From f00b4f076544a0b19b29cd74923f72f355fb513a Mon Sep 17 00:00:00 2001 From: subhashish-devtron Date: Fri, 19 Apr 2024 17:03:37 +0530 Subject: [PATCH 1/2] cherry-pick --- .../security/ImageScanHistoryRepository.go | 71 +- .../ResourceScanExecutionRepository.go | 53 + .../ScanToolExecutionHistoryMapping.go | 1 + report.json | 109997 +++++++++++++++ scripts/sql/238_resource_scan.down.sql | 5 + scripts/sql/238_resource_scan.up.sql | 2 + scripts/sql/239_code_image_scan.down.sql | 21 + scripts/sql/239_code_image_scan.up.sql | 116 + 8 files changed, 110260 insertions(+), 6 deletions(-) create mode 100644 internal/sql/repository/security/ResourceScanExecutionRepository.go create mode 100644 report.json create mode 100644 scripts/sql/238_resource_scan.down.sql create mode 100644 scripts/sql/238_resource_scan.up.sql create mode 100644 scripts/sql/239_code_image_scan.down.sql create mode 100644 scripts/sql/239_code_image_scan.up.sql diff --git a/internal/sql/repository/security/ImageScanHistoryRepository.go b/internal/sql/repository/security/ImageScanHistoryRepository.go index a9df49060f..19a473db9b 100644 --- a/internal/sql/repository/security/ImageScanHistoryRepository.go +++ b/internal/sql/repository/security/ImageScanHistoryRepository.go 
@@ -18,20 +18,79 @@ package security import ( + serverBean "github.com/devtron-labs/devtron/pkg/server/bean" "github.com/go-pg/pg" "go.uber.org/zap" "time" ) type ImageScanExecutionHistory struct { - tableName struct{} `sql:"image_scan_execution_history" pg:",discard_unknown_columns"` - Id int `sql:"id,pk"` - Image string `sql:"image,notnull"` - ImageHash string `sql:"image_hash,notnull"` - ExecutionTime time.Time `sql:"execution_time"` - ExecutedBy int `sql:"executed_by,notnull"` + tableName struct{} `sql:"image_scan_execution_history" pg:",discard_unknown_columns"` + Id int `sql:"id,pk"` + Image string `sql:"image,notnull"` + ImageHash string `sql:"image_hash,notnull"` // TODO Migrate to request metadata + ExecutionTime time.Time `sql:"execution_time"` + ExecutedBy int `sql:"executed_by,notnull"` + SourceMetadataJson string `sql:"source_metadata_json"` // to have relevant info to process a scan for a given source type and subtype + ExecutionHistoryDirectoryPath string `sql:"execution_history_directory_path"` // Deprecated + SourceType SourceType `sql:"source_type"` + SourceSubType SourceSubType `sql:"source_sub_type"` + ResourceScanExecutionResult *ResourceScanExecutionResult + ScanToolExecutionHistoryMapping *ScanToolExecutionHistoryMapping } +func (ed *ExecutionData) IsBuiltImage() bool { + return ed.SourceType == SourceTypeImage && ed.SourceSubType == SourceSubTypeCi +} + +func (ed *ExecutionData) IsManifestImage() bool { + return ed.SourceType == SourceTypeImage && ed.SourceSubType == SourceSubTypeManifest +} + +func (ed *ExecutionData) IsManifest() bool { + return ed.SourceType == SourceTypeCode && ed.SourceSubType == SourceSubTypeManifest +} + +func (ed *ExecutionData) IsCode() bool { + return ed.SourceType == SourceTypeCode && ed.SourceSubType == SourceSubTypeCi +} + +func (ed *ExecutionData) ContainsType(typeToCheck ResourceScanType) bool { + for _, scanType := range ed.Types { + if scanType == int(typeToCheck) { + return true + } + } + return false +} + 
+type ExecutionData struct { + Image string + ScanDataJson string + StartedOn time.Time + ScanToolName string + SourceType SourceType + SourceSubType SourceSubType + Types []int `sql:"types" pg:",array"` + Status serverBean.ScanExecutionProcessState +} + +// multiple history rows for one source event +type SourceType int + +const ( + SourceTypeImage SourceType = 1 + SourceTypeCode SourceType = 2 + SourceTypeSbom SourceType = 3 // can be used in future for direct sbom scanning +) + +type SourceSubType int + +const ( + SourceSubTypeCi SourceSubType = 1 // relevant for ci code(2,1) or ci built image(1,1) + SourceSubTypeManifest SourceSubType = 2 // relevant for devtron app deployment manifest/helm app manifest(2,2) or images retrieved from manifest(1,2)) +) + type ImageScanHistoryRepository interface { Save(model *ImageScanExecutionHistory) error FindAll() ([]*ImageScanExecutionHistory, error) diff --git a/internal/sql/repository/security/ResourceScanExecutionRepository.go b/internal/sql/repository/security/ResourceScanExecutionRepository.go new file mode 100644 index 0000000000..8d0c88fd87 --- /dev/null +++ b/internal/sql/repository/security/ResourceScanExecutionRepository.go 
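Review bot: `ExecutionData.Types` is declared as `[]int` while the `ResourceScanExecutionResult.Types` added in this same commit is `[]ResourceScanType`, so `ContainsType` has to cast on every comparison and the two representations of the same column can drift; declaring `Types []ResourceScanType `sql:"types" pg:",array"`` and comparing with `if scanType == typeToCheck {` removes the cast (if `ExecutionData` is populated from a raw query the tag still has to match the column's encoding, which the migration outside this hunk decides). The trailing `// Deprecated` on `ExecutionHistoryDirectoryPath` is not the form Go tooling recognises; put `// Deprecated: <reason>` on its own line above the field. The comment `// multiple history rows for one source event` sits above `type SourceType int` but does not describe that type; a doc line such as `// SourceType identifies the kind of artifact a scan history row was produced for (image, code or SBOM).` reads better. The `ImageScanHistoryRepository` interface continues past the end of the hunk.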
@@ -0,0 +1,53 @@ +package security + +import ( + "github.com/go-pg/pg" + "go.uber.org/zap" +) + +type ResourceScanExecutionResult struct { + tableName struct{} `sql:"resource_scan_execution_result" pg:",discard_unknown_columns"` + Id int `sql:"id,pk"` + ImageScanExecutionHistoryId int `sql:"image_scan_execution_history_id"` + ScanDataJson string `sql:"scan_data_json"` + Format ResourceScanFormat `sql:"format"` + Types []ResourceScanType `sql:"types"` + ScanToolId int `sql:"scan_tool_id"` +} + +type ResourceScanFormat int + +const ( + CycloneDxSbom ResourceScanFormat = 1 // SBOM + TrivyJson = 2 + Json = 3 +) + +type ResourceScanType int + +const ( + Vulnerabilities ResourceScanType = 1 + License = 2 + Config = 3 + Secrets = 4 +) + +type ResourceScanResultRepository interface { + SaveInBatch(tx *pg.Tx, models []*ResourceScanExecutionResult) error +} + +type ResourceScanResultRepositoryImpl struct { + dbConnection *pg.DB + logger *zap.SugaredLogger +} + +func NewResourceScanResultRepositoryImpl(dbConnection *pg.DB, logger *zap.SugaredLogger) *ResourceScanResultRepositoryImpl { + return &ResourceScanResultRepositoryImpl{ + dbConnection: dbConnection, + logger: logger, + } +} + +func (impl ResourceScanResultRepositoryImpl) SaveInBatch(tx *pg.Tx, models []*ResourceScanExecutionResult) error { + return tx.Insert(&models) +} diff --git a/internal/sql/repository/security/ScanToolExecutionHistoryMapping.go b/internal/sql/repository/security/ScanToolExecutionHistoryMapping.go index 0562798f64..1d387ba996 100644 --- a/internal/sql/repository/security/ScanToolExecutionHistoryMapping.go +++ b/internal/sql/repository/security/ScanToolExecutionHistoryMapping.go @@ -17,6 +17,7 @@ type ScanToolExecutionHistoryMapping struct { ExecutionFinishTime time.Time `sql:"execution_finish_time,notnull"` State serverBean.ScanExecutionProcessState `sql:"state"` TryCount int `sql:"try_count"` + ErrorMessage string `sql:"error_message"` sql.AuditLog } 
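Review bot: In both const blocks only the first constant is typed: `TrivyJson = 2`, `Json = 3`, `License = 2`, `Config = 3` and `Secrets = 4` carry an explicit value, so Go gives them the untyped integer type rather than `ResourceScanFormat`/`ResourceScanType`, and they can be assigned or passed wherever any integer is accepted without a compile error. Repeat the type on each line (`TrivyJson ResourceScanFormat = 2`, `License ResourceScanType = 2`, and so on) or use `iota` with a typed first element so the whole block inherits it. `Types []ResourceScanType `sql:"types"`` has no `pg:",array"` tag, unlike `ExecutionData.Types` in the same commit; unless this column is meant to hold JSON the two tags should agree — confirm against `239_code_image_scan.up.sql`, which is not in view. `SaveInBatch` hands `&models` to `tx.Insert` unconditionally; as far as I recall go-pg rejects a bulk insert of an empty slice, so `if len(models) == 0 { return nil }` before the insert would make an empty batch a no-op rather than an error.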
diff --git a/report.json b/report.json new file mode 100644 index 0000000000..9854f9ee57 --- /dev/null +++ b/report.json 
@@ -0,0 +1,109997 @@ +2024-04-12T15:21:30.553Z INFO Need to update DB +2024-04-12T15:21:30.553Z INFO DB Repository: ghcr.io/aquasecurity/trivy-db:2 +2024-04-12T15:21:30.553Z INFO Downloading DB... + +2024-04-12T15:21:36.966Z INFO Vulnerability scanning is enabled +2024-04-12T15:21:36.967Z INFO Misconfiguration scanning is enabled +2024-04-12T15:21:36.967Z INFO Need to update the built-in policies +2024-04-12T15:21:36.967Z INFO Downloading the built-in policies... + +2024-04-12T15:21:38.539Z INFO Secret scanning is enabled +2024-04-12T15:21:38.539Z INFO If your scanning is slow, please try '--scanners vuln' to disable secret scanning +2024-04-12T15:21:38.539Z INFO Please see also https://aquasecurity.github.io/trivy/v0.50/docs/scanner/secret/#recommendation for faster secret detection +2024-04-12T15:21:38.539Z INFO Full license scanning is enabled +2024-04-12T15:24:10.354Z INFO Number of language-specific files: 2 +2024-04-12T15:24:10.360Z INFO Detecting pip vulnerabilities... +2024-04-12T15:24:10.363Z INFO Detecting gomod vulnerabilities... 
+2024-04-12T15:24:10.370Z INFO Detected config files: 100 +{ + "SchemaVersion": 2, + "CreatedAt": "2024-04-12T15:24:10.379305346Z", + "ArtifactName": "/data", + "ArtifactType": "filesystem", + "Metadata": { + "ImageConfig": { + "architecture": "", + "created": "0001-01-01T00:00:00Z", + "os": "", + "rootfs": { + "type": "", + "diff_ids": null + }, + "config": {} + } + }, + "Results": [ + { + "Target": "go.mod", + "Class": "lang-pkgs", + "Type": "gomod", + "Vulnerabilities": [ + { + "VulnerabilityID": "CVE-2024-29893", + "PkgID": "github.com/argoproj/argo-cd/v2@v2.8.13", + "PkgName": "github.com/argoproj/argo-cd/v2", + "PkgIdentifier": { + "PURL": "pkg:golang/github.com/argoproj/argo-cd/v2@2.8.13" + }, + "InstalledVersion": "2.8.13", + "FixedVersion": "2.8.14, 2.9.10, 2.10.5", + "Status": "fixed", + "Layer": {}, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2024-29893", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory Go", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Ago" + }, + "Title": "argo-cd: uncontrolled memory allocation vulnerability", + "Description": "Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. All versions of ArgoCD starting from v2.4 have a bug where the ArgoCD repo-server component is vulnerable to a Denial-of-Service attack vector. Specifically, it's possible to crash the repo server component through an out of memory error by pointing it to a malicious Helm registry. The loadRepoIndex() function in the ArgoCD's helm package, does not limit the size nor time while fetching the data. It fetches it and creates a byte slice from the retrieved data in one go. If the registry is implemented to push data continuously, the repo server will keep allocating memory until it runs out of it. 
A patch for this vulnerability has been released in v2.10.3, v2.9.8, and v2.8.12.", + "Severity": "MEDIUM", + "CweIDs": [ + "CWE-400" + ], + "VendorSeverity": { + "bitnami": 2, + "ghsa": 2, + "redhat": 2 + }, + "CVSS": { + "bitnami": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 6.5 + }, + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 6.5 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "V3Score": 6.5 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2024-29893", + "https://github.com/argoproj/argo-cd", + "https://github.com/argoproj/argo-cd/commit/14f681e3ee7c38731943b98f92277e88a3db109d", + "https://github.com/argoproj/argo-cd/commit/36b8a12a38f8d92d55bffc81deed44389bf6eb59", + "https://github.com/argoproj/argo-cd/commit/3e5a878f6e30d935fa149723ea2a2e93748fcddd", + "https://github.com/argoproj/argo-cd/security/advisories/GHSA-jhwx-mhww-rgc3", + "https://nvd.nist.gov/vuln/detail/CVE-2024-29893", + "https://www.cve.org/CVERecord?id=CVE-2024-29893" + ], + "PublishedDate": "2024-03-29T15:15:12.74Z", + "LastModifiedDate": "2024-04-01T01:12:59.077Z" + } + ] + }, + { + "Target": "Dockerfile", + "Class": "config", + "Type": "dockerfile", + "MisconfSummary": { + "Successes": 23, + "Failures": 5, + "Exceptions": 0 + }, + "Misconfigurations": [ + { + "Type": "Dockerfile Security Check", + "ID": "DS001", + "AVDID": "AVD-DS-0001", + "Title": "':latest' tag used", + "Description": "When using a 'FROM' statement you should use a specific tag to avoid uncontrolled behavior when the image is updated.", + "Message": "Specify a tag in the 'FROM' statement for image 'ubuntu'", + "Namespace": "builtin.dockerfile.DS001", + "Query": "data.builtin.dockerfile.DS001.deny", + "Resolution": "Add a tag to the image in the 'FROM' statement", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ds001", + "References": [ + 
"https://avd.aquasec.com/misconfig/ds001" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Dockerfile", + "Service": "general", + "StartLine": 12, + "EndLine": 12, + "Code": { + "Lines": [ + { + "Number": 12, + "Content": "FROM ubuntu as devtron-all", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m\u001b[38;5;64mFROM\u001b[0m\u001b[38;5;37m ubuntu as devtron-all", + "FirstCause": true, + "LastCause": true + } + ] + } + } + }, + { + "Type": "Dockerfile Security Check", + "ID": "DS005", + "AVDID": "AVD-DS-0005", + "Title": "ADD instead of COPY", + "Description": "You should use COPY instead of ADD unless you want to extract a tar file. Note that an ADD command will extract a tar file, which adds the risk of Zip-based vulnerabilities. Accordingly, it is advised to use a COPY command, which does not extract tar files.", + "Message": "Consider using 'COPY . /go/src/github.com/devtron-labs/devtron/' command instead of 'ADD . /go/src/github.com/devtron-labs/devtron/'", + "Namespace": "builtin.dockerfile.DS005", + "Query": "data.builtin.dockerfile.DS005.deny", + "Resolution": "Use COPY instead of ADD", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ds005", + "References": [ + "https://docs.docker.com/engine/reference/builder/#add", + "https://avd.aquasec.com/misconfig/ds005" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Dockerfile", + "Service": "general", + "StartLine": 8, + "EndLine": 8, + "Code": { + "Lines": [ + { + "Number": 8, + "Content": "ADD . /go/src/github.com/devtron-labs/devtron/", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m\u001b[38;5;64mADD\u001b[0m . 
/go/src/github.com/devtron-labs/devtron/", + "FirstCause": true, + "LastCause": true + } + ] + } + } + }, + { + "Type": "Dockerfile Security Check", + "ID": "DS017", + "AVDID": "AVD-DS-0017", + "Title": "'RUN \u003cpackage-manager\u003e update' instruction alone", + "Description": "The instruction 'RUN \u003cpackage-manager\u003e update' should always be followed by '\u003cpackage-manager\u003e install' in the same RUN statement.", + "Message": "The instruction 'RUN \u003cpackage-manager\u003e update' should always be followed by '\u003cpackage-manager\u003e install' in the same RUN statement.", + "Namespace": "builtin.dockerfile.DS017", + "Query": "data.builtin.dockerfile.DS017.deny", + "Resolution": "Combine '\u003cpackage-manager\u003e update' and '\u003cpackage-manager\u003e install' instructions to single one", + "Severity": "HIGH", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ds017", + "References": [ + "https://docs.docker.com/develop/develop-images/dockerfile_best-practices/#run", + "https://avd.aquasec.com/misconfig/ds017" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Dockerfile", + "Service": "general", + "StartLine": 4, + "EndLine": 4, + "Code": { + "Lines": [ + { + "Number": 4, + "Content": "RUN apt update", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m\u001b[38;5;64mRUN\u001b[0m apt update", + "FirstCause": true, + "LastCause": true + } + ] + } + } + }, + { + "Type": "Dockerfile Security Check", + "ID": "DS017", + "AVDID": "AVD-DS-0017", + "Title": "'RUN \u003cpackage-manager\u003e update' instruction alone", + "Description": "The instruction 'RUN \u003cpackage-manager\u003e update' should always be followed by '\u003cpackage-manager\u003e install' in the same RUN statement.", + "Message": "The instruction 'RUN \u003cpackage-manager\u003e update' should always be followed by '\u003cpackage-manager\u003e install' in the same RUN statement.", + "Namespace": 
"builtin.dockerfile.DS017", + "Query": "data.builtin.dockerfile.DS017.deny", + "Resolution": "Combine '\u003cpackage-manager\u003e update' and '\u003cpackage-manager\u003e install' instructions to single one", + "Severity": "HIGH", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ds017", + "References": [ + "https://docs.docker.com/develop/develop-images/dockerfile_best-practices/#run", + "https://avd.aquasec.com/misconfig/ds017" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Dockerfile", + "Service": "general", + "StartLine": 14, + "EndLine": 14, + "Code": { + "Lines": [ + { + "Number": 14, + "Content": "RUN apt update", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[38;5;64mRUN\u001b[0m apt update", + "FirstCause": true, + "LastCause": true + } + ] + } + } + }, + { + "Type": "Dockerfile Security Check", + "ID": "DS026", + "AVDID": "AVD-DS-0026", + "Title": "No HEALTHCHECK defined", + "Description": "You should add HEALTHCHECK instruction in your docker container images to perform the health check on running containers.", + "Message": "Add HEALTHCHECK instruction in your Dockerfile", + "Namespace": "builtin.dockerfile.DS026", + "Query": "data.builtin.dockerfile.DS026.deny", + "Resolution": "Add HEALTHCHECK instruction in Dockerfile", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ds026", + "References": [ + "https://blog.aquasec.com/docker-security-best-practices", + "https://avd.aquasec.com/misconfig/ds026" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Dockerfile", + "Service": "general", + "Code": { + "Lines": null + } + } + } + ] + }, + { + "Target": "charts/devtron/crds/crd-devtron.yaml", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 153, + "Failures": 0, + "Exceptions": 0 + } + }, + { + "Target": "charts/devtron/templates/argocd-secret.yaml", + "Class": "config", + "Type": "kubernetes", + 
"MisconfSummary": { + "Successes": 153, + "Failures": 0, + "Exceptions": 0 + } + }, + { + "Target": "charts/devtron/templates/rbac.yaml", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 153, + "Failures": 2, + "Exceptions": 0 + }, + "Misconfigurations": [ + { + "Type": "Kubernetes Security Check", + "ID": "KSV044", + "AVDID": "AVD-KSV-0044", + "Title": "No wildcard verb and resource roles", + "Description": "Check whether role permits wildcard verb on wildcard resource", + "Message": "Role permits wildcard verb on wildcard resource", + "Namespace": "builtin.kubernetes.KSV044", + "Query": "data.builtin.kubernetes.KSV044.deny", + "Resolution": "Create a role which does not permit wildcard verb on wildcard resource", + "Severity": "CRITICAL", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv044", + "References": [ + "https://kubernetes.io/docs/concepts/security/rbac-good-practices/", + "https://avd.aquasec.com/misconfig/ksv044" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 20, + "EndLine": 25, + "Code": { + "Lines": [ + { + "Number": 20, + "Content": "- apiGroups:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "- \u001b[38;5;33mapiGroups\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 21, + "Content": " - '*'", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;37m'*'", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 22, + "Content": " resources:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mresources\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 23, + "Content": " - '*'", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;37m'*'", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 24, 
+ "Content": " verbs:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mverbs\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 25, + "Content": " - '*'", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;37m'*'", + "FirstCause": false, + "LastCause": true + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV046", + "AVDID": "AVD-KSV-0046", + "Title": "Manage all resources", + "Description": "Full control of the cluster resources, and therefore also root on all nodes where workloads can run and has access to all pods, secrets, and data.", + "Message": "ClusterRole 'devtron' shouldn't manage all resources", + "Namespace": "builtin.kubernetes.KSV046", + "Query": "data.builtin.kubernetes.KSV046.deny", + "Resolution": "Remove '*' from 'rules.resources'. Provide specific list of resources to be managed by cluster role", + "Severity": "CRITICAL", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv046", + "References": [ + "https://kubernetes.io/docs/concepts/security/rbac-good-practices/", + "https://avd.aquasec.com/misconfig/ksv046" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 20, + "EndLine": 25, + "Code": { + "Lines": [ + { + "Number": 20, + "Content": "- apiGroups:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "- \u001b[38;5;33mapiGroups\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 21, + "Content": " - '*'", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;37m'*'", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 22, + "Content": " resources:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mresources\u001b[0m:", + "FirstCause": false, + "LastCause": false 
+ }, + { + "Number": 23, + "Content": " - '*'", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;37m'*'", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 24, + "Content": " verbs:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mverbs\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 25, + "Content": " - '*'", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;37m'*'", + "FirstCause": false, + "LastCause": true + } + ] + } + } + } + ] + }, + { + "Target": "manifests/crds/crd-devtron.yaml", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 153, + "Failures": 0, + "Exceptions": 0 + } + }, + { + "Target": "manifests/hyperion/dashboard.yaml", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 153, + "Failures": 28, + "Exceptions": 0 + }, + "Misconfigurations": [ + { + "Type": "Kubernetes Security Check", + "ID": "KSV001", + "AVDID": "AVD-KSV-0001", + "Title": "Can elevate its own privileges", + "Description": "A program inside the container can elevate its own privileges and run as root, which might give the program control over the container and node.", + "Message": "Container 'dashboard' of Deployment 'dashboard' should set 'securityContext.allowPrivilegeEscalation' to false", + "Namespace": "builtin.kubernetes.KSV001", + "Query": "data.builtin.kubernetes.KSV001.deny", + "Resolution": "Set 'set containers[].securityContext.allowPrivilegeEscalation' to 'false'.", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv001", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", + "https://avd.aquasec.com/misconfig/ksv001" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 232, 
+ "EndLine": 255, + "Code": { + "Lines": [ + { + "Number": 232, + "Content": " - name: dashboard", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: dashboard", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 233, + "Content": " image: \"quay.io/devtron/dashboard:075cba2a-136-6172\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/dashboard:075cba2a-136-6172\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 234, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 235, + "Content": " ports:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mports\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 236, + "Content": " - name: app", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: app", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 237, + "Content": " containerPort: 80", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m80", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 238, + "Content": " protocol: TCP", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mprotocol\u001b[0m: TCP", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 239, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 240, + "Content": " - name: 
CONFIG_HASH", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: CONFIG_HASH", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 241, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV001", + "AVDID": "AVD-KSV-0001", + "Title": "Can elevate its own privileges", + "Description": "A program inside the container can elevate its own privileges and run as root, which might give the program control over the container and node.", + "Message": "Container 'envoy' of Deployment 'dashboard' should set 'securityContext.allowPrivilegeEscalation' to false", + "Namespace": "builtin.kubernetes.KSV001", + "Query": "data.builtin.kubernetes.KSV001.deny", + "Resolution": "Set 'set containers[].securityContext.allowPrivilegeEscalation' to 'false'.", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv001", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", + "https://avd.aquasec.com/misconfig/ksv001" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 218, + "EndLine": 231, + "Code": { + "Lines": [ + { + "Number": 218, + "Content": " - name: envoy", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: envoy", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 219, + "Content": " image: \"quay.io/devtron/envoy:v1.14.1\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/envoy:v1.14.1\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 220, + "Content": " ports:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + 
"Highlighted": "\u001b[0m \u001b[38;5;33mports\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 221, + "Content": " - containerPort: 9901", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m9901", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 222, + "Content": " protocol: TCP", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mprotocol\u001b[0m: TCP", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 223, + "Content": " name: envoy-admin", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mname\u001b[0m: envoy-admin", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 224, + "Content": " - name: app", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: app", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 225, + "Content": " containerPort: 8790", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m8790", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 226, + "Content": " protocol: TCP", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mprotocol\u001b[0m: TCP", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 227, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV003", + "AVDID": "AVD-KSV-0003", + "Title": "Default capabilities: some containers do not drop all", + "Description": "The container should drop all default capabilities and add only those that are needed for its execution.", + "Message": "Container 'dashboard' of 
Deployment 'dashboard' should add 'ALL' to 'securityContext.capabilities.drop'", + "Namespace": "builtin.kubernetes.KSV003", + "Query": "data.builtin.kubernetes.KSV003.deny", + "Resolution": "Add 'ALL' to containers[].securityContext.capabilities.drop.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv003", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-capabilities-drop-index-all/", + "https://avd.aquasec.com/misconfig/ksv003" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 232, + "EndLine": 255, + "Code": { + "Lines": [ + { + "Number": 232, + "Content": " - name: dashboard", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: dashboard", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 233, + "Content": " image: \"quay.io/devtron/dashboard:075cba2a-136-6172\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/dashboard:075cba2a-136-6172\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 234, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 235, + "Content": " ports:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mports\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 236, + "Content": " - name: app", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: app", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 237, + "Content": " containerPort: 80", + "IsCause": true, + "Annotation": "", + 
"Truncated": false, + "Highlighted": " \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m80", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 238, + "Content": " protocol: TCP", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mprotocol\u001b[0m: TCP", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 239, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 240, + "Content": " - name: CONFIG_HASH", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: CONFIG_HASH", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 241, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV003", + "AVDID": "AVD-KSV-0003", + "Title": "Default capabilities: some containers do not drop all", + "Description": "The container should drop all default capabilities and add only those that are needed for its execution.", + "Message": "Container 'envoy' of Deployment 'dashboard' should add 'ALL' to 'securityContext.capabilities.drop'", + "Namespace": "builtin.kubernetes.KSV003", + "Query": "data.builtin.kubernetes.KSV003.deny", + "Resolution": "Add 'ALL' to containers[].securityContext.capabilities.drop.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv003", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-capabilities-drop-index-all/", + "https://avd.aquasec.com/misconfig/ksv003" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 218, + "EndLine": 231, + "Code": { + "Lines": [ + { + "Number": 218, + "Content": " - name: 
envoy", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: envoy", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 219, + "Content": " image: \"quay.io/devtron/envoy:v1.14.1\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/envoy:v1.14.1\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 220, + "Content": " ports:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mports\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 221, + "Content": " - containerPort: 9901", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m9901", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 222, + "Content": " protocol: TCP", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mprotocol\u001b[0m: TCP", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 223, + "Content": " name: envoy-admin", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mname\u001b[0m: envoy-admin", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 224, + "Content": " - name: app", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: app", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 225, + "Content": " containerPort: 8790", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m8790", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 226, + "Content": " protocol: TCP", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m 
\u001b[38;5;33mprotocol\u001b[0m: TCP", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 227, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV011", + "AVDID": "AVD-KSV-0011", + "Title": "CPU not limited", + "Description": "Enforcing CPU limits prevents DoS via resource exhaustion.", + "Message": "Container 'dashboard' of Deployment 'dashboard' should set 'resources.limits.cpu'", + "Namespace": "builtin.kubernetes.KSV011", + "Query": "data.builtin.kubernetes.KSV011.deny", + "Resolution": "Set a limit value under 'containers[].resources.limits.cpu'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv011", + "References": [ + "https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", + "https://avd.aquasec.com/misconfig/ksv011" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 232, + "EndLine": 255, + "Code": { + "Lines": [ + { + "Number": 232, + "Content": " - name: dashboard", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: dashboard", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 233, + "Content": " image: \"quay.io/devtron/dashboard:075cba2a-136-6172\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/dashboard:075cba2a-136-6172\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 234, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 235, + 
"Content": " ports:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mports\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 236, + "Content": " - name: app", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: app", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 237, + "Content": " containerPort: 80", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m80", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 238, + "Content": " protocol: TCP", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mprotocol\u001b[0m: TCP", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 239, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 240, + "Content": " - name: CONFIG_HASH", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: CONFIG_HASH", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 241, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV011", + "AVDID": "AVD-KSV-0011", + "Title": "CPU not limited", + "Description": "Enforcing CPU limits prevents DoS via resource exhaustion.", + "Message": "Container 'envoy' of Deployment 'dashboard' should set 'resources.limits.cpu'", + "Namespace": "builtin.kubernetes.KSV011", + "Query": "data.builtin.kubernetes.KSV011.deny", + "Resolution": "Set a limit value under 'containers[].resources.limits.cpu'.", + "Severity": "LOW", + "PrimaryURL": 
"https://avd.aquasec.com/misconfig/ksv011", + "References": [ + "https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", + "https://avd.aquasec.com/misconfig/ksv011" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 218, + "EndLine": 231, + "Code": { + "Lines": [ + { + "Number": 218, + "Content": " - name: envoy", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: envoy", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 219, + "Content": " image: \"quay.io/devtron/envoy:v1.14.1\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/envoy:v1.14.1\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 220, + "Content": " ports:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mports\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 221, + "Content": " - containerPort: 9901", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m9901", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 222, + "Content": " protocol: TCP", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mprotocol\u001b[0m: TCP", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 223, + "Content": " name: envoy-admin", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mname\u001b[0m: envoy-admin", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 224, + "Content": " - name: app", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - 
\u001b[38;5;33mname\u001b[0m: app", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 225, + "Content": " containerPort: 8790", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m8790", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 226, + "Content": " protocol: TCP", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mprotocol\u001b[0m: TCP", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 227, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV012", + "AVDID": "AVD-KSV-0012", + "Title": "Runs as root user", + "Description": "Force the running image to run as a non-root user to ensure least privileges.", + "Message": "Container 'dashboard' of Deployment 'dashboard' should set 'securityContext.runAsNonRoot' to true", + "Namespace": "builtin.kubernetes.KSV012", + "Query": "data.builtin.kubernetes.KSV012.deny", + "Resolution": "Set 'containers[].securityContext.runAsNonRoot' to true.", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv012", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", + "https://avd.aquasec.com/misconfig/ksv012" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 232, + "EndLine": 255, + "Code": { + "Lines": [ + { + "Number": 232, + "Content": " - name: dashboard", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: dashboard", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 233, + "Content": " image: \"quay.io/devtron/dashboard:075cba2a-136-6172\"", + "IsCause": true, + "Annotation": "", + 
"Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/dashboard:075cba2a-136-6172\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 234, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 235, + "Content": " ports:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mports\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 236, + "Content": " - name: app", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: app", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 237, + "Content": " containerPort: 80", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m80", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 238, + "Content": " protocol: TCP", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mprotocol\u001b[0m: TCP", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 239, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 240, + "Content": " - name: CONFIG_HASH", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: CONFIG_HASH", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 241, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": 
"KSV012", + "AVDID": "AVD-KSV-0012", + "Title": "Runs as root user", + "Description": "Force the running image to run as a non-root user to ensure least privileges.", + "Message": "Container 'envoy' of Deployment 'dashboard' should set 'securityContext.runAsNonRoot' to true", + "Namespace": "builtin.kubernetes.KSV012", + "Query": "data.builtin.kubernetes.KSV012.deny", + "Resolution": "Set 'containers[].securityContext.runAsNonRoot' to true.", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv012", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", + "https://avd.aquasec.com/misconfig/ksv012" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 218, + "EndLine": 231, + "Code": { + "Lines": [ + { + "Number": 218, + "Content": " - name: envoy", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: envoy", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 219, + "Content": " image: \"quay.io/devtron/envoy:v1.14.1\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/envoy:v1.14.1\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 220, + "Content": " ports:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mports\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 221, + "Content": " - containerPort: 9901", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m9901", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 222, + "Content": " protocol: TCP", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m 
\u001b[38;5;33mprotocol\u001b[0m: TCP", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 223, + "Content": " name: envoy-admin", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mname\u001b[0m: envoy-admin", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 224, + "Content": " - name: app", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: app", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 225, + "Content": " containerPort: 8790", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m8790", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 226, + "Content": " protocol: TCP", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mprotocol\u001b[0m: TCP", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 227, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV014", + "AVDID": "AVD-KSV-0014", + "Title": "Root file system is not read-only", + "Description": "An immutable root file system prevents applications from writing to their local disk. 
This can limit intrusions, as attackers will not be able to tamper with the file system or write foreign executables to disk.", + "Message": "Container 'dashboard' of Deployment 'dashboard' should set 'securityContext.readOnlyRootFilesystem' to true", + "Namespace": "builtin.kubernetes.KSV014", + "Query": "data.builtin.kubernetes.KSV014.deny", + "Resolution": "Change 'containers[].securityContext.readOnlyRootFilesystem' to 'true'.", + "Severity": "HIGH", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv014", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-readonlyrootfilesystem-true/", + "https://avd.aquasec.com/misconfig/ksv014" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 232, + "EndLine": 255, + "Code": { + "Lines": [ + { + "Number": 232, + "Content": " - name: dashboard", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: dashboard", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 233, + "Content": " image: \"quay.io/devtron/dashboard:075cba2a-136-6172\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/dashboard:075cba2a-136-6172\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 234, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 235, + "Content": " ports:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mports\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 236, + "Content": " - name: app", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - 
\u001b[38;5;33mname\u001b[0m: app", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 237, + "Content": " containerPort: 80", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m80", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 238, + "Content": " protocol: TCP", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mprotocol\u001b[0m: TCP", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 239, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 240, + "Content": " - name: CONFIG_HASH", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: CONFIG_HASH", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 241, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV014", + "AVDID": "AVD-KSV-0014", + "Title": "Root file system is not read-only", + "Description": "An immutable root file system prevents applications from writing to their local disk. 
This can limit intrusions, as attackers will not be able to tamper with the file system or write foreign executables to disk.", + "Message": "Container 'envoy' of Deployment 'dashboard' should set 'securityContext.readOnlyRootFilesystem' to true", + "Namespace": "builtin.kubernetes.KSV014", + "Query": "data.builtin.kubernetes.KSV014.deny", + "Resolution": "Change 'containers[].securityContext.readOnlyRootFilesystem' to 'true'.", + "Severity": "HIGH", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv014", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-readonlyrootfilesystem-true/", + "https://avd.aquasec.com/misconfig/ksv014" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 218, + "EndLine": 231, + "Code": { + "Lines": [ + { + "Number": 218, + "Content": " - name: envoy", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: envoy", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 219, + "Content": " image: \"quay.io/devtron/envoy:v1.14.1\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/envoy:v1.14.1\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 220, + "Content": " ports:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mports\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 221, + "Content": " - containerPort: 9901", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m9901", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 222, + "Content": " protocol: TCP", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mprotocol\u001b[0m: TCP", 
+ "FirstCause": false, + "LastCause": false + }, + { + "Number": 223, + "Content": " name: envoy-admin", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mname\u001b[0m: envoy-admin", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 224, + "Content": " - name: app", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: app", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 225, + "Content": " containerPort: 8790", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m8790", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 226, + "Content": " protocol: TCP", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mprotocol\u001b[0m: TCP", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 227, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV015", + "AVDID": "AVD-KSV-0015", + "Title": "CPU requests not specified", + "Description": "When containers have resource requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", + "Message": "Container 'dashboard' of Deployment 'dashboard' should set 'resources.requests.cpu'", + "Namespace": "builtin.kubernetes.KSV015", + "Query": "data.builtin.kubernetes.KSV015.deny", + "Resolution": "Set 'containers[].resources.requests.cpu'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv015", + "References": [ + "https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", + "https://avd.aquasec.com/misconfig/ksv015" + ], + "Status": "FAIL", 
+ "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 232, + "EndLine": 255, + "Code": { + "Lines": [ + { + "Number": 232, + "Content": " - name: dashboard", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: dashboard", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 233, + "Content": " image: \"quay.io/devtron/dashboard:075cba2a-136-6172\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/dashboard:075cba2a-136-6172\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 234, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 235, + "Content": " ports:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mports\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 236, + "Content": " - name: app", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: app", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 237, + "Content": " containerPort: 80", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m80", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 238, + "Content": " protocol: TCP", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mprotocol\u001b[0m: TCP", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 239, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " 
\u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 240, + "Content": " - name: CONFIG_HASH", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: CONFIG_HASH", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 241, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV015", + "AVDID": "AVD-KSV-0015", + "Title": "CPU requests not specified", + "Description": "When containers have resource requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", + "Message": "Container 'envoy' of Deployment 'dashboard' should set 'resources.requests.cpu'", + "Namespace": "builtin.kubernetes.KSV015", + "Query": "data.builtin.kubernetes.KSV015.deny", + "Resolution": "Set 'containers[].resources.requests.cpu'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv015", + "References": [ + "https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", + "https://avd.aquasec.com/misconfig/ksv015" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 218, + "EndLine": 231, + "Code": { + "Lines": [ + { + "Number": 218, + "Content": " - name: envoy", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: envoy", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 219, + "Content": " image: \"quay.io/devtron/envoy:v1.14.1\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/envoy:v1.14.1\"", + "FirstCause": false, + "LastCause": false + }, + { 
+ "Number": 220, + "Content": " ports:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mports\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 221, + "Content": " - containerPort: 9901", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m9901", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 222, + "Content": " protocol: TCP", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mprotocol\u001b[0m: TCP", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 223, + "Content": " name: envoy-admin", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mname\u001b[0m: envoy-admin", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 224, + "Content": " - name: app", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: app", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 225, + "Content": " containerPort: 8790", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m8790", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 226, + "Content": " protocol: TCP", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mprotocol\u001b[0m: TCP", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 227, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV016", + "AVDID": "AVD-KSV-0016", + "Title": "Memory requests not specified", + "Description": "When containers have memory requests specified, the scheduler can 
make better decisions about which nodes to place pods on, and how to deal with resource contention.", + "Message": "Container 'dashboard' of Deployment 'dashboard' should set 'resources.requests.memory'", + "Namespace": "builtin.kubernetes.KSV016", + "Query": "data.builtin.kubernetes.KSV016.deny", + "Resolution": "Set 'containers[].resources.requests.memory'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv016", + "References": [ + "https://kubesec.io/basics/containers-resources-limits-memory/", + "https://avd.aquasec.com/misconfig/ksv016" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 232, + "EndLine": 255, + "Code": { + "Lines": [ + { + "Number": 232, + "Content": " - name: dashboard", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: dashboard", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 233, + "Content": " image: \"quay.io/devtron/dashboard:075cba2a-136-6172\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/dashboard:075cba2a-136-6172\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 234, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 235, + "Content": " ports:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mports\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 236, + "Content": " - name: app", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: app", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 
237, + "Content": " containerPort: 80", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m80", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 238, + "Content": " protocol: TCP", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mprotocol\u001b[0m: TCP", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 239, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 240, + "Content": " - name: CONFIG_HASH", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: CONFIG_HASH", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 241, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV016", + "AVDID": "AVD-KSV-0016", + "Title": "Memory requests not specified", + "Description": "When containers have memory requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", + "Message": "Container 'envoy' of Deployment 'dashboard' should set 'resources.requests.memory'", + "Namespace": "builtin.kubernetes.KSV016", + "Query": "data.builtin.kubernetes.KSV016.deny", + "Resolution": "Set 'containers[].resources.requests.memory'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv016", + "References": [ + "https://kubesec.io/basics/containers-resources-limits-memory/", + "https://avd.aquasec.com/misconfig/ksv016" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 218, + "EndLine": 231, + 
"Code": { + "Lines": [ + { + "Number": 218, + "Content": " - name: envoy", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: envoy", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 219, + "Content": " image: \"quay.io/devtron/envoy:v1.14.1\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/envoy:v1.14.1\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 220, + "Content": " ports:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mports\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 221, + "Content": " - containerPort: 9901", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m9901", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 222, + "Content": " protocol: TCP", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mprotocol\u001b[0m: TCP", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 223, + "Content": " name: envoy-admin", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mname\u001b[0m: envoy-admin", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 224, + "Content": " - name: app", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: app", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 225, + "Content": " containerPort: 8790", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m8790", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 226, + "Content": " protocol: TCP", + "IsCause": true, + 
"Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mprotocol\u001b[0m: TCP", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 227, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV018", + "AVDID": "AVD-KSV-0018", + "Title": "Memory not limited", + "Description": "Enforcing memory limits prevents DoS via resource exhaustion.", + "Message": "Container 'dashboard' of Deployment 'dashboard' should set 'resources.limits.memory'", + "Namespace": "builtin.kubernetes.KSV018", + "Query": "data.builtin.kubernetes.KSV018.deny", + "Resolution": "Set a limit value under 'containers[].resources.limits.memory'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv018", + "References": [ + "https://kubesec.io/basics/containers-resources-limits-memory/", + "https://avd.aquasec.com/misconfig/ksv018" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 232, + "EndLine": 255, + "Code": { + "Lines": [ + { + "Number": 232, + "Content": " - name: dashboard", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: dashboard", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 233, + "Content": " image: \"quay.io/devtron/dashboard:075cba2a-136-6172\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/dashboard:075cba2a-136-6172\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 234, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { 
+ "Number": 235, + "Content": " ports:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mports\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 236, + "Content": " - name: app", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: app", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 237, + "Content": " containerPort: 80", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m80", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 238, + "Content": " protocol: TCP", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mprotocol\u001b[0m: TCP", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 239, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 240, + "Content": " - name: CONFIG_HASH", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: CONFIG_HASH", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 241, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV018", + "AVDID": "AVD-KSV-0018", + "Title": "Memory not limited", + "Description": "Enforcing memory limits prevents DoS via resource exhaustion.", + "Message": "Container 'envoy' of Deployment 'dashboard' should set 'resources.limits.memory'", + "Namespace": "builtin.kubernetes.KSV018", + "Query": "data.builtin.kubernetes.KSV018.deny", + "Resolution": "Set a limit value under 'containers[].resources.limits.memory'.", + "Severity": "LOW", + 
"PrimaryURL": "https://avd.aquasec.com/misconfig/ksv018", + "References": [ + "https://kubesec.io/basics/containers-resources-limits-memory/", + "https://avd.aquasec.com/misconfig/ksv018" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 218, + "EndLine": 231, + "Code": { + "Lines": [ + { + "Number": 218, + "Content": " - name: envoy", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: envoy", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 219, + "Content": " image: \"quay.io/devtron/envoy:v1.14.1\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/envoy:v1.14.1\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 220, + "Content": " ports:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mports\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 221, + "Content": " - containerPort: 9901", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m9901", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 222, + "Content": " protocol: TCP", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mprotocol\u001b[0m: TCP", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 223, + "Content": " name: envoy-admin", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mname\u001b[0m: envoy-admin", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 224, + "Content": " - name: app", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: app", + "FirstCause": false, + 
"LastCause": false + }, + { + "Number": 225, + "Content": " containerPort: 8790", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m8790", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 226, + "Content": " protocol: TCP", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mprotocol\u001b[0m: TCP", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 227, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV020", + "AVDID": "AVD-KSV-0020", + "Title": "Runs with UID \u003c= 10000", + "Description": "Force the container to run with user ID \u003e 10000 to avoid conflicts with the host’s user table.", + "Message": "Container 'dashboard' of Deployment 'dashboard' should set 'securityContext.runAsUser' \u003e 10000", + "Namespace": "builtin.kubernetes.KSV020", + "Query": "data.builtin.kubernetes.KSV020.deny", + "Resolution": "Set 'containers[].securityContext.runAsUser' to an integer \u003e 10000.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv020", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-runasuser/", + "https://avd.aquasec.com/misconfig/ksv020" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 232, + "EndLine": 255, + "Code": { + "Lines": [ + { + "Number": 232, + "Content": " - name: dashboard", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: dashboard", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 233, + "Content": " image: \"quay.io/devtron/dashboard:075cba2a-136-6172\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + 
"Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/dashboard:075cba2a-136-6172\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 234, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 235, + "Content": " ports:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mports\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 236, + "Content": " - name: app", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: app", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 237, + "Content": " containerPort: 80", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m80", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 238, + "Content": " protocol: TCP", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mprotocol\u001b[0m: TCP", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 239, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 240, + "Content": " - name: CONFIG_HASH", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: CONFIG_HASH", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 241, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV020", + "AVDID": 
"AVD-KSV-0020", + "Title": "Runs with UID \u003c= 10000", + "Description": "Force the container to run with user ID \u003e 10000 to avoid conflicts with the host’s user table.", + "Message": "Container 'envoy' of Deployment 'dashboard' should set 'securityContext.runAsUser' \u003e 10000", + "Namespace": "builtin.kubernetes.KSV020", + "Query": "data.builtin.kubernetes.KSV020.deny", + "Resolution": "Set 'containers[].securityContext.runAsUser' to an integer \u003e 10000.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv020", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-runasuser/", + "https://avd.aquasec.com/misconfig/ksv020" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 218, + "EndLine": 231, + "Code": { + "Lines": [ + { + "Number": 218, + "Content": " - name: envoy", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: envoy", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 219, + "Content": " image: \"quay.io/devtron/envoy:v1.14.1\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/envoy:v1.14.1\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 220, + "Content": " ports:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mports\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 221, + "Content": " - containerPort: 9901", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m9901", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 222, + "Content": " protocol: TCP", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m 
\u001b[38;5;33mprotocol\u001b[0m: TCP", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 223, + "Content": " name: envoy-admin", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mname\u001b[0m: envoy-admin", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 224, + "Content": " - name: app", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: app", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 225, + "Content": " containerPort: 8790", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m8790", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 226, + "Content": " protocol: TCP", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mprotocol\u001b[0m: TCP", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 227, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV021", + "AVDID": "AVD-KSV-0021", + "Title": "Runs with GID \u003c= 10000", + "Description": "Force the container to run with group ID \u003e 10000 to avoid conflicts with the host’s user table.", + "Message": "Container 'dashboard' of Deployment 'dashboard' should set 'securityContext.runAsGroup' \u003e 10000", + "Namespace": "builtin.kubernetes.KSV021", + "Query": "data.builtin.kubernetes.KSV021.deny", + "Resolution": "Set 'containers[].securityContext.runAsGroup' to an integer \u003e 10000.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv021", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-runasuser/", + "https://avd.aquasec.com/misconfig/ksv021" + ], + "Status": "FAIL", + "Layer": {}, + 
"CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 232, + "EndLine": 255, + "Code": { + "Lines": [ + { + "Number": 232, + "Content": " - name: dashboard", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: dashboard", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 233, + "Content": " image: \"quay.io/devtron/dashboard:075cba2a-136-6172\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/dashboard:075cba2a-136-6172\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 234, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 235, + "Content": " ports:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mports\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 236, + "Content": " - name: app", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: app", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 237, + "Content": " containerPort: 80", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m80", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 238, + "Content": " protocol: TCP", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mprotocol\u001b[0m: TCP", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 239, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33menv\u001b[0m:", + 
"FirstCause": false, + "LastCause": false + }, + { + "Number": 240, + "Content": " - name: CONFIG_HASH", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: CONFIG_HASH", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 241, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV021", + "AVDID": "AVD-KSV-0021", + "Title": "Runs with GID \u003c= 10000", + "Description": "Force the container to run with group ID \u003e 10000 to avoid conflicts with the host’s user table.", + "Message": "Container 'envoy' of Deployment 'dashboard' should set 'securityContext.runAsGroup' \u003e 10000", + "Namespace": "builtin.kubernetes.KSV021", + "Query": "data.builtin.kubernetes.KSV021.deny", + "Resolution": "Set 'containers[].securityContext.runAsGroup' to an integer \u003e 10000.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv021", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-runasuser/", + "https://avd.aquasec.com/misconfig/ksv021" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 218, + "EndLine": 231, + "Code": { + "Lines": [ + { + "Number": 218, + "Content": " - name: envoy", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: envoy", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 219, + "Content": " image: \"quay.io/devtron/envoy:v1.14.1\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/envoy:v1.14.1\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 220, + "Content": " ports:", + "IsCause": true, + "Annotation": "", + "Truncated": false, 
+ "Highlighted": "\u001b[0m \u001b[38;5;33mports\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 221, + "Content": " - containerPort: 9901", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m9901", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 222, + "Content": " protocol: TCP", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mprotocol\u001b[0m: TCP", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 223, + "Content": " name: envoy-admin", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mname\u001b[0m: envoy-admin", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 224, + "Content": " - name: app", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: app", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 225, + "Content": " containerPort: 8790", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m8790", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 226, + "Content": " protocol: TCP", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mprotocol\u001b[0m: TCP", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 227, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV030", + "AVDID": "AVD-KSV-0030", + "Title": "Runtime/Default Seccomp profile not set", + "Description": "According to pod security standard 'Seccomp', the RuntimeDefault seccomp profile must be required, or allow specific additional profiles.", + "Message": "Either 
Pod or Container should set 'securityContext.seccompProfile.type' to 'RuntimeDefault'", + "Namespace": "builtin.kubernetes.KSV030", + "Query": "data.builtin.kubernetes.KSV030.deny", + "Resolution": "Set 'spec.securityContext.seccompProfile.type', 'spec.containers[*].securityContext.seccompProfile' and 'spec.initContainers[*].securityContext.seccompProfile' to 'RuntimeDefault' or undefined.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv030", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", + "https://avd.aquasec.com/misconfig/ksv030" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 218, + "EndLine": 231, + "Code": { + "Lines": [ + { + "Number": 218, + "Content": " - name: envoy", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: envoy", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 219, + "Content": " image: \"quay.io/devtron/envoy:v1.14.1\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/envoy:v1.14.1\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 220, + "Content": " ports:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mports\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 221, + "Content": " - containerPort: 9901", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m9901", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 222, + "Content": " protocol: TCP", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mprotocol\u001b[0m: TCP", + "FirstCause": false, + "LastCause": 
false + }, + { + "Number": 223, + "Content": " name: envoy-admin", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mname\u001b[0m: envoy-admin", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 224, + "Content": " - name: app", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: app", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 225, + "Content": " containerPort: 8790", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m8790", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 226, + "Content": " protocol: TCP", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mprotocol\u001b[0m: TCP", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 227, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV030", + "AVDID": "AVD-KSV-0030", + "Title": "Runtime/Default Seccomp profile not set", + "Description": "According to pod security standard 'Seccomp', the RuntimeDefault seccomp profile must be required, or allow specific additional profiles.", + "Message": "Either Pod or Container should set 'securityContext.seccompProfile.type' to 'RuntimeDefault'", + "Namespace": "builtin.kubernetes.KSV030", + "Query": "data.builtin.kubernetes.KSV030.deny", + "Resolution": "Set 'spec.securityContext.seccompProfile.type', 'spec.containers[*].securityContext.seccompProfile' and 'spec.initContainers[*].securityContext.seccompProfile' to 'RuntimeDefault' or undefined.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv030", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", + 
"https://avd.aquasec.com/misconfig/ksv030" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 232, + "EndLine": 255, + "Code": { + "Lines": [ + { + "Number": 232, + "Content": " - name: dashboard", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: dashboard", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 233, + "Content": " image: \"quay.io/devtron/dashboard:075cba2a-136-6172\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/dashboard:075cba2a-136-6172\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 234, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 235, + "Content": " ports:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mports\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 236, + "Content": " - name: app", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: app", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 237, + "Content": " containerPort: 80", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m80", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 238, + "Content": " protocol: TCP", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mprotocol\u001b[0m: TCP", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 239, + "Content": " env:", + "IsCause": true, + 
"Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 240, + "Content": " - name: CONFIG_HASH", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: CONFIG_HASH", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 241, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "AVD-KSV-01010", + "AVDID": "AVD-KSV-01010", + "Title": "ConfigMap with sensitive content", + "Description": "Storing sensitive content such as usernames and email addresses in configMaps is unsafe", + "Message": "ConfigMap 'dashboard-cm' in 'default' namespace stores sensitive contents in key(s) or value(s) '{\"SENTRY_ENV\"}'", + "Namespace": "builtin.kubernetes.KSV01010", + "Query": "data.builtin.kubernetes.KSV01010.deny", + "Resolution": "Remove sensitive content from configMap data value", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/avd-ksv-01010", + "References": [ + "https://avd.aquasec.com/misconfig/avd-ksv-01010" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 10, + "EndLine": 10, + "Code": { + "Lines": [ + { + "Number": 10, + "Content": "---", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "---", + "FirstCause": true, + "LastCause": true + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV104", + "AVDID": "AVD-KSV-0104", + "Title": "Seccomp policies disabled", + "Description": "A program inside the container can bypass Seccomp protection policies.", + "Message": "container \"dashboard\" of deployment \"dashboard\" in \"default\" namespace should specify a seccomp profile", + "Namespace": "builtin.kubernetes.KSV104", + 
"Query": "data.builtin.kubernetes.KSV104.deny", + "Resolution": "Specify seccomp either by annotation or by seccomp profile type having allowed values as per pod security standards", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv104", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline", + "https://avd.aquasec.com/misconfig/ksv104" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 192, + "EndLine": 192, + "Code": { + "Lines": [ + { + "Number": 192, + "Content": "---", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "---", + "FirstCause": true, + "LastCause": true + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV104", + "AVDID": "AVD-KSV-0104", + "Title": "Seccomp policies disabled", + "Description": "A program inside the container can bypass Seccomp protection policies.", + "Message": "container \"envoy\" of deployment \"dashboard\" in \"default\" namespace should specify a seccomp profile", + "Namespace": "builtin.kubernetes.KSV104", + "Query": "data.builtin.kubernetes.KSV104.deny", + "Resolution": "Specify seccomp either by annotation or by seccomp profile type having allowed values as per pod security standards", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv104", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline", + "https://avd.aquasec.com/misconfig/ksv104" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 192, + "EndLine": 192, + "Code": { + "Lines": [ + { + "Number": 192, + "Content": "---", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "---", + "FirstCause": true, + "LastCause": true + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": 
"KSV106", + "AVDID": "AVD-KSV-0106", + "Title": "Container capabilities must only include NET_BIND_SERVICE", + "Description": "Containers must drop ALL capabilities, and are only permitted to add back the NET_BIND_SERVICE capability.", + "Message": "container should drop all", + "Namespace": "builtin.kubernetes.KSV106", + "Query": "data.builtin.kubernetes.KSV106.deny", + "Resolution": "Set 'spec.containers[*].securityContext.capabilities.drop' to 'ALL' and only add 'NET_BIND_SERVICE' to 'spec.containers[*].securityContext.capabilities.add'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv106", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", + "https://avd.aquasec.com/misconfig/ksv106" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 218, + "EndLine": 231, + "Code": { + "Lines": [ + { + "Number": 218, + "Content": " - name: envoy", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: envoy", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 219, + "Content": " image: \"quay.io/devtron/envoy:v1.14.1\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/envoy:v1.14.1\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 220, + "Content": " ports:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mports\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 221, + "Content": " - containerPort: 9901", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m9901", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 222, + "Content": " protocol: TCP", + "IsCause": 
true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mprotocol\u001b[0m: TCP", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 223, + "Content": " name: envoy-admin", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mname\u001b[0m: envoy-admin", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 224, + "Content": " - name: app", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: app", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 225, + "Content": " containerPort: 8790", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m8790", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 226, + "Content": " protocol: TCP", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mprotocol\u001b[0m: TCP", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 227, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV106", + "AVDID": "AVD-KSV-0106", + "Title": "Container capabilities must only include NET_BIND_SERVICE", + "Description": "Containers must drop ALL capabilities, and are only permitted to add back the NET_BIND_SERVICE capability.", + "Message": "container should drop all", + "Namespace": "builtin.kubernetes.KSV106", + "Query": "data.builtin.kubernetes.KSV106.deny", + "Resolution": "Set 'spec.containers[*].securityContext.capabilities.drop' to 'ALL' and only add 'NET_BIND_SERVICE' to 'spec.containers[*].securityContext.capabilities.add'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv106", + "References": [ + 
"https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", + "https://avd.aquasec.com/misconfig/ksv106" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 232, + "EndLine": 255, + "Code": { + "Lines": [ + { + "Number": 232, + "Content": " - name: dashboard", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: dashboard", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 233, + "Content": " image: \"quay.io/devtron/dashboard:075cba2a-136-6172\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/dashboard:075cba2a-136-6172\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 234, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 235, + "Content": " ports:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mports\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 236, + "Content": " - name: app", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: app", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 237, + "Content": " containerPort: 80", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m80", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 238, + "Content": " protocol: TCP", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mprotocol\u001b[0m: TCP", + "FirstCause": false, + "LastCause": 
false + }, + { + "Number": 239, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 240, + "Content": " - name: CONFIG_HASH", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: CONFIG_HASH", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 241, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV117", + "AVDID": "AVD-KSV-0117", + "Title": "Prevent binding to privileged ports", + "Description": "The ports which are lower than 1024 receive and transmit various sensitive and privileged data. Allowing containers to use them can bring serious implications.", + "Message": "deployment dashboard in default namespace should not set spec.template.spec.containers.ports.containerPort to less than 1024", + "Namespace": "builtin.kubernetes.KSV117", + "Query": "data.builtin.kubernetes.KSV117.deny", + "Resolution": "Do not map the container ports to privileged host ports when starting a container.", + "Severity": "HIGH", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv117", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/", + "https://avd.aquasec.com/misconfig/ksv117" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 192, + "EndLine": 192, + "Code": { + "Lines": [ + { + "Number": 192, + "Content": "---", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "---", + "FirstCause": true, + "LastCause": true + } + ] + } + } + } + ] + }, + { + "Target": "manifests/hyperion/devtron.yaml", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 153, + 
"Failures": 14, + "Exceptions": 0 + }, + "Misconfigurations": [ + { + "Type": "Kubernetes Security Check", + "ID": "KSV001", + "AVDID": "AVD-KSV-0001", + "Title": "Can elevate its own privileges", + "Description": "A program inside the container can elevate its own privileges and run as root, which might give the program control over the container and node.", + "Message": "Container 'devtron' of Deployment 'devtron' should set 'securityContext.allowPrivilegeEscalation' to false", + "Namespace": "builtin.kubernetes.KSV001", + "Query": "data.builtin.kubernetes.KSV001.deny", + "Resolution": "Set 'set containers[].securityContext.allowPrivilegeEscalation' to 'false'.", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv001", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", + "https://avd.aquasec.com/misconfig/ksv001" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 155, + "EndLine": 180, + "Code": { + "Lines": [ + { + "Number": 155, + "Content": " - name: devtron", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: devtron", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 156, + "Content": " image: \"quay.io/devtron/devtron:52693bde-146-6171\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/devtron:52693bde-146-6171\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 157, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 158, + "Content": " ports:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + 
"Highlighted": " \u001b[38;5;33mports\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 159, + "Content": " - name: devtron", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: devtron", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 160, + "Content": " containerPort: 8080", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m8080", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 161, + "Content": " protocol: TCP", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mprotocol\u001b[0m: TCP", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 162, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 163, + "Content": " - name: CONFIG_HASH", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: CONFIG_HASH", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 164, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV003", + "AVDID": "AVD-KSV-0003", + "Title": "Default capabilities: some containers do not drop all", + "Description": "The container should drop all default capabilities and add only those that are needed for its execution.", + "Message": "Container 'devtron' of Deployment 'devtron' should add 'ALL' to 'securityContext.capabilities.drop'", + "Namespace": "builtin.kubernetes.KSV003", + "Query": "data.builtin.kubernetes.KSV003.deny", + "Resolution": "Add 'ALL' to containers[].securityContext.capabilities.drop.", + "Severity": "LOW", + 
"PrimaryURL": "https://avd.aquasec.com/misconfig/ksv003", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-capabilities-drop-index-all/", + "https://avd.aquasec.com/misconfig/ksv003" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 155, + "EndLine": 180, + "Code": { + "Lines": [ + { + "Number": 155, + "Content": " - name: devtron", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: devtron", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 156, + "Content": " image: \"quay.io/devtron/devtron:52693bde-146-6171\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/devtron:52693bde-146-6171\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 157, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 158, + "Content": " ports:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mports\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 159, + "Content": " - name: devtron", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: devtron", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 160, + "Content": " containerPort: 8080", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m8080", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 161, + "Content": " protocol: TCP", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": 
"\u001b[0m \u001b[38;5;33mprotocol\u001b[0m: TCP", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 162, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 163, + "Content": " - name: CONFIG_HASH", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: CONFIG_HASH", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 164, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV011", + "AVDID": "AVD-KSV-0011", + "Title": "CPU not limited", + "Description": "Enforcing CPU limits prevents DoS via resource exhaustion.", + "Message": "Container 'devtron' of Deployment 'devtron' should set 'resources.limits.cpu'", + "Namespace": "builtin.kubernetes.KSV011", + "Query": "data.builtin.kubernetes.KSV011.deny", + "Resolution": "Set a limit value under 'containers[].resources.limits.cpu'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv011", + "References": [ + "https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", + "https://avd.aquasec.com/misconfig/ksv011" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 155, + "EndLine": 180, + "Code": { + "Lines": [ + { + "Number": 155, + "Content": " - name: devtron", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: devtron", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 156, + "Content": " image: \"quay.io/devtron/devtron:52693bde-146-6171\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " 
\u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/devtron:52693bde-146-6171\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 157, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 158, + "Content": " ports:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mports\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 159, + "Content": " - name: devtron", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: devtron", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 160, + "Content": " containerPort: 8080", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m8080", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 161, + "Content": " protocol: TCP", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mprotocol\u001b[0m: TCP", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 162, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 163, + "Content": " - name: CONFIG_HASH", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: CONFIG_HASH", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 164, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV012", + "AVDID": 
"AVD-KSV-0012", + "Title": "Runs as root user", + "Description": "Force the running image to run as a non-root user to ensure least privileges.", + "Message": "Container 'devtron' of Deployment 'devtron' should set 'securityContext.runAsNonRoot' to true", + "Namespace": "builtin.kubernetes.KSV012", + "Query": "data.builtin.kubernetes.KSV012.deny", + "Resolution": "Set 'containers[].securityContext.runAsNonRoot' to true.", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv012", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", + "https://avd.aquasec.com/misconfig/ksv012" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 155, + "EndLine": 180, + "Code": { + "Lines": [ + { + "Number": 155, + "Content": " - name: devtron", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: devtron", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 156, + "Content": " image: \"quay.io/devtron/devtron:52693bde-146-6171\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/devtron:52693bde-146-6171\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 157, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 158, + "Content": " ports:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mports\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 159, + "Content": " - name: devtron", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - 
\u001b[38;5;33mname\u001b[0m: devtron", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 160, + "Content": " containerPort: 8080", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m8080", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 161, + "Content": " protocol: TCP", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mprotocol\u001b[0m: TCP", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 162, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 163, + "Content": " - name: CONFIG_HASH", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: CONFIG_HASH", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 164, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV014", + "AVDID": "AVD-KSV-0014", + "Title": "Root file system is not read-only", + "Description": "An immutable root file system prevents applications from writing to their local disk. 
This can limit intrusions, as attackers will not be able to tamper with the file system or write foreign executables to disk.", + "Message": "Container 'devtron' of Deployment 'devtron' should set 'securityContext.readOnlyRootFilesystem' to true", + "Namespace": "builtin.kubernetes.KSV014", + "Query": "data.builtin.kubernetes.KSV014.deny", + "Resolution": "Change 'containers[].securityContext.readOnlyRootFilesystem' to 'true'.", + "Severity": "HIGH", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv014", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-readonlyrootfilesystem-true/", + "https://avd.aquasec.com/misconfig/ksv014" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 155, + "EndLine": 180, + "Code": { + "Lines": [ + { + "Number": 155, + "Content": " - name: devtron", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: devtron", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 156, + "Content": " image: \"quay.io/devtron/devtron:52693bde-146-6171\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/devtron:52693bde-146-6171\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 157, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 158, + "Content": " ports:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mports\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 159, + "Content": " - name: devtron", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - 
\u001b[38;5;33mname\u001b[0m: devtron", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 160, + "Content": " containerPort: 8080", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m8080", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 161, + "Content": " protocol: TCP", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mprotocol\u001b[0m: TCP", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 162, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 163, + "Content": " - name: CONFIG_HASH", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: CONFIG_HASH", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 164, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV015", + "AVDID": "AVD-KSV-0015", + "Title": "CPU requests not specified", + "Description": "When containers have resource requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", + "Message": "Container 'devtron' of Deployment 'devtron' should set 'resources.requests.cpu'", + "Namespace": "builtin.kubernetes.KSV015", + "Query": "data.builtin.kubernetes.KSV015.deny", + "Resolution": "Set 'containers[].resources.requests.cpu'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv015", + "References": [ + "https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", + "https://avd.aquasec.com/misconfig/ksv015" 
+ ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 155, + "EndLine": 180, + "Code": { + "Lines": [ + { + "Number": 155, + "Content": " - name: devtron", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: devtron", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 156, + "Content": " image: \"quay.io/devtron/devtron:52693bde-146-6171\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/devtron:52693bde-146-6171\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 157, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 158, + "Content": " ports:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mports\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 159, + "Content": " - name: devtron", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: devtron", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 160, + "Content": " containerPort: 8080", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m8080", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 161, + "Content": " protocol: TCP", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mprotocol\u001b[0m: TCP", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 162, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + 
"Highlighted": " \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 163, + "Content": " - name: CONFIG_HASH", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: CONFIG_HASH", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 164, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV016", + "AVDID": "AVD-KSV-0016", + "Title": "Memory requests not specified", + "Description": "When containers have memory requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", + "Message": "Container 'devtron' of Deployment 'devtron' should set 'resources.requests.memory'", + "Namespace": "builtin.kubernetes.KSV016", + "Query": "data.builtin.kubernetes.KSV016.deny", + "Resolution": "Set 'containers[].resources.requests.memory'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv016", + "References": [ + "https://kubesec.io/basics/containers-resources-limits-memory/", + "https://avd.aquasec.com/misconfig/ksv016" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 155, + "EndLine": 180, + "Code": { + "Lines": [ + { + "Number": 155, + "Content": " - name: devtron", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: devtron", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 156, + "Content": " image: \"quay.io/devtron/devtron:52693bde-146-6171\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/devtron:52693bde-146-6171\"", + "FirstCause": false, + "LastCause": false + }, + { + 
"Number": 157, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 158, + "Content": " ports:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mports\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 159, + "Content": " - name: devtron", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: devtron", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 160, + "Content": " containerPort: 8080", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m8080", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 161, + "Content": " protocol: TCP", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mprotocol\u001b[0m: TCP", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 162, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 163, + "Content": " - name: CONFIG_HASH", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: CONFIG_HASH", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 164, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV018", + "AVDID": "AVD-KSV-0018", + "Title": "Memory not limited", + "Description": "Enforcing memory limits prevents DoS via resource exhaustion.", + "Message": "Container 
'devtron' of Deployment 'devtron' should set 'resources.limits.memory'", + "Namespace": "builtin.kubernetes.KSV018", + "Query": "data.builtin.kubernetes.KSV018.deny", + "Resolution": "Set a limit value under 'containers[].resources.limits.memory'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv018", + "References": [ + "https://kubesec.io/basics/containers-resources-limits-memory/", + "https://avd.aquasec.com/misconfig/ksv018" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 155, + "EndLine": 180, + "Code": { + "Lines": [ + { + "Number": 155, + "Content": " - name: devtron", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: devtron", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 156, + "Content": " image: \"quay.io/devtron/devtron:52693bde-146-6171\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/devtron:52693bde-146-6171\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 157, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 158, + "Content": " ports:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mports\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 159, + "Content": " - name: devtron", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: devtron", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 160, + "Content": " containerPort: 8080", + "IsCause": true, + "Annotation": "", + "Truncated": false, + 
"Highlighted": " \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m8080", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 161, + "Content": " protocol: TCP", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mprotocol\u001b[0m: TCP", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 162, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 163, + "Content": " - name: CONFIG_HASH", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: CONFIG_HASH", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 164, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV020", + "AVDID": "AVD-KSV-0020", + "Title": "Runs with UID \u003c= 10000", + "Description": "Force the container to run with user ID \u003e 10000 to avoid conflicts with the host’s user table.", + "Message": "Container 'devtron' of Deployment 'devtron' should set 'securityContext.runAsUser' \u003e 10000", + "Namespace": "builtin.kubernetes.KSV020", + "Query": "data.builtin.kubernetes.KSV020.deny", + "Resolution": "Set 'containers[].securityContext.runAsUser' to an integer \u003e 10000.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv020", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-runasuser/", + "https://avd.aquasec.com/misconfig/ksv020" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 155, + "EndLine": 180, + "Code": { + "Lines": [ + { + "Number": 155, + "Content": " - name: devtron", + "IsCause": true, + "Annotation": "", + 
"Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: devtron", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 156, + "Content": " image: \"quay.io/devtron/devtron:52693bde-146-6171\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/devtron:52693bde-146-6171\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 157, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 158, + "Content": " ports:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mports\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 159, + "Content": " - name: devtron", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: devtron", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 160, + "Content": " containerPort: 8080", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m8080", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 161, + "Content": " protocol: TCP", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mprotocol\u001b[0m: TCP", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 162, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 163, + "Content": " - name: CONFIG_HASH", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: 
CONFIG_HASH", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 164, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV021", + "AVDID": "AVD-KSV-0021", + "Title": "Runs with GID \u003c= 10000", + "Description": "Force the container to run with group ID \u003e 10000 to avoid conflicts with the host’s user table.", + "Message": "Container 'devtron' of Deployment 'devtron' should set 'securityContext.runAsGroup' \u003e 10000", + "Namespace": "builtin.kubernetes.KSV021", + "Query": "data.builtin.kubernetes.KSV021.deny", + "Resolution": "Set 'containers[].securityContext.runAsGroup' to an integer \u003e 10000.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv021", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-runasuser/", + "https://avd.aquasec.com/misconfig/ksv021" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 155, + "EndLine": 180, + "Code": { + "Lines": [ + { + "Number": 155, + "Content": " - name: devtron", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: devtron", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 156, + "Content": " image: \"quay.io/devtron/devtron:52693bde-146-6171\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/devtron:52693bde-146-6171\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 157, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 158, + "Content": 
" ports:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mports\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 159, + "Content": " - name: devtron", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: devtron", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 160, + "Content": " containerPort: 8080", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m8080", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 161, + "Content": " protocol: TCP", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mprotocol\u001b[0m: TCP", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 162, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 163, + "Content": " - name: CONFIG_HASH", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: CONFIG_HASH", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 164, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV030", + "AVDID": "AVD-KSV-0030", + "Title": "Runtime/Default Seccomp profile not set", + "Description": "According to pod security standard 'Seccomp', the RuntimeDefault seccomp profile must be required, or allow specific additional profiles.", + "Message": "Either Pod or Container should set 'securityContext.seccompProfile.type' to 'RuntimeDefault'", + "Namespace": "builtin.kubernetes.KSV030", + "Query": "data.builtin.kubernetes.KSV030.deny", + "Resolution": "Set 
'spec.securityContext.seccompProfile.type', 'spec.containers[*].securityContext.seccompProfile' and 'spec.initContainers[*].securityContext.seccompProfile' to 'RuntimeDefault' or undefined.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv030", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", + "https://avd.aquasec.com/misconfig/ksv030" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 155, + "EndLine": 180, + "Code": { + "Lines": [ + { + "Number": 155, + "Content": " - name: devtron", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: devtron", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 156, + "Content": " image: \"quay.io/devtron/devtron:52693bde-146-6171\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/devtron:52693bde-146-6171\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 157, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 158, + "Content": " ports:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mports\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 159, + "Content": " - name: devtron", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: devtron", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 160, + "Content": " containerPort: 8080", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " 
\u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m8080", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 161, + "Content": " protocol: TCP", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mprotocol\u001b[0m: TCP", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 162, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 163, + "Content": " - name: CONFIG_HASH", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: CONFIG_HASH", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 164, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "AVD-KSV-01010", + "AVDID": "AVD-KSV-01010", + "Title": "ConfigMap with sensitive content", + "Description": "Storing sensitive content such as usernames and email addresses in configMaps is unsafe", + "Message": "ConfigMap 'devtron-cm' in 'default' namespace stores sensitive contents in key(s) or value(s) '{\"ACD_TIMEOUT\", \"ACD_USERNAME\", \"CACHE_LIMIT\", \"CD_NODE_TAINTS_KEY\", \"CExpirationTime\", \"CI_LOGS_KEY_PREFIX\", \"CI_NODE_TAINTS_KEY\", \"DEFAULT_ARTIFACT_KEY_LOCATION\", \"DEFAULT_BUILD_LOGS_KEY_PREFIX\", \"DEFAULT_CD_ARTIFACT_KEY_LOCATION\", \"DEFAULT_CD_TIMEOUT\", \"DEFAULT_TIMEOUT\", \"DEX_PORT\", \"GIT_SENSOR_TIMEOUT\", \"JwtExpirationTime\", \"LENS_TIMEOUT\", \"MODE\", \"PG_PORT\"}'", + "Namespace": "builtin.kubernetes.KSV01010", + "Query": "data.builtin.kubernetes.KSV01010.deny", + "Resolution": "Remove sensitive content from configMap data value", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/avd-ksv-01010", + "References": [ + 
"https://avd.aquasec.com/misconfig/avd-ksv-01010" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 9, + "EndLine": 9, + "Code": { + "Lines": [ + { + "Number": 9, + "Content": "---", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "---", + "FirstCause": true, + "LastCause": true + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV104", + "AVDID": "AVD-KSV-0104", + "Title": "Seccomp policies disabled", + "Description": "A program inside the container can bypass Seccomp protection policies.", + "Message": "container \"devtron\" of deployment \"devtron\" in \"default\" namespace should specify a seccomp profile", + "Namespace": "builtin.kubernetes.KSV104", + "Query": "data.builtin.kubernetes.KSV104.deny", + "Resolution": "Specify seccomp either by annotation or by seccomp profile type having allowed values as per pod security standards", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv104", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline", + "https://avd.aquasec.com/misconfig/ksv104" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 128, + "EndLine": 128, + "Code": { + "Lines": [ + { + "Number": 128, + "Content": "---", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "---", + "FirstCause": true, + "LastCause": true + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV106", + "AVDID": "AVD-KSV-0106", + "Title": "Container capabilities must only include NET_BIND_SERVICE", + "Description": "Containers must drop ALL capabilities, and are only permitted to add back the NET_BIND_SERVICE capability.", + "Message": "container should drop all", + "Namespace": "builtin.kubernetes.KSV106", + "Query": "data.builtin.kubernetes.KSV106.deny", + 
"Resolution": "Set 'spec.containers[*].securityContext.capabilities.drop' to 'ALL' and only add 'NET_BIND_SERVICE' to 'spec.containers[*].securityContext.capabilities.add'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv106", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", + "https://avd.aquasec.com/misconfig/ksv106" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 155, + "EndLine": 180, + "Code": { + "Lines": [ + { + "Number": 155, + "Content": " - name: devtron", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: devtron", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 156, + "Content": " image: \"quay.io/devtron/devtron:52693bde-146-6171\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/devtron:52693bde-146-6171\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 157, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 158, + "Content": " ports:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mports\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 159, + "Content": " - name: devtron", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: devtron", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 160, + "Content": " containerPort: 8080", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mcontainerPort\u001b[0m: 
\u001b[38;5;37m8080", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 161, + "Content": " protocol: TCP", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mprotocol\u001b[0m: TCP", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 162, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 163, + "Content": " - name: CONFIG_HASH", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: CONFIG_HASH", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 164, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + } + ] + }, + { + "Target": "manifests/hyperion/migrator.yaml", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 140, + "Failures": 38, + "Exceptions": 0 + }, + "Misconfigurations": [ + { + "Type": "Kubernetes Security Check", + "ID": "KSV001", + "AVDID": "AVD-KSV-0001", + "Title": "Can elevate its own privileges", + "Description": "A program inside the container can elevate its own privileges and run as root, which might give the program control over the container and node.", + "Message": "Container 'devtron-rollout' of Job 'postgresql-migrate-casbin' should set 'securityContext.allowPrivilegeEscalation' to false", + "Namespace": "builtin.kubernetes.KSV001", + "Query": "data.builtin.kubernetes.KSV001.deny", + "Resolution": "Set 'set containers[].securityContext.allowPrivilegeEscalation' to 'false'.", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv001", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", + "https://avd.aquasec.com/misconfig/ksv001" + ], + "Status": "FAIL", 
+ "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 49, + "EndLine": 51, + "Code": { + "Lines": [ + { + "Number": 49, + "Content": " - name: devtron-rollout", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: devtron-rollout", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 50, + "Content": " image: quay.io/bitnami/kubectl:latest", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/bitnami/kubectl:latest", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 51, + "Content": " command: ['sh', '-c', 'kubectl rollout restart deployment/devtron -n devtroncd']", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mcommand\u001b[0m: [\u001b[38;5;37m'sh'\u001b[0m, \u001b[38;5;37m'-c'\u001b[0m, \u001b[38;5;37m'kubectl rollout restart deployment/devtron -n devtroncd'\u001b[0m]", + "FirstCause": false, + "LastCause": true + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV001", + "AVDID": "AVD-KSV-0001", + "Title": "Can elevate its own privileges", + "Description": "A program inside the container can elevate its own privileges and run as root, which might give the program control over the container and node.", + "Message": "Container 'postgresql-migrate-casbin' of Job 'postgresql-migrate-casbin' should set 'securityContext.allowPrivilegeEscalation' to false", + "Namespace": "builtin.kubernetes.KSV001", + "Query": "data.builtin.kubernetes.KSV001.deny", + "Resolution": "Set 'set containers[].securityContext.allowPrivilegeEscalation' to 'false'.", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv001", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", + "https://avd.aquasec.com/misconfig/ksv001" + ], + "Status": "FAIL", + 
"Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 53, + "EndLine": 82, + "Code": { + "Lines": [ + { + "Number": 53, + "Content": " - name: postgresql-migrate-casbin", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-migrate-casbin", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 54, + "Content": " image: quay.io/devtron/migrator:6687f572-133-2208", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/migrator:6687f572-133-2208", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 55, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 56, + "Content": " - name: SCRIPT_LOCATION", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: SCRIPT_LOCATION", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 57, + "Content": " value: scripts/casbin/", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: scripts/casbin/", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 58, + "Content": " - name: GIT_REPO_URL", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: GIT_REPO_URL", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 59, + "Content": " value: https://github.com/devtron-labs/devtron.git", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: https://github.com/devtron-labs/devtron.git", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 60, + "Content": " - name: DB_TYPE", + "IsCause": true, + "Annotation": "", + 
"Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: DB_TYPE", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 61, + "Content": " value: postgres", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: postgres", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 62, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV001", + "AVDID": "AVD-KSV-0001", + "Title": "Can elevate its own privileges", + "Description": "A program inside the container can elevate its own privileges and run as root, which might give the program control over the container and node.", + "Message": "Container 'postgresql-migrate-devtron' of Job 'postgresql-migrate-devtron' should set 'securityContext.allowPrivilegeEscalation' to false", + "Namespace": "builtin.kubernetes.KSV001", + "Query": "data.builtin.kubernetes.KSV001.deny", + "Resolution": "Set 'set containers[].securityContext.allowPrivilegeEscalation' to 'false'.", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv001", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", + "https://avd.aquasec.com/misconfig/ksv001" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 10, + "EndLine": 35, + "Code": { + "Lines": [ + { + "Number": 10, + "Content": " - name: postgresql-migrate-devtron", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-migrate-devtron", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 11, + "Content": " image: quay.io/devtron/migrator:6687f572-133-2208", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " 
\u001b[38;5;33mimage\u001b[0m: quay.io/devtron/migrator:6687f572-133-2208", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 12, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 13, + "Content": " - name: GIT_BRANCH", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: GIT_BRANCH", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 14, + "Content": " value: main", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: main", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 15, + "Content": " - name: SCRIPT_LOCATION", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: SCRIPT_LOCATION", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 16, + "Content": " value: scripts/sql/", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: scripts/sql/", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 17, + "Content": " - name: GIT_REPO_URL", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: GIT_REPO_URL", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 18, + "Content": " value: https://github.com/devtron-labs/devtron.git", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: https://github.com/devtron-labs/devtron.git", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 19, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV003", + 
"AVDID": "AVD-KSV-0003", + "Title": "Default capabilities: some containers do not drop all", + "Description": "The container should drop all default capabilities and add only those that are needed for its execution.", + "Message": "Container 'devtron-rollout' of Job 'postgresql-migrate-casbin' should add 'ALL' to 'securityContext.capabilities.drop'", + "Namespace": "builtin.kubernetes.KSV003", + "Query": "data.builtin.kubernetes.KSV003.deny", + "Resolution": "Add 'ALL' to containers[].securityContext.capabilities.drop.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv003", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-capabilities-drop-index-all/", + "https://avd.aquasec.com/misconfig/ksv003" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 49, + "EndLine": 51, + "Code": { + "Lines": [ + { + "Number": 49, + "Content": " - name: devtron-rollout", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: devtron-rollout", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 50, + "Content": " image: quay.io/bitnami/kubectl:latest", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/bitnami/kubectl:latest", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 51, + "Content": " command: ['sh', '-c', 'kubectl rollout restart deployment/devtron -n devtroncd']", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mcommand\u001b[0m: [\u001b[38;5;37m'sh'\u001b[0m, \u001b[38;5;37m'-c'\u001b[0m, \u001b[38;5;37m'kubectl rollout restart deployment/devtron -n devtroncd'\u001b[0m]", + "FirstCause": false, + "LastCause": true + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV003", + "AVDID": "AVD-KSV-0003", + "Title": "Default 
capabilities: some containers do not drop all", + "Description": "The container should drop all default capabilities and add only those that are needed for its execution.", + "Message": "Container 'postgresql-migrate-casbin' of Job 'postgresql-migrate-casbin' should add 'ALL' to 'securityContext.capabilities.drop'", + "Namespace": "builtin.kubernetes.KSV003", + "Query": "data.builtin.kubernetes.KSV003.deny", + "Resolution": "Add 'ALL' to containers[].securityContext.capabilities.drop.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv003", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-capabilities-drop-index-all/", + "https://avd.aquasec.com/misconfig/ksv003" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 53, + "EndLine": 82, + "Code": { + "Lines": [ + { + "Number": 53, + "Content": " - name: postgresql-migrate-casbin", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-migrate-casbin", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 54, + "Content": " image: quay.io/devtron/migrator:6687f572-133-2208", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/migrator:6687f572-133-2208", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 55, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 56, + "Content": " - name: SCRIPT_LOCATION", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: SCRIPT_LOCATION", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 57, + "Content": " value: scripts/casbin/", + "IsCause": true, + "Annotation": "", + 
"Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: scripts/casbin/", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 58, + "Content": " - name: GIT_REPO_URL", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: GIT_REPO_URL", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 59, + "Content": " value: https://github.com/devtron-labs/devtron.git", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: https://github.com/devtron-labs/devtron.git", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 60, + "Content": " - name: DB_TYPE", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: DB_TYPE", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 61, + "Content": " value: postgres", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: postgres", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 62, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV003", + "AVDID": "AVD-KSV-0003", + "Title": "Default capabilities: some containers do not drop all", + "Description": "The container should drop all default capabilities and add only those that are needed for its execution.", + "Message": "Container 'postgresql-migrate-devtron' of Job 'postgresql-migrate-devtron' should add 'ALL' to 'securityContext.capabilities.drop'", + "Namespace": "builtin.kubernetes.KSV003", + "Query": "data.builtin.kubernetes.KSV003.deny", + "Resolution": "Add 'ALL' to containers[].securityContext.capabilities.drop.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv003", + "References": [ + 
"https://kubesec.io/basics/containers-securitycontext-capabilities-drop-index-all/", + "https://avd.aquasec.com/misconfig/ksv003" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 10, + "EndLine": 35, + "Code": { + "Lines": [ + { + "Number": 10, + "Content": " - name: postgresql-migrate-devtron", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-migrate-devtron", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 11, + "Content": " image: quay.io/devtron/migrator:6687f572-133-2208", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/migrator:6687f572-133-2208", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 12, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 13, + "Content": " - name: GIT_BRANCH", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: GIT_BRANCH", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 14, + "Content": " value: main", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: main", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 15, + "Content": " - name: SCRIPT_LOCATION", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: SCRIPT_LOCATION", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 16, + "Content": " value: scripts/sql/", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: scripts/sql/", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 17, + 
"Content": " - name: GIT_REPO_URL", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: GIT_REPO_URL", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 18, + "Content": " value: https://github.com/devtron-labs/devtron.git", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: https://github.com/devtron-labs/devtron.git", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 19, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV011", + "AVDID": "AVD-KSV-0011", + "Title": "CPU not limited", + "Description": "Enforcing CPU limits prevents DoS via resource exhaustion.", + "Message": "Container 'devtron-rollout' of Job 'postgresql-migrate-casbin' should set 'resources.limits.cpu'", + "Namespace": "builtin.kubernetes.KSV011", + "Query": "data.builtin.kubernetes.KSV011.deny", + "Resolution": "Set a limit value under 'containers[].resources.limits.cpu'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv011", + "References": [ + "https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", + "https://avd.aquasec.com/misconfig/ksv011" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 49, + "EndLine": 51, + "Code": { + "Lines": [ + { + "Number": 49, + "Content": " - name: devtron-rollout", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: devtron-rollout", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 50, + "Content": " image: quay.io/bitnami/kubectl:latest", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " 
\u001b[38;5;33mimage\u001b[0m: quay.io/bitnami/kubectl:latest", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 51, + "Content": " command: ['sh', '-c', 'kubectl rollout restart deployment/devtron -n devtroncd']", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mcommand\u001b[0m: [\u001b[38;5;37m'sh'\u001b[0m, \u001b[38;5;37m'-c'\u001b[0m, \u001b[38;5;37m'kubectl rollout restart deployment/devtron -n devtroncd'\u001b[0m]", + "FirstCause": false, + "LastCause": true + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV011", + "AVDID": "AVD-KSV-0011", + "Title": "CPU not limited", + "Description": "Enforcing CPU limits prevents DoS via resource exhaustion.", + "Message": "Container 'postgresql-migrate-casbin' of Job 'postgresql-migrate-casbin' should set 'resources.limits.cpu'", + "Namespace": "builtin.kubernetes.KSV011", + "Query": "data.builtin.kubernetes.KSV011.deny", + "Resolution": "Set a limit value under 'containers[].resources.limits.cpu'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv011", + "References": [ + "https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", + "https://avd.aquasec.com/misconfig/ksv011" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 53, + "EndLine": 82, + "Code": { + "Lines": [ + { + "Number": 53, + "Content": " - name: postgresql-migrate-casbin", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-migrate-casbin", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 54, + "Content": " image: quay.io/devtron/migrator:6687f572-133-2208", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/migrator:6687f572-133-2208", + 
"FirstCause": false, + "LastCause": false + }, + { + "Number": 55, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 56, + "Content": " - name: SCRIPT_LOCATION", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: SCRIPT_LOCATION", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 57, + "Content": " value: scripts/casbin/", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: scripts/casbin/", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 58, + "Content": " - name: GIT_REPO_URL", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: GIT_REPO_URL", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 59, + "Content": " value: https://github.com/devtron-labs/devtron.git", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: https://github.com/devtron-labs/devtron.git", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 60, + "Content": " - name: DB_TYPE", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: DB_TYPE", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 61, + "Content": " value: postgres", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: postgres", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 62, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV011", + "AVDID": "AVD-KSV-0011", + "Title": "CPU not limited", + "Description": 
"Enforcing CPU limits prevents DoS via resource exhaustion.", + "Message": "Container 'postgresql-migrate-devtron' of Job 'postgresql-migrate-devtron' should set 'resources.limits.cpu'", + "Namespace": "builtin.kubernetes.KSV011", + "Query": "data.builtin.kubernetes.KSV011.deny", + "Resolution": "Set a limit value under 'containers[].resources.limits.cpu'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv011", + "References": [ + "https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", + "https://avd.aquasec.com/misconfig/ksv011" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 10, + "EndLine": 35, + "Code": { + "Lines": [ + { + "Number": 10, + "Content": " - name: postgresql-migrate-devtron", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-migrate-devtron", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 11, + "Content": " image: quay.io/devtron/migrator:6687f572-133-2208", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/migrator:6687f572-133-2208", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 12, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 13, + "Content": " - name: GIT_BRANCH", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: GIT_BRANCH", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 14, + "Content": " value: main", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: main", + "FirstCause": false, + "LastCause": false + 
}, + { + "Number": 15, + "Content": " - name: SCRIPT_LOCATION", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: SCRIPT_LOCATION", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 16, + "Content": " value: scripts/sql/", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: scripts/sql/", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 17, + "Content": " - name: GIT_REPO_URL", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: GIT_REPO_URL", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 18, + "Content": " value: https://github.com/devtron-labs/devtron.git", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: https://github.com/devtron-labs/devtron.git", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 19, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV012", + "AVDID": "AVD-KSV-0012", + "Title": "Runs as root user", + "Description": "Force the running image to run as a non-root user to ensure least privileges.", + "Message": "Container 'devtron-rollout' of Job 'postgresql-migrate-casbin' should set 'securityContext.runAsNonRoot' to true", + "Namespace": "builtin.kubernetes.KSV012", + "Query": "data.builtin.kubernetes.KSV012.deny", + "Resolution": "Set 'containers[].securityContext.runAsNonRoot' to true.", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv012", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", + "https://avd.aquasec.com/misconfig/ksv012" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": 
"Kubernetes", + "Service": "general", + "StartLine": 49, + "EndLine": 51, + "Code": { + "Lines": [ + { + "Number": 49, + "Content": " - name: devtron-rollout", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: devtron-rollout", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 50, + "Content": " image: quay.io/bitnami/kubectl:latest", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/bitnami/kubectl:latest", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 51, + "Content": " command: ['sh', '-c', 'kubectl rollout restart deployment/devtron -n devtroncd']", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mcommand\u001b[0m: [\u001b[38;5;37m'sh'\u001b[0m, \u001b[38;5;37m'-c'\u001b[0m, \u001b[38;5;37m'kubectl rollout restart deployment/devtron -n devtroncd'\u001b[0m]", + "FirstCause": false, + "LastCause": true + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV012", + "AVDID": "AVD-KSV-0012", + "Title": "Runs as root user", + "Description": "Force the running image to run as a non-root user to ensure least privileges.", + "Message": "Container 'postgresql-migrate-casbin' of Job 'postgresql-migrate-casbin' should set 'securityContext.runAsNonRoot' to true", + "Namespace": "builtin.kubernetes.KSV012", + "Query": "data.builtin.kubernetes.KSV012.deny", + "Resolution": "Set 'containers[].securityContext.runAsNonRoot' to true.", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv012", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", + "https://avd.aquasec.com/misconfig/ksv012" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 53, + "EndLine": 82, + "Code": { + "Lines": [ + { + "Number": 53, 
+ "Content": " - name: postgresql-migrate-casbin", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-migrate-casbin", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 54, + "Content": " image: quay.io/devtron/migrator:6687f572-133-2208", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/migrator:6687f572-133-2208", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 55, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 56, + "Content": " - name: SCRIPT_LOCATION", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: SCRIPT_LOCATION", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 57, + "Content": " value: scripts/casbin/", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: scripts/casbin/", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 58, + "Content": " - name: GIT_REPO_URL", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: GIT_REPO_URL", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 59, + "Content": " value: https://github.com/devtron-labs/devtron.git", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: https://github.com/devtron-labs/devtron.git", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 60, + "Content": " - name: DB_TYPE", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: DB_TYPE", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 61, + "Content": " 
value: postgres", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: postgres", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 62, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV012", + "AVDID": "AVD-KSV-0012", + "Title": "Runs as root user", + "Description": "Force the running image to run as a non-root user to ensure least privileges.", + "Message": "Container 'postgresql-migrate-devtron' of Job 'postgresql-migrate-devtron' should set 'securityContext.runAsNonRoot' to true", + "Namespace": "builtin.kubernetes.KSV012", + "Query": "data.builtin.kubernetes.KSV012.deny", + "Resolution": "Set 'containers[].securityContext.runAsNonRoot' to true.", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv012", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", + "https://avd.aquasec.com/misconfig/ksv012" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 10, + "EndLine": 35, + "Code": { + "Lines": [ + { + "Number": 10, + "Content": " - name: postgresql-migrate-devtron", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-migrate-devtron", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 11, + "Content": " image: quay.io/devtron/migrator:6687f572-133-2208", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/migrator:6687f572-133-2208", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 12, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33menv\u001b[0m:", + 
"FirstCause": false, + "LastCause": false + }, + { + "Number": 13, + "Content": " - name: GIT_BRANCH", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: GIT_BRANCH", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 14, + "Content": " value: main", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: main", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 15, + "Content": " - name: SCRIPT_LOCATION", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: SCRIPT_LOCATION", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 16, + "Content": " value: scripts/sql/", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: scripts/sql/", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 17, + "Content": " - name: GIT_REPO_URL", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: GIT_REPO_URL", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 18, + "Content": " value: https://github.com/devtron-labs/devtron.git", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: https://github.com/devtron-labs/devtron.git", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 19, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV013", + "AVDID": "AVD-KSV-0013", + "Title": "Image tag \":latest\" used", + "Description": "It is best to avoid using the ':latest' image tag when deploying containers in production. 
Doing so makes it hard to track which version of the image is running, and hard to roll back the version.", + "Message": "Container 'devtron-rollout' of Job 'postgresql-migrate-casbin' should specify an image tag", + "Namespace": "builtin.kubernetes.KSV013", + "Query": "data.builtin.kubernetes.KSV013.deny", + "Resolution": "Use a specific container image tag that is not 'latest'.", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv013", + "References": [ + "https://kubernetes.io/docs/concepts/configuration/overview/#container-images", + "https://avd.aquasec.com/misconfig/ksv013" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 49, + "EndLine": 51, + "Code": { + "Lines": [ + { + "Number": 49, + "Content": " - name: devtron-rollout", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: devtron-rollout", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 50, + "Content": " image: quay.io/bitnami/kubectl:latest", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/bitnami/kubectl:latest", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 51, + "Content": " command: ['sh', '-c', 'kubectl rollout restart deployment/devtron -n devtroncd']", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mcommand\u001b[0m: [\u001b[38;5;37m'sh'\u001b[0m, \u001b[38;5;37m'-c'\u001b[0m, \u001b[38;5;37m'kubectl rollout restart deployment/devtron -n devtroncd'\u001b[0m]", + "FirstCause": false, + "LastCause": true + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV014", + "AVDID": "AVD-KSV-0014", + "Title": "Root file system is not read-only", + "Description": "An immutable root file system prevents applications from writing to their local disk. 
This can limit intrusions, as attackers will not be able to tamper with the file system or write foreign executables to disk.", + "Message": "Container 'devtron-rollout' of Job 'postgresql-migrate-casbin' should set 'securityContext.readOnlyRootFilesystem' to true", + "Namespace": "builtin.kubernetes.KSV014", + "Query": "data.builtin.kubernetes.KSV014.deny", + "Resolution": "Change 'containers[].securityContext.readOnlyRootFilesystem' to 'true'.", + "Severity": "HIGH", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv014", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-readonlyrootfilesystem-true/", + "https://avd.aquasec.com/misconfig/ksv014" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 49, + "EndLine": 51, + "Code": { + "Lines": [ + { + "Number": 49, + "Content": " - name: devtron-rollout", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: devtron-rollout", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 50, + "Content": " image: quay.io/bitnami/kubectl:latest", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/bitnami/kubectl:latest", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 51, + "Content": " command: ['sh', '-c', 'kubectl rollout restart deployment/devtron -n devtroncd']", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mcommand\u001b[0m: [\u001b[38;5;37m'sh'\u001b[0m, \u001b[38;5;37m'-c'\u001b[0m, \u001b[38;5;37m'kubectl rollout restart deployment/devtron -n devtroncd'\u001b[0m]", + "FirstCause": false, + "LastCause": true + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV014", + "AVDID": "AVD-KSV-0014", + "Title": "Root file system is not read-only", + "Description": "An immutable root file system prevents 
applications from writing to their local disk. This can limit intrusions, as attackers will not be able to tamper with the file system or write foreign executables to disk.", + "Message": "Container 'postgresql-migrate-casbin' of Job 'postgresql-migrate-casbin' should set 'securityContext.readOnlyRootFilesystem' to true", + "Namespace": "builtin.kubernetes.KSV014", + "Query": "data.builtin.kubernetes.KSV014.deny", + "Resolution": "Change 'containers[].securityContext.readOnlyRootFilesystem' to 'true'.", + "Severity": "HIGH", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv014", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-readonlyrootfilesystem-true/", + "https://avd.aquasec.com/misconfig/ksv014" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 53, + "EndLine": 82, + "Code": { + "Lines": [ + { + "Number": 53, + "Content": " - name: postgresql-migrate-casbin", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-migrate-casbin", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 54, + "Content": " image: quay.io/devtron/migrator:6687f572-133-2208", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/migrator:6687f572-133-2208", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 55, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 56, + "Content": " - name: SCRIPT_LOCATION", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: SCRIPT_LOCATION", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 57, + "Content": " value: scripts/casbin/", + "IsCause": true, + 
"Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: scripts/casbin/", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 58, + "Content": " - name: GIT_REPO_URL", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: GIT_REPO_URL", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 59, + "Content": " value: https://github.com/devtron-labs/devtron.git", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: https://github.com/devtron-labs/devtron.git", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 60, + "Content": " - name: DB_TYPE", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: DB_TYPE", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 61, + "Content": " value: postgres", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: postgres", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 62, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV014", + "AVDID": "AVD-KSV-0014", + "Title": "Root file system is not read-only", + "Description": "An immutable root file system prevents applications from writing to their local disk. 
This can limit intrusions, as attackers will not be able to tamper with the file system or write foreign executables to disk.", + "Message": "Container 'postgresql-migrate-devtron' of Job 'postgresql-migrate-devtron' should set 'securityContext.readOnlyRootFilesystem' to true", + "Namespace": "builtin.kubernetes.KSV014", + "Query": "data.builtin.kubernetes.KSV014.deny", + "Resolution": "Change 'containers[].securityContext.readOnlyRootFilesystem' to 'true'.", + "Severity": "HIGH", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv014", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-readonlyrootfilesystem-true/", + "https://avd.aquasec.com/misconfig/ksv014" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 10, + "EndLine": 35, + "Code": { + "Lines": [ + { + "Number": 10, + "Content": " - name: postgresql-migrate-devtron", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-migrate-devtron", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 11, + "Content": " image: quay.io/devtron/migrator:6687f572-133-2208", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/migrator:6687f572-133-2208", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 12, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 13, + "Content": " - name: GIT_BRANCH", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: GIT_BRANCH", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 14, + "Content": " value: main", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " 
\u001b[38;5;33mvalue\u001b[0m: main", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 15, + "Content": " - name: SCRIPT_LOCATION", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: SCRIPT_LOCATION", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 16, + "Content": " value: scripts/sql/", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: scripts/sql/", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 17, + "Content": " - name: GIT_REPO_URL", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: GIT_REPO_URL", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 18, + "Content": " value: https://github.com/devtron-labs/devtron.git", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: https://github.com/devtron-labs/devtron.git", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 19, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV015", + "AVDID": "AVD-KSV-0015", + "Title": "CPU requests not specified", + "Description": "When containers have resource requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", + "Message": "Container 'devtron-rollout' of Job 'postgresql-migrate-casbin' should set 'resources.requests.cpu'", + "Namespace": "builtin.kubernetes.KSV015", + "Query": "data.builtin.kubernetes.KSV015.deny", + "Resolution": "Set 'containers[].resources.requests.cpu'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv015", + "References": [ + 
"https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", + "https://avd.aquasec.com/misconfig/ksv015" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 49, + "EndLine": 51, + "Code": { + "Lines": [ + { + "Number": 49, + "Content": " - name: devtron-rollout", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: devtron-rollout", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 50, + "Content": " image: quay.io/bitnami/kubectl:latest", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/bitnami/kubectl:latest", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 51, + "Content": " command: ['sh', '-c', 'kubectl rollout restart deployment/devtron -n devtroncd']", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mcommand\u001b[0m: [\u001b[38;5;37m'sh'\u001b[0m, \u001b[38;5;37m'-c'\u001b[0m, \u001b[38;5;37m'kubectl rollout restart deployment/devtron -n devtroncd'\u001b[0m]", + "FirstCause": false, + "LastCause": true + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV015", + "AVDID": "AVD-KSV-0015", + "Title": "CPU requests not specified", + "Description": "When containers have resource requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", + "Message": "Container 'postgresql-migrate-devtron' of Job 'postgresql-migrate-devtron' should set 'resources.requests.cpu'", + "Namespace": "builtin.kubernetes.KSV015", + "Query": "data.builtin.kubernetes.KSV015.deny", + "Resolution": "Set 'containers[].resources.requests.cpu'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv015", + "References": [ + 
"https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", + "https://avd.aquasec.com/misconfig/ksv015" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 10, + "EndLine": 35, + "Code": { + "Lines": [ + { + "Number": 10, + "Content": " - name: postgresql-migrate-devtron", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-migrate-devtron", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 11, + "Content": " image: quay.io/devtron/migrator:6687f572-133-2208", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/migrator:6687f572-133-2208", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 12, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 13, + "Content": " - name: GIT_BRANCH", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: GIT_BRANCH", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 14, + "Content": " value: main", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: main", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 15, + "Content": " - name: SCRIPT_LOCATION", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: SCRIPT_LOCATION", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 16, + "Content": " value: scripts/sql/", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: scripts/sql/", + "FirstCause": false, + "LastCause": 
false + }, + { + "Number": 17, + "Content": " - name: GIT_REPO_URL", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: GIT_REPO_URL", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 18, + "Content": " value: https://github.com/devtron-labs/devtron.git", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: https://github.com/devtron-labs/devtron.git", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 19, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV016", + "AVDID": "AVD-KSV-0016", + "Title": "Memory requests not specified", + "Description": "When containers have memory requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", + "Message": "Container 'devtron-rollout' of Job 'postgresql-migrate-casbin' should set 'resources.requests.memory'", + "Namespace": "builtin.kubernetes.KSV016", + "Query": "data.builtin.kubernetes.KSV016.deny", + "Resolution": "Set 'containers[].resources.requests.memory'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv016", + "References": [ + "https://kubesec.io/basics/containers-resources-limits-memory/", + "https://avd.aquasec.com/misconfig/ksv016" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 49, + "EndLine": 51, + "Code": { + "Lines": [ + { + "Number": 49, + "Content": " - name: devtron-rollout", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: devtron-rollout", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 50, + "Content": " image: quay.io/bitnami/kubectl:latest", + 
"IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/bitnami/kubectl:latest", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 51, + "Content": " command: ['sh', '-c', 'kubectl rollout restart deployment/devtron -n devtroncd']", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mcommand\u001b[0m: [\u001b[38;5;37m'sh'\u001b[0m, \u001b[38;5;37m'-c'\u001b[0m, \u001b[38;5;37m'kubectl rollout restart deployment/devtron -n devtroncd'\u001b[0m]", + "FirstCause": false, + "LastCause": true + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV016", + "AVDID": "AVD-KSV-0016", + "Title": "Memory requests not specified", + "Description": "When containers have memory requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", + "Message": "Container 'postgresql-migrate-devtron' of Job 'postgresql-migrate-devtron' should set 'resources.requests.memory'", + "Namespace": "builtin.kubernetes.KSV016", + "Query": "data.builtin.kubernetes.KSV016.deny", + "Resolution": "Set 'containers[].resources.requests.memory'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv016", + "References": [ + "https://kubesec.io/basics/containers-resources-limits-memory/", + "https://avd.aquasec.com/misconfig/ksv016" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 10, + "EndLine": 35, + "Code": { + "Lines": [ + { + "Number": 10, + "Content": " - name: postgresql-migrate-devtron", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-migrate-devtron", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 11, + "Content": " image: quay.io/devtron/migrator:6687f572-133-2208", + "IsCause": true, + 
"Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/migrator:6687f572-133-2208", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 12, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 13, + "Content": " - name: GIT_BRANCH", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: GIT_BRANCH", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 14, + "Content": " value: main", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: main", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 15, + "Content": " - name: SCRIPT_LOCATION", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: SCRIPT_LOCATION", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 16, + "Content": " value: scripts/sql/", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: scripts/sql/", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 17, + "Content": " - name: GIT_REPO_URL", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: GIT_REPO_URL", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 18, + "Content": " value: https://github.com/devtron-labs/devtron.git", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: https://github.com/devtron-labs/devtron.git", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 19, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + 
"Type": "Kubernetes Security Check", + "ID": "KSV018", + "AVDID": "AVD-KSV-0018", + "Title": "Memory not limited", + "Description": "Enforcing memory limits prevents DoS via resource exhaustion.", + "Message": "Container 'devtron-rollout' of Job 'postgresql-migrate-casbin' should set 'resources.limits.memory'", + "Namespace": "builtin.kubernetes.KSV018", + "Query": "data.builtin.kubernetes.KSV018.deny", + "Resolution": "Set a limit value under 'containers[].resources.limits.memory'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv018", + "References": [ + "https://kubesec.io/basics/containers-resources-limits-memory/", + "https://avd.aquasec.com/misconfig/ksv018" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 49, + "EndLine": 51, + "Code": { + "Lines": [ + { + "Number": 49, + "Content": " - name: devtron-rollout", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: devtron-rollout", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 50, + "Content": " image: quay.io/bitnami/kubectl:latest", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/bitnami/kubectl:latest", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 51, + "Content": " command: ['sh', '-c', 'kubectl rollout restart deployment/devtron -n devtroncd']", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mcommand\u001b[0m: [\u001b[38;5;37m'sh'\u001b[0m, \u001b[38;5;37m'-c'\u001b[0m, \u001b[38;5;37m'kubectl rollout restart deployment/devtron -n devtroncd'\u001b[0m]", + "FirstCause": false, + "LastCause": true + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV018", + "AVDID": "AVD-KSV-0018", + "Title": "Memory not limited", + "Description": "Enforcing memory limits prevents DoS 
via resource exhaustion.", + "Message": "Container 'postgresql-migrate-casbin' of Job 'postgresql-migrate-casbin' should set 'resources.limits.memory'", + "Namespace": "builtin.kubernetes.KSV018", + "Query": "data.builtin.kubernetes.KSV018.deny", + "Resolution": "Set a limit value under 'containers[].resources.limits.memory'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv018", + "References": [ + "https://kubesec.io/basics/containers-resources-limits-memory/", + "https://avd.aquasec.com/misconfig/ksv018" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 53, + "EndLine": 82, + "Code": { + "Lines": [ + { + "Number": 53, + "Content": " - name: postgresql-migrate-casbin", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-migrate-casbin", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 54, + "Content": " image: quay.io/devtron/migrator:6687f572-133-2208", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/migrator:6687f572-133-2208", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 55, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 56, + "Content": " - name: SCRIPT_LOCATION", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: SCRIPT_LOCATION", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 57, + "Content": " value: scripts/casbin/", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: scripts/casbin/", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 58, + "Content": " - name: 
GIT_REPO_URL", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: GIT_REPO_URL", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 59, + "Content": " value: https://github.com/devtron-labs/devtron.git", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: https://github.com/devtron-labs/devtron.git", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 60, + "Content": " - name: DB_TYPE", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: DB_TYPE", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 61, + "Content": " value: postgres", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: postgres", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 62, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV018", + "AVDID": "AVD-KSV-0018", + "Title": "Memory not limited", + "Description": "Enforcing memory limits prevents DoS via resource exhaustion.", + "Message": "Container 'postgresql-migrate-devtron' of Job 'postgresql-migrate-devtron' should set 'resources.limits.memory'", + "Namespace": "builtin.kubernetes.KSV018", + "Query": "data.builtin.kubernetes.KSV018.deny", + "Resolution": "Set a limit value under 'containers[].resources.limits.memory'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv018", + "References": [ + "https://kubesec.io/basics/containers-resources-limits-memory/", + "https://avd.aquasec.com/misconfig/ksv018" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 10, + "EndLine": 35, + "Code": { + "Lines": [ + { + 
"Number": 10, + "Content": " - name: postgresql-migrate-devtron", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-migrate-devtron", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 11, + "Content": " image: quay.io/devtron/migrator:6687f572-133-2208", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/migrator:6687f572-133-2208", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 12, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 13, + "Content": " - name: GIT_BRANCH", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: GIT_BRANCH", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 14, + "Content": " value: main", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: main", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 15, + "Content": " - name: SCRIPT_LOCATION", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: SCRIPT_LOCATION", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 16, + "Content": " value: scripts/sql/", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: scripts/sql/", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 17, + "Content": " - name: GIT_REPO_URL", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: GIT_REPO_URL", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 18, + "Content": " value: https://github.com/devtron-labs/devtron.git", + 
"IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: https://github.com/devtron-labs/devtron.git", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 19, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV020", + "AVDID": "AVD-KSV-0020", + "Title": "Runs with UID \u003c= 10000", + "Description": "Force the container to run with user ID \u003e 10000 to avoid conflicts with the host’s user table.", + "Message": "Container 'devtron-rollout' of Job 'postgresql-migrate-casbin' should set 'securityContext.runAsUser' \u003e 10000", + "Namespace": "builtin.kubernetes.KSV020", + "Query": "data.builtin.kubernetes.KSV020.deny", + "Resolution": "Set 'containers[].securityContext.runAsUser' to an integer \u003e 10000.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv020", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-runasuser/", + "https://avd.aquasec.com/misconfig/ksv020" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 49, + "EndLine": 51, + "Code": { + "Lines": [ + { + "Number": 49, + "Content": " - name: devtron-rollout", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: devtron-rollout", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 50, + "Content": " image: quay.io/bitnami/kubectl:latest", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/bitnami/kubectl:latest", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 51, + "Content": " command: ['sh', '-c', 'kubectl rollout restart deployment/devtron -n devtroncd']", + "IsCause": true, + "Annotation": "", + "Truncated": 
false, + "Highlighted": " \u001b[38;5;33mcommand\u001b[0m: [\u001b[38;5;37m'sh'\u001b[0m, \u001b[38;5;37m'-c'\u001b[0m, \u001b[38;5;37m'kubectl rollout restart deployment/devtron -n devtroncd'\u001b[0m]", + "FirstCause": false, + "LastCause": true + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV020", + "AVDID": "AVD-KSV-0020", + "Title": "Runs with UID \u003c= 10000", + "Description": "Force the container to run with user ID \u003e 10000 to avoid conflicts with the host’s user table.", + "Message": "Container 'postgresql-migrate-casbin' of Job 'postgresql-migrate-casbin' should set 'securityContext.runAsUser' \u003e 10000", + "Namespace": "builtin.kubernetes.KSV020", + "Query": "data.builtin.kubernetes.KSV020.deny", + "Resolution": "Set 'containers[].securityContext.runAsUser' to an integer \u003e 10000.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv020", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-runasuser/", + "https://avd.aquasec.com/misconfig/ksv020" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 53, + "EndLine": 82, + "Code": { + "Lines": [ + { + "Number": 53, + "Content": " - name: postgresql-migrate-casbin", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-migrate-casbin", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 54, + "Content": " image: quay.io/devtron/migrator:6687f572-133-2208", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/migrator:6687f572-133-2208", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 55, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + 
"Number": 56, + "Content": " - name: SCRIPT_LOCATION", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: SCRIPT_LOCATION", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 57, + "Content": " value: scripts/casbin/", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: scripts/casbin/", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 58, + "Content": " - name: GIT_REPO_URL", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: GIT_REPO_URL", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 59, + "Content": " value: https://github.com/devtron-labs/devtron.git", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: https://github.com/devtron-labs/devtron.git", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 60, + "Content": " - name: DB_TYPE", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: DB_TYPE", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 61, + "Content": " value: postgres", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: postgres", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 62, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV020", + "AVDID": "AVD-KSV-0020", + "Title": "Runs with UID \u003c= 10000", + "Description": "Force the container to run with user ID \u003e 10000 to avoid conflicts with the host’s user table.", + "Message": "Container 'postgresql-migrate-devtron' of Job 'postgresql-migrate-devtron' should set 'securityContext.runAsUser' \u003e 
10000", + "Namespace": "builtin.kubernetes.KSV020", + "Query": "data.builtin.kubernetes.KSV020.deny", + "Resolution": "Set 'containers[].securityContext.runAsUser' to an integer \u003e 10000.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv020", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-runasuser/", + "https://avd.aquasec.com/misconfig/ksv020" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 10, + "EndLine": 35, + "Code": { + "Lines": [ + { + "Number": 10, + "Content": " - name: postgresql-migrate-devtron", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-migrate-devtron", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 11, + "Content": " image: quay.io/devtron/migrator:6687f572-133-2208", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/migrator:6687f572-133-2208", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 12, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 13, + "Content": " - name: GIT_BRANCH", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: GIT_BRANCH", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 14, + "Content": " value: main", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: main", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 15, + "Content": " - name: SCRIPT_LOCATION", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: SCRIPT_LOCATION", + "FirstCause": false, + 
"LastCause": false + }, + { + "Number": 16, + "Content": " value: scripts/sql/", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: scripts/sql/", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 17, + "Content": " - name: GIT_REPO_URL", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: GIT_REPO_URL", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 18, + "Content": " value: https://github.com/devtron-labs/devtron.git", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: https://github.com/devtron-labs/devtron.git", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 19, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV021", + "AVDID": "AVD-KSV-0021", + "Title": "Runs with GID \u003c= 10000", + "Description": "Force the container to run with group ID \u003e 10000 to avoid conflicts with the host’s user table.", + "Message": "Container 'devtron-rollout' of Job 'postgresql-migrate-casbin' should set 'securityContext.runAsGroup' \u003e 10000", + "Namespace": "builtin.kubernetes.KSV021", + "Query": "data.builtin.kubernetes.KSV021.deny", + "Resolution": "Set 'containers[].securityContext.runAsGroup' to an integer \u003e 10000.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv021", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-runasuser/", + "https://avd.aquasec.com/misconfig/ksv021" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 49, + "EndLine": 51, + "Code": { + "Lines": [ + { + "Number": 49, + "Content": " - name: devtron-rollout", + "IsCause": true, + "Annotation": 
"", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: devtron-rollout", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 50, + "Content": " image: quay.io/bitnami/kubectl:latest", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/bitnami/kubectl:latest", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 51, + "Content": " command: ['sh', '-c', 'kubectl rollout restart deployment/devtron -n devtroncd']", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mcommand\u001b[0m: [\u001b[38;5;37m'sh'\u001b[0m, \u001b[38;5;37m'-c'\u001b[0m, \u001b[38;5;37m'kubectl rollout restart deployment/devtron -n devtroncd'\u001b[0m]", + "FirstCause": false, + "LastCause": true + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV021", + "AVDID": "AVD-KSV-0021", + "Title": "Runs with GID \u003c= 10000", + "Description": "Force the container to run with group ID \u003e 10000 to avoid conflicts with the host’s user table.", + "Message": "Container 'postgresql-migrate-casbin' of Job 'postgresql-migrate-casbin' should set 'securityContext.runAsGroup' \u003e 10000", + "Namespace": "builtin.kubernetes.KSV021", + "Query": "data.builtin.kubernetes.KSV021.deny", + "Resolution": "Set 'containers[].securityContext.runAsGroup' to an integer \u003e 10000.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv021", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-runasuser/", + "https://avd.aquasec.com/misconfig/ksv021" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 53, + "EndLine": 82, + "Code": { + "Lines": [ + { + "Number": 53, + "Content": " - name: postgresql-migrate-casbin", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - 
\u001b[38;5;33mname\u001b[0m: postgresql-migrate-casbin", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 54, + "Content": " image: quay.io/devtron/migrator:6687f572-133-2208", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/migrator:6687f572-133-2208", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 55, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 56, + "Content": " - name: SCRIPT_LOCATION", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: SCRIPT_LOCATION", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 57, + "Content": " value: scripts/casbin/", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: scripts/casbin/", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 58, + "Content": " - name: GIT_REPO_URL", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: GIT_REPO_URL", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 59, + "Content": " value: https://github.com/devtron-labs/devtron.git", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: https://github.com/devtron-labs/devtron.git", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 60, + "Content": " - name: DB_TYPE", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: DB_TYPE", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 61, + "Content": " value: postgres", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: 
postgres", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 62, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV021", + "AVDID": "AVD-KSV-0021", + "Title": "Runs with GID \u003c= 10000", + "Description": "Force the container to run with group ID \u003e 10000 to avoid conflicts with the host’s user table.", + "Message": "Container 'postgresql-migrate-devtron' of Job 'postgresql-migrate-devtron' should set 'securityContext.runAsGroup' \u003e 10000", + "Namespace": "builtin.kubernetes.KSV021", + "Query": "data.builtin.kubernetes.KSV021.deny", + "Resolution": "Set 'containers[].securityContext.runAsGroup' to an integer \u003e 10000.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv021", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-runasuser/", + "https://avd.aquasec.com/misconfig/ksv021" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 10, + "EndLine": 35, + "Code": { + "Lines": [ + { + "Number": 10, + "Content": " - name: postgresql-migrate-devtron", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-migrate-devtron", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 11, + "Content": " image: quay.io/devtron/migrator:6687f572-133-2208", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/migrator:6687f572-133-2208", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 12, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 13, + "Content": " - name: 
GIT_BRANCH", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: GIT_BRANCH", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 14, + "Content": " value: main", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: main", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 15, + "Content": " - name: SCRIPT_LOCATION", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: SCRIPT_LOCATION", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 16, + "Content": " value: scripts/sql/", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: scripts/sql/", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 17, + "Content": " - name: GIT_REPO_URL", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: GIT_REPO_URL", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 18, + "Content": " value: https://github.com/devtron-labs/devtron.git", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: https://github.com/devtron-labs/devtron.git", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 19, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV030", + "AVDID": "AVD-KSV-0030", + "Title": "Runtime/Default Seccomp profile not set", + "Description": "According to pod security standard 'Seccomp', the RuntimeDefault seccomp profile must be required, or allow specific additional profiles.", + "Message": "Either Pod or Container should set 'securityContext.seccompProfile.type' to 'RuntimeDefault'", + "Namespace": 
"builtin.kubernetes.KSV030", + "Query": "data.builtin.kubernetes.KSV030.deny", + "Resolution": "Set 'spec.securityContext.seccompProfile.type', 'spec.containers[*].securityContext.seccompProfile' and 'spec.initContainers[*].securityContext.seccompProfile' to 'RuntimeDefault' or undefined.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv030", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", + "https://avd.aquasec.com/misconfig/ksv030" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 53, + "EndLine": 82, + "Code": { + "Lines": [ + { + "Number": 53, + "Content": " - name: postgresql-migrate-casbin", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-migrate-casbin", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 54, + "Content": " image: quay.io/devtron/migrator:6687f572-133-2208", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/migrator:6687f572-133-2208", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 55, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 56, + "Content": " - name: SCRIPT_LOCATION", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: SCRIPT_LOCATION", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 57, + "Content": " value: scripts/casbin/", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: scripts/casbin/", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 58, + "Content": " - name: GIT_REPO_URL", + "IsCause": 
true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: GIT_REPO_URL", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 59, + "Content": " value: https://github.com/devtron-labs/devtron.git", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: https://github.com/devtron-labs/devtron.git", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 60, + "Content": " - name: DB_TYPE", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: DB_TYPE", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 61, + "Content": " value: postgres", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: postgres", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 62, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV030", + "AVDID": "AVD-KSV-0030", + "Title": "Runtime/Default Seccomp profile not set", + "Description": "According to pod security standard 'Seccomp', the RuntimeDefault seccomp profile must be required, or allow specific additional profiles.", + "Message": "Either Pod or Container should set 'securityContext.seccompProfile.type' to 'RuntimeDefault'", + "Namespace": "builtin.kubernetes.KSV030", + "Query": "data.builtin.kubernetes.KSV030.deny", + "Resolution": "Set 'spec.securityContext.seccompProfile.type', 'spec.containers[*].securityContext.seccompProfile' and 'spec.initContainers[*].securityContext.seccompProfile' to 'RuntimeDefault' or undefined.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv030", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", + 
"https://avd.aquasec.com/misconfig/ksv030" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 49, + "EndLine": 51, + "Code": { + "Lines": [ + { + "Number": 49, + "Content": " - name: devtron-rollout", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: devtron-rollout", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 50, + "Content": " image: quay.io/bitnami/kubectl:latest", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/bitnami/kubectl:latest", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 51, + "Content": " command: ['sh', '-c', 'kubectl rollout restart deployment/devtron -n devtroncd']", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mcommand\u001b[0m: [\u001b[38;5;37m'sh'\u001b[0m, \u001b[38;5;37m'-c'\u001b[0m, \u001b[38;5;37m'kubectl rollout restart deployment/devtron -n devtroncd'\u001b[0m]", + "FirstCause": false, + "LastCause": true + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV030", + "AVDID": "AVD-KSV-0030", + "Title": "Runtime/Default Seccomp profile not set", + "Description": "According to pod security standard 'Seccomp', the RuntimeDefault seccomp profile must be required, or allow specific additional profiles.", + "Message": "Either Pod or Container should set 'securityContext.seccompProfile.type' to 'RuntimeDefault'", + "Namespace": "builtin.kubernetes.KSV030", + "Query": "data.builtin.kubernetes.KSV030.deny", + "Resolution": "Set 'spec.securityContext.seccompProfile.type', 'spec.containers[*].securityContext.seccompProfile' and 'spec.initContainers[*].securityContext.seccompProfile' to 'RuntimeDefault' or undefined.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv030", + "References": [ + 
"https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", + "https://avd.aquasec.com/misconfig/ksv030" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 10, + "EndLine": 35, + "Code": { + "Lines": [ + { + "Number": 10, + "Content": " - name: postgresql-migrate-devtron", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-migrate-devtron", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 11, + "Content": " image: quay.io/devtron/migrator:6687f572-133-2208", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/migrator:6687f572-133-2208", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 12, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 13, + "Content": " - name: GIT_BRANCH", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: GIT_BRANCH", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 14, + "Content": " value: main", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: main", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 15, + "Content": " - name: SCRIPT_LOCATION", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: SCRIPT_LOCATION", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 16, + "Content": " value: scripts/sql/", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: scripts/sql/", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 17, + 
"Content": " - name: GIT_REPO_URL", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: GIT_REPO_URL", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 18, + "Content": " value: https://github.com/devtron-labs/devtron.git", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: https://github.com/devtron-labs/devtron.git", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 19, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV104", + "AVDID": "AVD-KSV-0104", + "Title": "Seccomp policies disabled", + "Description": "A program inside the container can bypass Seccomp protection policies.", + "Message": "container \"devtron-rollout\" of job \"postgresql-migrate-casbin\" in \"default\" namespace should specify a seccomp profile", + "Namespace": "builtin.kubernetes.KSV104", + "Query": "data.builtin.kubernetes.KSV104.deny", + "Resolution": "Specify seccomp either by annotation or by seccomp profile type having allowed values as per pod security standards", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv104", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline", + "https://avd.aquasec.com/misconfig/ksv104" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 39, + "EndLine": 39, + "Code": { + "Lines": [ + { + "Number": 39, + "Content": "---", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m---", + "FirstCause": true, + "LastCause": true + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV104", + "AVDID": "AVD-KSV-0104", + "Title": "Seccomp policies disabled", + 
"Description": "A program inside the container can bypass Seccomp protection policies.", + "Message": "container \"postgresql-migrate-casbin\" of job \"postgresql-migrate-casbin\" in \"default\" namespace should specify a seccomp profile", + "Namespace": "builtin.kubernetes.KSV104", + "Query": "data.builtin.kubernetes.KSV104.deny", + "Resolution": "Specify seccomp either by annotation or by seccomp profile type having allowed values as per pod security standards", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv104", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline", + "https://avd.aquasec.com/misconfig/ksv104" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 39, + "EndLine": 39, + "Code": { + "Lines": [ + { + "Number": 39, + "Content": "---", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m---", + "FirstCause": true, + "LastCause": true + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV104", + "AVDID": "AVD-KSV-0104", + "Title": "Seccomp policies disabled", + "Description": "A program inside the container can bypass Seccomp protection policies.", + "Message": "container \"postgresql-migrate-devtron\" of job \"postgresql-migrate-devtron\" in \"default\" namespace should specify a seccomp profile", + "Namespace": "builtin.kubernetes.KSV104", + "Query": "data.builtin.kubernetes.KSV104.deny", + "Resolution": "Specify seccomp either by annotation or by seccomp profile type having allowed values as per pod security standards", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv104", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline", + "https://avd.aquasec.com/misconfig/ksv104" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + 
"Service": "general", + "Code": { + "Lines": null + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV106", + "AVDID": "AVD-KSV-0106", + "Title": "Container capabilities must only include NET_BIND_SERVICE", + "Description": "Containers must drop ALL capabilities, and are only permitted to add back the NET_BIND_SERVICE capability.", + "Message": "container should drop all", + "Namespace": "builtin.kubernetes.KSV106", + "Query": "data.builtin.kubernetes.KSV106.deny", + "Resolution": "Set 'spec.containers[*].securityContext.capabilities.drop' to 'ALL' and only add 'NET_BIND_SERVICE' to 'spec.containers[*].securityContext.capabilities.add'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv106", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", + "https://avd.aquasec.com/misconfig/ksv106" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 53, + "EndLine": 82, + "Code": { + "Lines": [ + { + "Number": 53, + "Content": " - name: postgresql-migrate-casbin", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-migrate-casbin", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 54, + "Content": " image: quay.io/devtron/migrator:6687f572-133-2208", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/migrator:6687f572-133-2208", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 55, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 56, + "Content": " - name: SCRIPT_LOCATION", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: 
SCRIPT_LOCATION", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 57, + "Content": " value: scripts/casbin/", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: scripts/casbin/", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 58, + "Content": " - name: GIT_REPO_URL", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: GIT_REPO_URL", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 59, + "Content": " value: https://github.com/devtron-labs/devtron.git", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: https://github.com/devtron-labs/devtron.git", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 60, + "Content": " - name: DB_TYPE", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: DB_TYPE", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 61, + "Content": " value: postgres", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: postgres", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 62, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV106", + "AVDID": "AVD-KSV-0106", + "Title": "Container capabilities must only include NET_BIND_SERVICE", + "Description": "Containers must drop ALL capabilities, and are only permitted to add back the NET_BIND_SERVICE capability.", + "Message": "container should drop all", + "Namespace": "builtin.kubernetes.KSV106", + "Query": "data.builtin.kubernetes.KSV106.deny", + "Resolution": "Set 'spec.containers[*].securityContext.capabilities.drop' to 'ALL' and only add 'NET_BIND_SERVICE' to 
'spec.containers[*].securityContext.capabilities.add'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv106", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", + "https://avd.aquasec.com/misconfig/ksv106" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 49, + "EndLine": 51, + "Code": { + "Lines": [ + { + "Number": 49, + "Content": " - name: devtron-rollout", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: devtron-rollout", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 50, + "Content": " image: quay.io/bitnami/kubectl:latest", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/bitnami/kubectl:latest", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 51, + "Content": " command: ['sh', '-c', 'kubectl rollout restart deployment/devtron -n devtroncd']", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mcommand\u001b[0m: [\u001b[38;5;37m'sh'\u001b[0m, \u001b[38;5;37m'-c'\u001b[0m, \u001b[38;5;37m'kubectl rollout restart deployment/devtron -n devtroncd'\u001b[0m]", + "FirstCause": false, + "LastCause": true + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV106", + "AVDID": "AVD-KSV-0106", + "Title": "Container capabilities must only include NET_BIND_SERVICE", + "Description": "Containers must drop ALL capabilities, and are only permitted to add back the NET_BIND_SERVICE capability.", + "Message": "container should drop all", + "Namespace": "builtin.kubernetes.KSV106", + "Query": "data.builtin.kubernetes.KSV106.deny", + "Resolution": "Set 'spec.containers[*].securityContext.capabilities.drop' to 'ALL' and only add 'NET_BIND_SERVICE' to 
'spec.containers[*].securityContext.capabilities.add'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv106", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", + "https://avd.aquasec.com/misconfig/ksv106" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 10, + "EndLine": 35, + "Code": { + "Lines": [ + { + "Number": 10, + "Content": " - name: postgresql-migrate-devtron", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-migrate-devtron", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 11, + "Content": " image: quay.io/devtron/migrator:6687f572-133-2208", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/migrator:6687f572-133-2208", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 12, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 13, + "Content": " - name: GIT_BRANCH", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: GIT_BRANCH", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 14, + "Content": " value: main", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: main", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 15, + "Content": " - name: SCRIPT_LOCATION", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: SCRIPT_LOCATION", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 16, + "Content": " value: scripts/sql/", + "IsCause": true, + "Annotation": "", + 
"Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: scripts/sql/", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 17, + "Content": " - name: GIT_REPO_URL", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: GIT_REPO_URL", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 18, + "Content": " value: https://github.com/devtron-labs/devtron.git", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: https://github.com/devtron-labs/devtron.git", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 19, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + } + ] + }, + { + "Target": "manifests/hyperion/postgresql.yaml", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 153, + "Failures": 41, + "Exceptions": 0 + }, + "Misconfigurations": [ + { + "Type": "Kubernetes Security Check", + "ID": "KSV001", + "AVDID": "AVD-KSV-0001", + "Title": "Can elevate its own privileges", + "Description": "A program inside the container can elevate its own privileges and run as root, which might give the program control over the container and node.", + "Message": "Container 'init-chmod-data' of StatefulSet 'postgresql-postgresql' should set 'securityContext.allowPrivilegeEscalation' to false", + "Namespace": "builtin.kubernetes.KSV001", + "Query": "data.builtin.kubernetes.KSV001.deny", + "Resolution": "Set 'set containers[].securityContext.allowPrivilegeEscalation' to 'false'.", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv001", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", + "https://avd.aquasec.com/misconfig/ksv001" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + 
"Service": "general", + "StartLine": 122, + "EndLine": 143, + "Code": { + "Lines": [ + { + "Number": 122, + "Content": " - name: init-chmod-data", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: init-chmod-data", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 123, + "Content": " image: \"quay.io/bitnami/minideb:latest\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/bitnami/minideb:latest\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 124, + "Content": " imagePullPolicy: \"IfNotPresent\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: \u001b[38;5;37m\"IfNotPresent\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 125, + "Content": " command:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mcommand\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 126, + "Content": " - /bin/sh", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - /bin/sh", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 127, + "Content": " - -cx", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - -cx", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 128, + "Content": " - |", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - |", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 129, + "Content": " ", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[38;5;37m ", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 130, + "Content": " mkdir -p /bitnami/postgresql/data", + "IsCause": true, + "Annotation": "", + "Truncated": false, + 
"Highlighted": " mkdir -p /bitnami/postgresql/data", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 131, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV001", + "AVDID": "AVD-KSV-0001", + "Title": "Can elevate its own privileges", + "Description": "A program inside the container can elevate its own privileges and run as root, which might give the program control over the container and node.", + "Message": "Container 'metrics' of StatefulSet 'postgresql-postgresql' should set 'securityContext.allowPrivilegeEscalation' to false", + "Namespace": "builtin.kubernetes.KSV001", + "Query": "data.builtin.kubernetes.KSV001.deny", + "Resolution": "Set 'set containers[].securityContext.allowPrivilegeEscalation' to 'false'.", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv001", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", + "https://avd.aquasec.com/misconfig/ksv001" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 210, + "EndLine": 244, + "Code": { + "Lines": [ + { + "Number": 210, + "Content": " - name: metrics", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: metrics", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 211, + "Content": " image: quay.io/devtron/postgres_exporter:v0.4.7", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/postgres_exporter:v0.4.7", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 212, + "Content": " imagePullPolicy: \"IfNotPresent\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " 
\u001b[38;5;33mimagePullPolicy\u001b[0m: \u001b[38;5;37m\"IfNotPresent\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 213, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 214, + "Content": " - name: DATA_SOURCE_URI", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: DATA_SOURCE_URI", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 215, + "Content": " value: \"127.0.0.1:5432/orchestrator?sslmode=disable\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: \u001b[38;5;37m\"127.0.0.1:5432/orchestrator?sslmode=disable\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 216, + "Content": " - name: DATA_SOURCE_PASS", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: DATA_SOURCE_PASS", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 217, + "Content": " valueFrom:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalueFrom\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 218, + "Content": " secretKeyRef:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33msecretKeyRef\u001b[0m:", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 219, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV001", + "AVDID": "AVD-KSV-0001", + "Title": "Can elevate its own privileges", + "Description": "A program inside the container can elevate its own privileges and run as root, which might give the 
program control over the container and node.", + "Message": "Container 'postgresql-postgresql' of StatefulSet 'postgresql-postgresql' should set 'securityContext.allowPrivilegeEscalation' to false", + "Namespace": "builtin.kubernetes.KSV001", + "Query": "data.builtin.kubernetes.KSV001.deny", + "Resolution": "Set 'set containers[].securityContext.allowPrivilegeEscalation' to 'false'.", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv001", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", + "https://avd.aquasec.com/misconfig/ksv001" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 149, + "EndLine": 208, + "Code": { + "Lines": [ + { + "Number": 149, + "Content": " - name: postgresql-postgresql", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-postgresql", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 150, + "Content": " image: quay.io/bitnami/postgresql:11.3.0-debian-9-r28", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/bitnami/postgresql:11.3.0-debian-9-r28", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 151, + "Content": " imagePullPolicy: \"IfNotPresent\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: \u001b[38;5;37m\"IfNotPresent\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 152, + "Content": " securityContext:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33msecurityContext\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 153, + "Content": " runAsUser: 1001", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " 
\u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1001", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 154, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 155, + "Content": " - name: BITNAMI_DEBUG", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: BITNAMI_DEBUG", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 156, + "Content": " value: \"false\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: \u001b[38;5;37m\"false\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 157, + "Content": " - name: POSTGRESQL_PORT_NUMBER", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: POSTGRESQL_PORT_NUMBER", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 158, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV003", + "AVDID": "AVD-KSV-0003", + "Title": "Default capabilities: some containers do not drop all", + "Description": "The container should drop all default capabilities and add only those that are needed for its execution.", + "Message": "Container 'init-chmod-data' of StatefulSet 'postgresql-postgresql' should add 'ALL' to 'securityContext.capabilities.drop'", + "Namespace": "builtin.kubernetes.KSV003", + "Query": "data.builtin.kubernetes.KSV003.deny", + "Resolution": "Add 'ALL' to containers[].securityContext.capabilities.drop.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv003", + "References": [ + 
"https://kubesec.io/basics/containers-securitycontext-capabilities-drop-index-all/", + "https://avd.aquasec.com/misconfig/ksv003" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 122, + "EndLine": 143, + "Code": { + "Lines": [ + { + "Number": 122, + "Content": " - name: init-chmod-data", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: init-chmod-data", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 123, + "Content": " image: \"quay.io/bitnami/minideb:latest\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/bitnami/minideb:latest\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 124, + "Content": " imagePullPolicy: \"IfNotPresent\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: \u001b[38;5;37m\"IfNotPresent\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 125, + "Content": " command:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mcommand\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 126, + "Content": " - /bin/sh", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - /bin/sh", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 127, + "Content": " - -cx", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - -cx", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 128, + "Content": " - |", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - |", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 129, + "Content": " ", + "IsCause": true, + "Annotation": "", + "Truncated": false, + 
"Highlighted": "\u001b[38;5;37m ", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 130, + "Content": " mkdir -p /bitnami/postgresql/data", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " mkdir -p /bitnami/postgresql/data", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 131, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV003", + "AVDID": "AVD-KSV-0003", + "Title": "Default capabilities: some containers do not drop all", + "Description": "The container should drop all default capabilities and add only those that are needed for its execution.", + "Message": "Container 'metrics' of StatefulSet 'postgresql-postgresql' should add 'ALL' to 'securityContext.capabilities.drop'", + "Namespace": "builtin.kubernetes.KSV003", + "Query": "data.builtin.kubernetes.KSV003.deny", + "Resolution": "Add 'ALL' to containers[].securityContext.capabilities.drop.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv003", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-capabilities-drop-index-all/", + "https://avd.aquasec.com/misconfig/ksv003" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 210, + "EndLine": 244, + "Code": { + "Lines": [ + { + "Number": 210, + "Content": " - name: metrics", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: metrics", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 211, + "Content": " image: quay.io/devtron/postgres_exporter:v0.4.7", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/postgres_exporter:v0.4.7", + "FirstCause": false, + "LastCause": false + }, + { + 
"Number": 212, + "Content": " imagePullPolicy: \"IfNotPresent\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: \u001b[38;5;37m\"IfNotPresent\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 213, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 214, + "Content": " - name: DATA_SOURCE_URI", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: DATA_SOURCE_URI", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 215, + "Content": " value: \"127.0.0.1:5432/orchestrator?sslmode=disable\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: \u001b[38;5;37m\"127.0.0.1:5432/orchestrator?sslmode=disable\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 216, + "Content": " - name: DATA_SOURCE_PASS", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: DATA_SOURCE_PASS", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 217, + "Content": " valueFrom:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalueFrom\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 218, + "Content": " secretKeyRef:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33msecretKeyRef\u001b[0m:", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 219, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV003", + "AVDID": "AVD-KSV-0003", + "Title": "Default 
capabilities: some containers do not drop all", + "Description": "The container should drop all default capabilities and add only those that are needed for its execution.", + "Message": "Container 'postgresql-postgresql' of StatefulSet 'postgresql-postgresql' should add 'ALL' to 'securityContext.capabilities.drop'", + "Namespace": "builtin.kubernetes.KSV003", + "Query": "data.builtin.kubernetes.KSV003.deny", + "Resolution": "Add 'ALL' to containers[].securityContext.capabilities.drop.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv003", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-capabilities-drop-index-all/", + "https://avd.aquasec.com/misconfig/ksv003" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 149, + "EndLine": 208, + "Code": { + "Lines": [ + { + "Number": 149, + "Content": " - name: postgresql-postgresql", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-postgresql", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 150, + "Content": " image: quay.io/bitnami/postgresql:11.3.0-debian-9-r28", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/bitnami/postgresql:11.3.0-debian-9-r28", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 151, + "Content": " imagePullPolicy: \"IfNotPresent\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: \u001b[38;5;37m\"IfNotPresent\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 152, + "Content": " securityContext:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33msecurityContext\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 153, + "Content": " 
runAsUser: 1001", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1001", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 154, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 155, + "Content": " - name: BITNAMI_DEBUG", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: BITNAMI_DEBUG", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 156, + "Content": " value: \"false\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: \u001b[38;5;37m\"false\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 157, + "Content": " - name: POSTGRESQL_PORT_NUMBER", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: POSTGRESQL_PORT_NUMBER", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 158, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV011", + "AVDID": "AVD-KSV-0011", + "Title": "CPU not limited", + "Description": "Enforcing CPU limits prevents DoS via resource exhaustion.", + "Message": "Container 'init-chmod-data' of StatefulSet 'postgresql-postgresql' should set 'resources.limits.cpu'", + "Namespace": "builtin.kubernetes.KSV011", + "Query": "data.builtin.kubernetes.KSV011.deny", + "Resolution": "Set a limit value under 'containers[].resources.limits.cpu'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv011", + "References": [ + 
"https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", + "https://avd.aquasec.com/misconfig/ksv011" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 122, + "EndLine": 143, + "Code": { + "Lines": [ + { + "Number": 122, + "Content": " - name: init-chmod-data", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: init-chmod-data", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 123, + "Content": " image: \"quay.io/bitnami/minideb:latest\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/bitnami/minideb:latest\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 124, + "Content": " imagePullPolicy: \"IfNotPresent\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: \u001b[38;5;37m\"IfNotPresent\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 125, + "Content": " command:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mcommand\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 126, + "Content": " - /bin/sh", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - /bin/sh", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 127, + "Content": " - -cx", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - -cx", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 128, + "Content": " - |", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - |", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 129, + "Content": " ", + "IsCause": true, + "Annotation": 
"", + "Truncated": false, + "Highlighted": "\u001b[38;5;37m ", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 130, + "Content": " mkdir -p /bitnami/postgresql/data", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " mkdir -p /bitnami/postgresql/data", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 131, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV011", + "AVDID": "AVD-KSV-0011", + "Title": "CPU not limited", + "Description": "Enforcing CPU limits prevents DoS via resource exhaustion.", + "Message": "Container 'metrics' of StatefulSet 'postgresql-postgresql' should set 'resources.limits.cpu'", + "Namespace": "builtin.kubernetes.KSV011", + "Query": "data.builtin.kubernetes.KSV011.deny", + "Resolution": "Set a limit value under 'containers[].resources.limits.cpu'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv011", + "References": [ + "https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", + "https://avd.aquasec.com/misconfig/ksv011" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 210, + "EndLine": 244, + "Code": { + "Lines": [ + { + "Number": 210, + "Content": " - name: metrics", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: metrics", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 211, + "Content": " image: quay.io/devtron/postgres_exporter:v0.4.7", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/postgres_exporter:v0.4.7", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 212, + "Content": " imagePullPolicy: 
\"IfNotPresent\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: \u001b[38;5;37m\"IfNotPresent\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 213, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 214, + "Content": " - name: DATA_SOURCE_URI", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: DATA_SOURCE_URI", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 215, + "Content": " value: \"127.0.0.1:5432/orchestrator?sslmode=disable\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: \u001b[38;5;37m\"127.0.0.1:5432/orchestrator?sslmode=disable\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 216, + "Content": " - name: DATA_SOURCE_PASS", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: DATA_SOURCE_PASS", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 217, + "Content": " valueFrom:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalueFrom\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 218, + "Content": " secretKeyRef:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33msecretKeyRef\u001b[0m:", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 219, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV011", + "AVDID": "AVD-KSV-0011", + "Title": "CPU not limited", + "Description": "Enforcing CPU 
limits prevents DoS via resource exhaustion.", + "Message": "Container 'postgresql-postgresql' of StatefulSet 'postgresql-postgresql' should set 'resources.limits.cpu'", + "Namespace": "builtin.kubernetes.KSV011", + "Query": "data.builtin.kubernetes.KSV011.deny", + "Resolution": "Set a limit value under 'containers[].resources.limits.cpu'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv011", + "References": [ + "https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", + "https://avd.aquasec.com/misconfig/ksv011" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 149, + "EndLine": 208, + "Code": { + "Lines": [ + { + "Number": 149, + "Content": " - name: postgresql-postgresql", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-postgresql", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 150, + "Content": " image: quay.io/bitnami/postgresql:11.3.0-debian-9-r28", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/bitnami/postgresql:11.3.0-debian-9-r28", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 151, + "Content": " imagePullPolicy: \"IfNotPresent\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: \u001b[38;5;37m\"IfNotPresent\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 152, + "Content": " securityContext:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33msecurityContext\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 153, + "Content": " runAsUser: 1001", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " 
\u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1001", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 154, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 155, + "Content": " - name: BITNAMI_DEBUG", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: BITNAMI_DEBUG", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 156, + "Content": " value: \"false\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: \u001b[38;5;37m\"false\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 157, + "Content": " - name: POSTGRESQL_PORT_NUMBER", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: POSTGRESQL_PORT_NUMBER", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 158, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV012", + "AVDID": "AVD-KSV-0012", + "Title": "Runs as root user", + "Description": "Force the running image to run as a non-root user to ensure least privileges.", + "Message": "Container 'init-chmod-data' of StatefulSet 'postgresql-postgresql' should set 'securityContext.runAsNonRoot' to true", + "Namespace": "builtin.kubernetes.KSV012", + "Query": "data.builtin.kubernetes.KSV012.deny", + "Resolution": "Set 'containers[].securityContext.runAsNonRoot' to true.", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv012", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", + "https://avd.aquasec.com/misconfig/ksv012" + ], + "Status": 
"FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 122, + "EndLine": 143, + "Code": { + "Lines": [ + { + "Number": 122, + "Content": " - name: init-chmod-data", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: init-chmod-data", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 123, + "Content": " image: \"quay.io/bitnami/minideb:latest\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/bitnami/minideb:latest\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 124, + "Content": " imagePullPolicy: \"IfNotPresent\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: \u001b[38;5;37m\"IfNotPresent\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 125, + "Content": " command:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mcommand\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 126, + "Content": " - /bin/sh", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - /bin/sh", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 127, + "Content": " - -cx", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - -cx", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 128, + "Content": " - |", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - |", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 129, + "Content": " ", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[38;5;37m ", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 130, + "Content": " mkdir -p 
/bitnami/postgresql/data", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " mkdir -p /bitnami/postgresql/data", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 131, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV012", + "AVDID": "AVD-KSV-0012", + "Title": "Runs as root user", + "Description": "Force the running image to run as a non-root user to ensure least privileges.", + "Message": "Container 'metrics' of StatefulSet 'postgresql-postgresql' should set 'securityContext.runAsNonRoot' to true", + "Namespace": "builtin.kubernetes.KSV012", + "Query": "data.builtin.kubernetes.KSV012.deny", + "Resolution": "Set 'containers[].securityContext.runAsNonRoot' to true.", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv012", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", + "https://avd.aquasec.com/misconfig/ksv012" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 210, + "EndLine": 244, + "Code": { + "Lines": [ + { + "Number": 210, + "Content": " - name: metrics", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: metrics", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 211, + "Content": " image: quay.io/devtron/postgres_exporter:v0.4.7", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/postgres_exporter:v0.4.7", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 212, + "Content": " imagePullPolicy: \"IfNotPresent\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: 
\u001b[38;5;37m\"IfNotPresent\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 213, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 214, + "Content": " - name: DATA_SOURCE_URI", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: DATA_SOURCE_URI", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 215, + "Content": " value: \"127.0.0.1:5432/orchestrator?sslmode=disable\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: \u001b[38;5;37m\"127.0.0.1:5432/orchestrator?sslmode=disable\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 216, + "Content": " - name: DATA_SOURCE_PASS", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: DATA_SOURCE_PASS", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 217, + "Content": " valueFrom:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalueFrom\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 218, + "Content": " secretKeyRef:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33msecretKeyRef\u001b[0m:", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 219, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV012", + "AVDID": "AVD-KSV-0012", + "Title": "Runs as root user", + "Description": "Force the running image to run as a non-root user to ensure least privileges.", + "Message": "Container 'postgresql-postgresql' of StatefulSet 
'postgresql-postgresql' should set 'securityContext.runAsNonRoot' to true", + "Namespace": "builtin.kubernetes.KSV012", + "Query": "data.builtin.kubernetes.KSV012.deny", + "Resolution": "Set 'containers[].securityContext.runAsNonRoot' to true.", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv012", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", + "https://avd.aquasec.com/misconfig/ksv012" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 149, + "EndLine": 208, + "Code": { + "Lines": [ + { + "Number": 149, + "Content": " - name: postgresql-postgresql", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-postgresql", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 150, + "Content": " image: quay.io/bitnami/postgresql:11.3.0-debian-9-r28", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/bitnami/postgresql:11.3.0-debian-9-r28", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 151, + "Content": " imagePullPolicy: \"IfNotPresent\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: \u001b[38;5;37m\"IfNotPresent\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 152, + "Content": " securityContext:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33msecurityContext\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 153, + "Content": " runAsUser: 1001", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1001", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 154, + "Content": " 
env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 155, + "Content": " - name: BITNAMI_DEBUG", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: BITNAMI_DEBUG", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 156, + "Content": " value: \"false\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: \u001b[38;5;37m\"false\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 157, + "Content": " - name: POSTGRESQL_PORT_NUMBER", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: POSTGRESQL_PORT_NUMBER", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 158, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV013", + "AVDID": "AVD-KSV-0013", + "Title": "Image tag \":latest\" used", + "Description": "It is best to avoid using the ':latest' image tag when deploying containers in production. 
Doing so makes it hard to track which version of the image is running, and hard to roll back the version.", + "Message": "Container 'init-chmod-data' of StatefulSet 'postgresql-postgresql' should specify an image tag", + "Namespace": "builtin.kubernetes.KSV013", + "Query": "data.builtin.kubernetes.KSV013.deny", + "Resolution": "Use a specific container image tag that is not 'latest'.", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv013", + "References": [ + "https://kubernetes.io/docs/concepts/configuration/overview/#container-images", + "https://avd.aquasec.com/misconfig/ksv013" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 122, + "EndLine": 143, + "Code": { + "Lines": [ + { + "Number": 122, + "Content": " - name: init-chmod-data", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: init-chmod-data", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 123, + "Content": " image: \"quay.io/bitnami/minideb:latest\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/bitnami/minideb:latest\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 124, + "Content": " imagePullPolicy: \"IfNotPresent\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: \u001b[38;5;37m\"IfNotPresent\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 125, + "Content": " command:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mcommand\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 126, + "Content": " - /bin/sh", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - /bin/sh", + "FirstCause": false, + 
"LastCause": false + }, + { + "Number": 127, + "Content": " - -cx", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - -cx", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 128, + "Content": " - |", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - |", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 129, + "Content": " ", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[38;5;37m ", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 130, + "Content": " mkdir -p /bitnami/postgresql/data", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " mkdir -p /bitnami/postgresql/data", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 131, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV014", + "AVDID": "AVD-KSV-0014", + "Title": "Root file system is not read-only", + "Description": "An immutable root file system prevents applications from writing to their local disk. 
This can limit intrusions, as attackers will not be able to tamper with the file system or write foreign executables to disk.", + "Message": "Container 'init-chmod-data' of StatefulSet 'postgresql-postgresql' should set 'securityContext.readOnlyRootFilesystem' to true", + "Namespace": "builtin.kubernetes.KSV014", + "Query": "data.builtin.kubernetes.KSV014.deny", + "Resolution": "Change 'containers[].securityContext.readOnlyRootFilesystem' to 'true'.", + "Severity": "HIGH", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv014", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-readonlyrootfilesystem-true/", + "https://avd.aquasec.com/misconfig/ksv014" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 122, + "EndLine": 143, + "Code": { + "Lines": [ + { + "Number": 122, + "Content": " - name: init-chmod-data", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: init-chmod-data", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 123, + "Content": " image: \"quay.io/bitnami/minideb:latest\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/bitnami/minideb:latest\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 124, + "Content": " imagePullPolicy: \"IfNotPresent\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: \u001b[38;5;37m\"IfNotPresent\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 125, + "Content": " command:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mcommand\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 126, + "Content": " - /bin/sh", + "IsCause": true, + "Annotation": "", + 
"Truncated": false, + "Highlighted": " - /bin/sh", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 127, + "Content": " - -cx", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - -cx", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 128, + "Content": " - |", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - |", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 129, + "Content": " ", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[38;5;37m ", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 130, + "Content": " mkdir -p /bitnami/postgresql/data", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " mkdir -p /bitnami/postgresql/data", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 131, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV014", + "AVDID": "AVD-KSV-0014", + "Title": "Root file system is not read-only", + "Description": "An immutable root file system prevents applications from writing to their local disk. 
This can limit intrusions, as attackers will not be able to tamper with the file system or write foreign executables to disk.", + "Message": "Container 'metrics' of StatefulSet 'postgresql-postgresql' should set 'securityContext.readOnlyRootFilesystem' to true", + "Namespace": "builtin.kubernetes.KSV014", + "Query": "data.builtin.kubernetes.KSV014.deny", + "Resolution": "Change 'containers[].securityContext.readOnlyRootFilesystem' to 'true'.", + "Severity": "HIGH", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv014", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-readonlyrootfilesystem-true/", + "https://avd.aquasec.com/misconfig/ksv014" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 210, + "EndLine": 244, + "Code": { + "Lines": [ + { + "Number": 210, + "Content": " - name: metrics", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: metrics", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 211, + "Content": " image: quay.io/devtron/postgres_exporter:v0.4.7", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/postgres_exporter:v0.4.7", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 212, + "Content": " imagePullPolicy: \"IfNotPresent\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: \u001b[38;5;37m\"IfNotPresent\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 213, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 214, + "Content": " - name: DATA_SOURCE_URI", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " 
- \u001b[38;5;33mname\u001b[0m: DATA_SOURCE_URI", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 215, + "Content": " value: \"127.0.0.1:5432/orchestrator?sslmode=disable\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: \u001b[38;5;37m\"127.0.0.1:5432/orchestrator?sslmode=disable\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 216, + "Content": " - name: DATA_SOURCE_PASS", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: DATA_SOURCE_PASS", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 217, + "Content": " valueFrom:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalueFrom\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 218, + "Content": " secretKeyRef:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33msecretKeyRef\u001b[0m:", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 219, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV014", + "AVDID": "AVD-KSV-0014", + "Title": "Root file system is not read-only", + "Description": "An immutable root file system prevents applications from writing to their local disk. 
This can limit intrusions, as attackers will not be able to tamper with the file system or write foreign executables to disk.", + "Message": "Container 'postgresql-postgresql' of StatefulSet 'postgresql-postgresql' should set 'securityContext.readOnlyRootFilesystem' to true", + "Namespace": "builtin.kubernetes.KSV014", + "Query": "data.builtin.kubernetes.KSV014.deny", + "Resolution": "Change 'containers[].securityContext.readOnlyRootFilesystem' to 'true'.", + "Severity": "HIGH", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv014", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-readonlyrootfilesystem-true/", + "https://avd.aquasec.com/misconfig/ksv014" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 149, + "EndLine": 208, + "Code": { + "Lines": [ + { + "Number": 149, + "Content": " - name: postgresql-postgresql", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-postgresql", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 150, + "Content": " image: quay.io/bitnami/postgresql:11.3.0-debian-9-r28", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/bitnami/postgresql:11.3.0-debian-9-r28", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 151, + "Content": " imagePullPolicy: \"IfNotPresent\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: \u001b[38;5;37m\"IfNotPresent\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 152, + "Content": " securityContext:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33msecurityContext\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 153, + "Content": " runAsUser: 1001", + 
"IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1001", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 154, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 155, + "Content": " - name: BITNAMI_DEBUG", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: BITNAMI_DEBUG", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 156, + "Content": " value: \"false\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: \u001b[38;5;37m\"false\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 157, + "Content": " - name: POSTGRESQL_PORT_NUMBER", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: POSTGRESQL_PORT_NUMBER", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 158, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV015", + "AVDID": "AVD-KSV-0015", + "Title": "CPU requests not specified", + "Description": "When containers have resource requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", + "Message": "Container 'init-chmod-data' of StatefulSet 'postgresql-postgresql' should set 'resources.requests.cpu'", + "Namespace": "builtin.kubernetes.KSV015", + "Query": "data.builtin.kubernetes.KSV015.deny", + "Resolution": "Set 'containers[].resources.requests.cpu'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv015", + "References": [ + 
"https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", + "https://avd.aquasec.com/misconfig/ksv015" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 122, + "EndLine": 143, + "Code": { + "Lines": [ + { + "Number": 122, + "Content": " - name: init-chmod-data", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: init-chmod-data", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 123, + "Content": " image: \"quay.io/bitnami/minideb:latest\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/bitnami/minideb:latest\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 124, + "Content": " imagePullPolicy: \"IfNotPresent\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: \u001b[38;5;37m\"IfNotPresent\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 125, + "Content": " command:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mcommand\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 126, + "Content": " - /bin/sh", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - /bin/sh", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 127, + "Content": " - -cx", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - -cx", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 128, + "Content": " - |", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - |", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 129, + "Content": " ", + "IsCause": true, + "Annotation": 
"", + "Truncated": false, + "Highlighted": "\u001b[38;5;37m ", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 130, + "Content": " mkdir -p /bitnami/postgresql/data", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " mkdir -p /bitnami/postgresql/data", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 131, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV015", + "AVDID": "AVD-KSV-0015", + "Title": "CPU requests not specified", + "Description": "When containers have resource requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", + "Message": "Container 'metrics' of StatefulSet 'postgresql-postgresql' should set 'resources.requests.cpu'", + "Namespace": "builtin.kubernetes.KSV015", + "Query": "data.builtin.kubernetes.KSV015.deny", + "Resolution": "Set 'containers[].resources.requests.cpu'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv015", + "References": [ + "https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", + "https://avd.aquasec.com/misconfig/ksv015" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 210, + "EndLine": 244, + "Code": { + "Lines": [ + { + "Number": 210, + "Content": " - name: metrics", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: metrics", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 211, + "Content": " image: quay.io/devtron/postgres_exporter:v0.4.7", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: 
quay.io/devtron/postgres_exporter:v0.4.7", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 212, + "Content": " imagePullPolicy: \"IfNotPresent\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: \u001b[38;5;37m\"IfNotPresent\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 213, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 214, + "Content": " - name: DATA_SOURCE_URI", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: DATA_SOURCE_URI", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 215, + "Content": " value: \"127.0.0.1:5432/orchestrator?sslmode=disable\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: \u001b[38;5;37m\"127.0.0.1:5432/orchestrator?sslmode=disable\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 216, + "Content": " - name: DATA_SOURCE_PASS", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: DATA_SOURCE_PASS", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 217, + "Content": " valueFrom:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalueFrom\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 218, + "Content": " secretKeyRef:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33msecretKeyRef\u001b[0m:", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 219, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + 
"Type": "Kubernetes Security Check", + "ID": "KSV015", + "AVDID": "AVD-KSV-0015", + "Title": "CPU requests not specified", + "Description": "When containers have resource requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", + "Message": "Container 'postgresql-postgresql' of StatefulSet 'postgresql-postgresql' should set 'resources.requests.cpu'", + "Namespace": "builtin.kubernetes.KSV015", + "Query": "data.builtin.kubernetes.KSV015.deny", + "Resolution": "Set 'containers[].resources.requests.cpu'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv015", + "References": [ + "https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", + "https://avd.aquasec.com/misconfig/ksv015" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 149, + "EndLine": 208, + "Code": { + "Lines": [ + { + "Number": 149, + "Content": " - name: postgresql-postgresql", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-postgresql", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 150, + "Content": " image: quay.io/bitnami/postgresql:11.3.0-debian-9-r28", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/bitnami/postgresql:11.3.0-debian-9-r28", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 151, + "Content": " imagePullPolicy: \"IfNotPresent\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: \u001b[38;5;37m\"IfNotPresent\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 152, + "Content": " securityContext:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": 
"\u001b[0m \u001b[38;5;33msecurityContext\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 153, + "Content": " runAsUser: 1001", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1001", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 154, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 155, + "Content": " - name: BITNAMI_DEBUG", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: BITNAMI_DEBUG", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 156, + "Content": " value: \"false\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: \u001b[38;5;37m\"false\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 157, + "Content": " - name: POSTGRESQL_PORT_NUMBER", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: POSTGRESQL_PORT_NUMBER", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 158, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV016", + "AVDID": "AVD-KSV-0016", + "Title": "Memory requests not specified", + "Description": "When containers have memory requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", + "Message": "Container 'init-chmod-data' of StatefulSet 'postgresql-postgresql' should set 'resources.requests.memory'", + "Namespace": "builtin.kubernetes.KSV016", + "Query": "data.builtin.kubernetes.KSV016.deny", + 
"Resolution": "Set 'containers[].resources.requests.memory'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv016", + "References": [ + "https://kubesec.io/basics/containers-resources-limits-memory/", + "https://avd.aquasec.com/misconfig/ksv016" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 122, + "EndLine": 143, + "Code": { + "Lines": [ + { + "Number": 122, + "Content": " - name: init-chmod-data", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: init-chmod-data", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 123, + "Content": " image: \"quay.io/bitnami/minideb:latest\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/bitnami/minideb:latest\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 124, + "Content": " imagePullPolicy: \"IfNotPresent\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: \u001b[38;5;37m\"IfNotPresent\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 125, + "Content": " command:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mcommand\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 126, + "Content": " - /bin/sh", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - /bin/sh", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 127, + "Content": " - -cx", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - -cx", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 128, + "Content": " - |", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - |", + 
"FirstCause": false, + "LastCause": false + }, + { + "Number": 129, + "Content": " ", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[38;5;37m ", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 130, + "Content": " mkdir -p /bitnami/postgresql/data", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " mkdir -p /bitnami/postgresql/data", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 131, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV016", + "AVDID": "AVD-KSV-0016", + "Title": "Memory requests not specified", + "Description": "When containers have memory requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", + "Message": "Container 'metrics' of StatefulSet 'postgresql-postgresql' should set 'resources.requests.memory'", + "Namespace": "builtin.kubernetes.KSV016", + "Query": "data.builtin.kubernetes.KSV016.deny", + "Resolution": "Set 'containers[].resources.requests.memory'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv016", + "References": [ + "https://kubesec.io/basics/containers-resources-limits-memory/", + "https://avd.aquasec.com/misconfig/ksv016" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 210, + "EndLine": 244, + "Code": { + "Lines": [ + { + "Number": 210, + "Content": " - name: metrics", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: metrics", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 211, + "Content": " image: quay.io/devtron/postgres_exporter:v0.4.7", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": 
" \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/postgres_exporter:v0.4.7", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 212, + "Content": " imagePullPolicy: \"IfNotPresent\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: \u001b[38;5;37m\"IfNotPresent\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 213, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 214, + "Content": " - name: DATA_SOURCE_URI", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: DATA_SOURCE_URI", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 215, + "Content": " value: \"127.0.0.1:5432/orchestrator?sslmode=disable\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: \u001b[38;5;37m\"127.0.0.1:5432/orchestrator?sslmode=disable\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 216, + "Content": " - name: DATA_SOURCE_PASS", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: DATA_SOURCE_PASS", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 217, + "Content": " valueFrom:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalueFrom\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 218, + "Content": " secretKeyRef:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33msecretKeyRef\u001b[0m:", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 219, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": 
false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV016", + "AVDID": "AVD-KSV-0016", + "Title": "Memory requests not specified", + "Description": "When containers have memory requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", + "Message": "Container 'postgresql-postgresql' of StatefulSet 'postgresql-postgresql' should set 'resources.requests.memory'", + "Namespace": "builtin.kubernetes.KSV016", + "Query": "data.builtin.kubernetes.KSV016.deny", + "Resolution": "Set 'containers[].resources.requests.memory'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv016", + "References": [ + "https://kubesec.io/basics/containers-resources-limits-memory/", + "https://avd.aquasec.com/misconfig/ksv016" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 149, + "EndLine": 208, + "Code": { + "Lines": [ + { + "Number": 149, + "Content": " - name: postgresql-postgresql", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-postgresql", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 150, + "Content": " image: quay.io/bitnami/postgresql:11.3.0-debian-9-r28", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/bitnami/postgresql:11.3.0-debian-9-r28", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 151, + "Content": " imagePullPolicy: \"IfNotPresent\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: \u001b[38;5;37m\"IfNotPresent\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 152, + "Content": " securityContext:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m 
\u001b[38;5;33msecurityContext\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 153, + "Content": " runAsUser: 1001", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1001", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 154, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 155, + "Content": " - name: BITNAMI_DEBUG", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: BITNAMI_DEBUG", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 156, + "Content": " value: \"false\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: \u001b[38;5;37m\"false\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 157, + "Content": " - name: POSTGRESQL_PORT_NUMBER", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: POSTGRESQL_PORT_NUMBER", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 158, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV018", + "AVDID": "AVD-KSV-0018", + "Title": "Memory not limited", + "Description": "Enforcing memory limits prevents DoS via resource exhaustion.", + "Message": "Container 'init-chmod-data' of StatefulSet 'postgresql-postgresql' should set 'resources.limits.memory'", + "Namespace": "builtin.kubernetes.KSV018", + "Query": "data.builtin.kubernetes.KSV018.deny", + "Resolution": "Set a limit value under 'containers[].resources.limits.memory'.", + "Severity": "LOW", + "PrimaryURL": 
"https://avd.aquasec.com/misconfig/ksv018", + "References": [ + "https://kubesec.io/basics/containers-resources-limits-memory/", + "https://avd.aquasec.com/misconfig/ksv018" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 122, + "EndLine": 143, + "Code": { + "Lines": [ + { + "Number": 122, + "Content": " - name: init-chmod-data", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: init-chmod-data", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 123, + "Content": " image: \"quay.io/bitnami/minideb:latest\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/bitnami/minideb:latest\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 124, + "Content": " imagePullPolicy: \"IfNotPresent\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: \u001b[38;5;37m\"IfNotPresent\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 125, + "Content": " command:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mcommand\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 126, + "Content": " - /bin/sh", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - /bin/sh", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 127, + "Content": " - -cx", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - -cx", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 128, + "Content": " - |", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - |", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 129, + "Content": " ", + "IsCause": true, + 
"Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[38;5;37m ", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 130, + "Content": " mkdir -p /bitnami/postgresql/data", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " mkdir -p /bitnami/postgresql/data", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 131, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV018", + "AVDID": "AVD-KSV-0018", + "Title": "Memory not limited", + "Description": "Enforcing memory limits prevents DoS via resource exhaustion.", + "Message": "Container 'metrics' of StatefulSet 'postgresql-postgresql' should set 'resources.limits.memory'", + "Namespace": "builtin.kubernetes.KSV018", + "Query": "data.builtin.kubernetes.KSV018.deny", + "Resolution": "Set a limit value under 'containers[].resources.limits.memory'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv018", + "References": [ + "https://kubesec.io/basics/containers-resources-limits-memory/", + "https://avd.aquasec.com/misconfig/ksv018" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 210, + "EndLine": 244, + "Code": { + "Lines": [ + { + "Number": 210, + "Content": " - name: metrics", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: metrics", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 211, + "Content": " image: quay.io/devtron/postgres_exporter:v0.4.7", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/postgres_exporter:v0.4.7", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 212, + "Content": " imagePullPolicy: \"IfNotPresent\"", + 
"IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: \u001b[38;5;37m\"IfNotPresent\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 213, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 214, + "Content": " - name: DATA_SOURCE_URI", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: DATA_SOURCE_URI", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 215, + "Content": " value: \"127.0.0.1:5432/orchestrator?sslmode=disable\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: \u001b[38;5;37m\"127.0.0.1:5432/orchestrator?sslmode=disable\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 216, + "Content": " - name: DATA_SOURCE_PASS", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: DATA_SOURCE_PASS", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 217, + "Content": " valueFrom:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalueFrom\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 218, + "Content": " secretKeyRef:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33msecretKeyRef\u001b[0m:", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 219, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV018", + "AVDID": "AVD-KSV-0018", + "Title": "Memory not limited", + "Description": "Enforcing memory limits prevents DoS 
via resource exhaustion.", + "Message": "Container 'postgresql-postgresql' of StatefulSet 'postgresql-postgresql' should set 'resources.limits.memory'", + "Namespace": "builtin.kubernetes.KSV018", + "Query": "data.builtin.kubernetes.KSV018.deny", + "Resolution": "Set a limit value under 'containers[].resources.limits.memory'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv018", + "References": [ + "https://kubesec.io/basics/containers-resources-limits-memory/", + "https://avd.aquasec.com/misconfig/ksv018" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 149, + "EndLine": 208, + "Code": { + "Lines": [ + { + "Number": 149, + "Content": " - name: postgresql-postgresql", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-postgresql", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 150, + "Content": " image: quay.io/bitnami/postgresql:11.3.0-debian-9-r28", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/bitnami/postgresql:11.3.0-debian-9-r28", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 151, + "Content": " imagePullPolicy: \"IfNotPresent\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: \u001b[38;5;37m\"IfNotPresent\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 152, + "Content": " securityContext:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33msecurityContext\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 153, + "Content": " runAsUser: 1001", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1001", + "FirstCause": false, + 
"LastCause": false + }, + { + "Number": 154, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 155, + "Content": " - name: BITNAMI_DEBUG", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: BITNAMI_DEBUG", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 156, + "Content": " value: \"false\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: \u001b[38;5;37m\"false\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 157, + "Content": " - name: POSTGRESQL_PORT_NUMBER", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: POSTGRESQL_PORT_NUMBER", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 158, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV020", + "AVDID": "AVD-KSV-0020", + "Title": "Runs with UID \u003c= 10000", + "Description": "Force the container to run with user ID \u003e 10000 to avoid conflicts with the host’s user table.", + "Message": "Container 'init-chmod-data' of StatefulSet 'postgresql-postgresql' should set 'securityContext.runAsUser' \u003e 10000", + "Namespace": "builtin.kubernetes.KSV020", + "Query": "data.builtin.kubernetes.KSV020.deny", + "Resolution": "Set 'containers[].securityContext.runAsUser' to an integer \u003e 10000.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv020", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-runasuser/", + "https://avd.aquasec.com/misconfig/ksv020" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + 
"Provider": "Kubernetes", + "Service": "general", + "StartLine": 122, + "EndLine": 143, + "Code": { + "Lines": [ + { + "Number": 122, + "Content": " - name: init-chmod-data", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: init-chmod-data", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 123, + "Content": " image: \"quay.io/bitnami/minideb:latest\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/bitnami/minideb:latest\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 124, + "Content": " imagePullPolicy: \"IfNotPresent\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: \u001b[38;5;37m\"IfNotPresent\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 125, + "Content": " command:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mcommand\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 126, + "Content": " - /bin/sh", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - /bin/sh", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 127, + "Content": " - -cx", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - -cx", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 128, + "Content": " - |", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - |", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 129, + "Content": " ", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[38;5;37m ", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 130, + "Content": " mkdir -p /bitnami/postgresql/data", + "IsCause": true, + "Annotation": "", + 
"Truncated": false, + "Highlighted": " mkdir -p /bitnami/postgresql/data", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 131, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV020", + "AVDID": "AVD-KSV-0020", + "Title": "Runs with UID \u003c= 10000", + "Description": "Force the container to run with user ID \u003e 10000 to avoid conflicts with the host’s user table.", + "Message": "Container 'metrics' of StatefulSet 'postgresql-postgresql' should set 'securityContext.runAsUser' \u003e 10000", + "Namespace": "builtin.kubernetes.KSV020", + "Query": "data.builtin.kubernetes.KSV020.deny", + "Resolution": "Set 'containers[].securityContext.runAsUser' to an integer \u003e 10000.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv020", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-runasuser/", + "https://avd.aquasec.com/misconfig/ksv020" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 210, + "EndLine": 244, + "Code": { + "Lines": [ + { + "Number": 210, + "Content": " - name: metrics", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: metrics", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 211, + "Content": " image: quay.io/devtron/postgres_exporter:v0.4.7", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/postgres_exporter:v0.4.7", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 212, + "Content": " imagePullPolicy: \"IfNotPresent\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: \u001b[38;5;37m\"IfNotPresent\"", + "FirstCause": 
false, + "LastCause": false + }, + { + "Number": 213, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 214, + "Content": " - name: DATA_SOURCE_URI", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: DATA_SOURCE_URI", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 215, + "Content": " value: \"127.0.0.1:5432/orchestrator?sslmode=disable\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: \u001b[38;5;37m\"127.0.0.1:5432/orchestrator?sslmode=disable\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 216, + "Content": " - name: DATA_SOURCE_PASS", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: DATA_SOURCE_PASS", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 217, + "Content": " valueFrom:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalueFrom\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 218, + "Content": " secretKeyRef:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33msecretKeyRef\u001b[0m:", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 219, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV020", + "AVDID": "AVD-KSV-0020", + "Title": "Runs with UID \u003c= 10000", + "Description": "Force the container to run with user ID \u003e 10000 to avoid conflicts with the host’s user table.", + "Message": "Container 'postgresql-postgresql' of StatefulSet 'postgresql-postgresql' should 
set 'securityContext.runAsUser' \u003e 10000", + "Namespace": "builtin.kubernetes.KSV020", + "Query": "data.builtin.kubernetes.KSV020.deny", + "Resolution": "Set 'containers[].securityContext.runAsUser' to an integer \u003e 10000.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv020", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-runasuser/", + "https://avd.aquasec.com/misconfig/ksv020" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 149, + "EndLine": 208, + "Code": { + "Lines": [ + { + "Number": 149, + "Content": " - name: postgresql-postgresql", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-postgresql", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 150, + "Content": " image: quay.io/bitnami/postgresql:11.3.0-debian-9-r28", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/bitnami/postgresql:11.3.0-debian-9-r28", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 151, + "Content": " imagePullPolicy: \"IfNotPresent\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: \u001b[38;5;37m\"IfNotPresent\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 152, + "Content": " securityContext:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33msecurityContext\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 153, + "Content": " runAsUser: 1001", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1001", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 154, + "Content": " env:", + "IsCause": true, + 
"Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 155, + "Content": " - name: BITNAMI_DEBUG", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: BITNAMI_DEBUG", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 156, + "Content": " value: \"false\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: \u001b[38;5;37m\"false\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 157, + "Content": " - name: POSTGRESQL_PORT_NUMBER", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: POSTGRESQL_PORT_NUMBER", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 158, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV021", + "AVDID": "AVD-KSV-0021", + "Title": "Runs with GID \u003c= 10000", + "Description": "Force the container to run with group ID \u003e 10000 to avoid conflicts with the host’s user table.", + "Message": "Container 'init-chmod-data' of StatefulSet 'postgresql-postgresql' should set 'securityContext.runAsGroup' \u003e 10000", + "Namespace": "builtin.kubernetes.KSV021", + "Query": "data.builtin.kubernetes.KSV021.deny", + "Resolution": "Set 'containers[].securityContext.runAsGroup' to an integer \u003e 10000.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv021", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-runasuser/", + "https://avd.aquasec.com/misconfig/ksv021" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 122, + "EndLine": 143, + 
"Code": { + "Lines": [ + { + "Number": 122, + "Content": " - name: init-chmod-data", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: init-chmod-data", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 123, + "Content": " image: \"quay.io/bitnami/minideb:latest\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/bitnami/minideb:latest\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 124, + "Content": " imagePullPolicy: \"IfNotPresent\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: \u001b[38;5;37m\"IfNotPresent\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 125, + "Content": " command:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mcommand\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 126, + "Content": " - /bin/sh", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - /bin/sh", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 127, + "Content": " - -cx", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - -cx", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 128, + "Content": " - |", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - |", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 129, + "Content": " ", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[38;5;37m ", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 130, + "Content": " mkdir -p /bitnami/postgresql/data", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " mkdir -p /bitnami/postgresql/data", + "FirstCause": 
false, + "LastCause": true + }, + { + "Number": 131, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV021", + "AVDID": "AVD-KSV-0021", + "Title": "Runs with GID \u003c= 10000", + "Description": "Force the container to run with group ID \u003e 10000 to avoid conflicts with the host’s user table.", + "Message": "Container 'metrics' of StatefulSet 'postgresql-postgresql' should set 'securityContext.runAsGroup' \u003e 10000", + "Namespace": "builtin.kubernetes.KSV021", + "Query": "data.builtin.kubernetes.KSV021.deny", + "Resolution": "Set 'containers[].securityContext.runAsGroup' to an integer \u003e 10000.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv021", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-runasuser/", + "https://avd.aquasec.com/misconfig/ksv021" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 210, + "EndLine": 244, + "Code": { + "Lines": [ + { + "Number": 210, + "Content": " - name: metrics", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: metrics", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 211, + "Content": " image: quay.io/devtron/postgres_exporter:v0.4.7", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/postgres_exporter:v0.4.7", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 212, + "Content": " imagePullPolicy: \"IfNotPresent\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: \u001b[38;5;37m\"IfNotPresent\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 213, + "Content": " env:", + "IsCause": 
true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 214, + "Content": " - name: DATA_SOURCE_URI", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: DATA_SOURCE_URI", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 215, + "Content": " value: \"127.0.0.1:5432/orchestrator?sslmode=disable\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: \u001b[38;5;37m\"127.0.0.1:5432/orchestrator?sslmode=disable\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 216, + "Content": " - name: DATA_SOURCE_PASS", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: DATA_SOURCE_PASS", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 217, + "Content": " valueFrom:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalueFrom\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 218, + "Content": " secretKeyRef:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33msecretKeyRef\u001b[0m:", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 219, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV021", + "AVDID": "AVD-KSV-0021", + "Title": "Runs with GID \u003c= 10000", + "Description": "Force the container to run with group ID \u003e 10000 to avoid conflicts with the host’s user table.", + "Message": "Container 'postgresql-postgresql' of StatefulSet 'postgresql-postgresql' should set 'securityContext.runAsGroup' \u003e 10000", + "Namespace": 
"builtin.kubernetes.KSV021", + "Query": "data.builtin.kubernetes.KSV021.deny", + "Resolution": "Set 'containers[].securityContext.runAsGroup' to an integer \u003e 10000.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv021", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-runasuser/", + "https://avd.aquasec.com/misconfig/ksv021" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 149, + "EndLine": 208, + "Code": { + "Lines": [ + { + "Number": 149, + "Content": " - name: postgresql-postgresql", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-postgresql", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 150, + "Content": " image: quay.io/bitnami/postgresql:11.3.0-debian-9-r28", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/bitnami/postgresql:11.3.0-debian-9-r28", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 151, + "Content": " imagePullPolicy: \"IfNotPresent\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: \u001b[38;5;37m\"IfNotPresent\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 152, + "Content": " securityContext:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33msecurityContext\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 153, + "Content": " runAsUser: 1001", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1001", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 154, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m 
\u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 155, + "Content": " - name: BITNAMI_DEBUG", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: BITNAMI_DEBUG", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 156, + "Content": " value: \"false\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: \u001b[38;5;37m\"false\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 157, + "Content": " - name: POSTGRESQL_PORT_NUMBER", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: POSTGRESQL_PORT_NUMBER", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 158, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV030", + "AVDID": "AVD-KSV-0030", + "Title": "Runtime/Default Seccomp profile not set", + "Description": "According to pod security standard 'Seccomp', the RuntimeDefault seccomp profile must be required, or allow specific additional profiles.", + "Message": "Either Pod or Container should set 'securityContext.seccompProfile.type' to 'RuntimeDefault'", + "Namespace": "builtin.kubernetes.KSV030", + "Query": "data.builtin.kubernetes.KSV030.deny", + "Resolution": "Set 'spec.securityContext.seccompProfile.type', 'spec.containers[*].securityContext.seccompProfile' and 'spec.initContainers[*].securityContext.seccompProfile' to 'RuntimeDefault' or undefined.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv030", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", + "https://avd.aquasec.com/misconfig/ksv030" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + 
"Provider": "Kubernetes", + "Service": "general", + "StartLine": 210, + "EndLine": 244, + "Code": { + "Lines": [ + { + "Number": 210, + "Content": " - name: metrics", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: metrics", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 211, + "Content": " image: quay.io/devtron/postgres_exporter:v0.4.7", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/postgres_exporter:v0.4.7", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 212, + "Content": " imagePullPolicy: \"IfNotPresent\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: \u001b[38;5;37m\"IfNotPresent\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 213, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 214, + "Content": " - name: DATA_SOURCE_URI", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: DATA_SOURCE_URI", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 215, + "Content": " value: \"127.0.0.1:5432/orchestrator?sslmode=disable\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: \u001b[38;5;37m\"127.0.0.1:5432/orchestrator?sslmode=disable\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 216, + "Content": " - name: DATA_SOURCE_PASS", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: DATA_SOURCE_PASS", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 217, + "Content": " valueFrom:", + "IsCause": true, + 
"Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalueFrom\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 218, + "Content": " secretKeyRef:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33msecretKeyRef\u001b[0m:", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 219, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV030", + "AVDID": "AVD-KSV-0030", + "Title": "Runtime/Default Seccomp profile not set", + "Description": "According to pod security standard 'Seccomp', the RuntimeDefault seccomp profile must be required, or allow specific additional profiles.", + "Message": "Either Pod or Container should set 'securityContext.seccompProfile.type' to 'RuntimeDefault'", + "Namespace": "builtin.kubernetes.KSV030", + "Query": "data.builtin.kubernetes.KSV030.deny", + "Resolution": "Set 'spec.securityContext.seccompProfile.type', 'spec.containers[*].securityContext.seccompProfile' and 'spec.initContainers[*].securityContext.seccompProfile' to 'RuntimeDefault' or undefined.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv030", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", + "https://avd.aquasec.com/misconfig/ksv030" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 149, + "EndLine": 208, + "Code": { + "Lines": [ + { + "Number": 149, + "Content": " - name: postgresql-postgresql", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-postgresql", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 150, + "Content": " image: quay.io/bitnami/postgresql:11.3.0-debian-9-r28", + 
"IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/bitnami/postgresql:11.3.0-debian-9-r28", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 151, + "Content": " imagePullPolicy: \"IfNotPresent\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: \u001b[38;5;37m\"IfNotPresent\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 152, + "Content": " securityContext:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33msecurityContext\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 153, + "Content": " runAsUser: 1001", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1001", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 154, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 155, + "Content": " - name: BITNAMI_DEBUG", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: BITNAMI_DEBUG", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 156, + "Content": " value: \"false\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: \u001b[38;5;37m\"false\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 157, + "Content": " - name: POSTGRESQL_PORT_NUMBER", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: POSTGRESQL_PORT_NUMBER", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 158, + "Content": "", + "IsCause": false, + "Annotation": "", + 
"Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV030", + "AVDID": "AVD-KSV-0030", + "Title": "Runtime/Default Seccomp profile not set", + "Description": "According to pod security standard 'Seccomp', the RuntimeDefault seccomp profile must be required, or allow specific additional profiles.", + "Message": "Either Pod or Container should set 'securityContext.seccompProfile.type' to 'RuntimeDefault'", + "Namespace": "builtin.kubernetes.KSV030", + "Query": "data.builtin.kubernetes.KSV030.deny", + "Resolution": "Set 'spec.securityContext.seccompProfile.type', 'spec.containers[*].securityContext.seccompProfile' and 'spec.initContainers[*].securityContext.seccompProfile' to 'RuntimeDefault' or undefined.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv030", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", + "https://avd.aquasec.com/misconfig/ksv030" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 122, + "EndLine": 143, + "Code": { + "Lines": [ + { + "Number": 122, + "Content": " - name: init-chmod-data", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: init-chmod-data", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 123, + "Content": " image: \"quay.io/bitnami/minideb:latest\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/bitnami/minideb:latest\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 124, + "Content": " imagePullPolicy: \"IfNotPresent\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: \u001b[38;5;37m\"IfNotPresent\"", + "FirstCause": false, + 
"LastCause": false + }, + { + "Number": 125, + "Content": " command:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mcommand\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 126, + "Content": " - /bin/sh", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - /bin/sh", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 127, + "Content": " - -cx", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - -cx", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 128, + "Content": " - |", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - |", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 129, + "Content": " ", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[38;5;37m ", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 130, + "Content": " mkdir -p /bitnami/postgresql/data", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " mkdir -p /bitnami/postgresql/data", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 131, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV104", + "AVDID": "AVD-KSV-0104", + "Title": "Seccomp policies disabled", + "Description": "A program inside the container can bypass Seccomp protection policies.", + "Message": "container \"init-chmod-data\" of statefulset \"postgresql-postgresql\" in \"default\" namespace should specify a seccomp profile", + "Namespace": "builtin.kubernetes.KSV104", + "Query": "data.builtin.kubernetes.KSV104.deny", + "Resolution": "Specify seccomp either by annotation or by seccomp profile type having allowed values as per pod security standards", + "Severity": "MEDIUM", + 
"PrimaryURL": "https://avd.aquasec.com/misconfig/ksv104", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline", + "https://avd.aquasec.com/misconfig/ksv104" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 90, + "EndLine": 90, + "Code": { + "Lines": [ + { + "Number": 90, + "Content": "---", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "---", + "FirstCause": true, + "LastCause": true + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV104", + "AVDID": "AVD-KSV-0104", + "Title": "Seccomp policies disabled", + "Description": "A program inside the container can bypass Seccomp protection policies.", + "Message": "container \"metrics\" of statefulset \"postgresql-postgresql\" in \"default\" namespace should specify a seccomp profile", + "Namespace": "builtin.kubernetes.KSV104", + "Query": "data.builtin.kubernetes.KSV104.deny", + "Resolution": "Specify seccomp either by annotation or by seccomp profile type having allowed values as per pod security standards", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv104", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline", + "https://avd.aquasec.com/misconfig/ksv104" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 90, + "EndLine": 90, + "Code": { + "Lines": [ + { + "Number": 90, + "Content": "---", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "---", + "FirstCause": true, + "LastCause": true + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV104", + "AVDID": "AVD-KSV-0104", + "Title": "Seccomp policies disabled", + "Description": "A program inside the container can bypass Seccomp protection policies.", + "Message": "container 
\"postgresql-postgresql\" of statefulset \"postgresql-postgresql\" in \"default\" namespace should specify a seccomp profile", + "Namespace": "builtin.kubernetes.KSV104", + "Query": "data.builtin.kubernetes.KSV104.deny", + "Resolution": "Specify seccomp either by annotation or by seccomp profile type having allowed values as per pod security standards", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv104", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline", + "https://avd.aquasec.com/misconfig/ksv104" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 90, + "EndLine": 90, + "Code": { + "Lines": [ + { + "Number": 90, + "Content": "---", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "---", + "FirstCause": true, + "LastCause": true + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV105", + "AVDID": "AVD-KSV-0105", + "Title": "Containers must not set runAsUser to 0", + "Description": "Containers should be forbidden from running with a root UID.", + "Message": "securityContext.runAsUser should be set to a value greater than 0", + "Namespace": "builtin.kubernetes.KSV105", + "Query": "data.builtin.kubernetes.KSV105.deny", + "Resolution": "Set 'securityContext.runAsUser' to a non-zero integer or leave undefined.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv105", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", + "https://avd.aquasec.com/misconfig/ksv105" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 136, + "EndLine": 136, + "Code": { + "Lines": [ + { + "Number": 136, + "Content": " runAsUser: 0", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " 
\u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m0", + "FirstCause": true, + "LastCause": true + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV106", + "AVDID": "AVD-KSV-0106", + "Title": "Container capabilities must only include NET_BIND_SERVICE", + "Description": "Containers must drop ALL capabilities, and are only permitted to add back the NET_BIND_SERVICE capability.", + "Message": "container should drop all", + "Namespace": "builtin.kubernetes.KSV106", + "Query": "data.builtin.kubernetes.KSV106.deny", + "Resolution": "Set 'spec.containers[*].securityContext.capabilities.drop' to 'ALL' and only add 'NET_BIND_SERVICE' to 'spec.containers[*].securityContext.capabilities.add'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv106", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", + "https://avd.aquasec.com/misconfig/ksv106" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 122, + "EndLine": 143, + "Code": { + "Lines": [ + { + "Number": 122, + "Content": " - name: init-chmod-data", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: init-chmod-data", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 123, + "Content": " image: \"quay.io/bitnami/minideb:latest\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/bitnami/minideb:latest\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 124, + "Content": " imagePullPolicy: \"IfNotPresent\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: \u001b[38;5;37m\"IfNotPresent\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 125, + "Content": " command:", + "IsCause": 
true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mcommand\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 126, + "Content": " - /bin/sh", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - /bin/sh", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 127, + "Content": " - -cx", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - -cx", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 128, + "Content": " - |", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - |", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 129, + "Content": " ", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[38;5;37m ", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 130, + "Content": " mkdir -p /bitnami/postgresql/data", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " mkdir -p /bitnami/postgresql/data", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 131, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV106", + "AVDID": "AVD-KSV-0106", + "Title": "Container capabilities must only include NET_BIND_SERVICE", + "Description": "Containers must drop ALL capabilities, and are only permitted to add back the NET_BIND_SERVICE capability.", + "Message": "container should drop all", + "Namespace": "builtin.kubernetes.KSV106", + "Query": "data.builtin.kubernetes.KSV106.deny", + "Resolution": "Set 'spec.containers[*].securityContext.capabilities.drop' to 'ALL' and only add 'NET_BIND_SERVICE' to 'spec.containers[*].securityContext.capabilities.add'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv106", + "References": [ + 
"https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", + "https://avd.aquasec.com/misconfig/ksv106" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 149, + "EndLine": 208, + "Code": { + "Lines": [ + { + "Number": 149, + "Content": " - name: postgresql-postgresql", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-postgresql", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 150, + "Content": " image: quay.io/bitnami/postgresql:11.3.0-debian-9-r28", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/bitnami/postgresql:11.3.0-debian-9-r28", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 151, + "Content": " imagePullPolicy: \"IfNotPresent\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: \u001b[38;5;37m\"IfNotPresent\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 152, + "Content": " securityContext:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33msecurityContext\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 153, + "Content": " runAsUser: 1001", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1001", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 154, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 155, + "Content": " - name: BITNAMI_DEBUG", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: 
BITNAMI_DEBUG", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 156, + "Content": " value: \"false\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: \u001b[38;5;37m\"false\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 157, + "Content": " - name: POSTGRESQL_PORT_NUMBER", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: POSTGRESQL_PORT_NUMBER", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 158, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV106", + "AVDID": "AVD-KSV-0106", + "Title": "Container capabilities must only include NET_BIND_SERVICE", + "Description": "Containers must drop ALL capabilities, and are only permitted to add back the NET_BIND_SERVICE capability.", + "Message": "container should drop all", + "Namespace": "builtin.kubernetes.KSV106", + "Query": "data.builtin.kubernetes.KSV106.deny", + "Resolution": "Set 'spec.containers[*].securityContext.capabilities.drop' to 'ALL' and only add 'NET_BIND_SERVICE' to 'spec.containers[*].securityContext.capabilities.add'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv106", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", + "https://avd.aquasec.com/misconfig/ksv106" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 210, + "EndLine": 244, + "Code": { + "Lines": [ + { + "Number": 210, + "Content": " - name: metrics", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: metrics", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 211, + "Content": " 
image: quay.io/devtron/postgres_exporter:v0.4.7", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/postgres_exporter:v0.4.7", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 212, + "Content": " imagePullPolicy: \"IfNotPresent\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: \u001b[38;5;37m\"IfNotPresent\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 213, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 214, + "Content": " - name: DATA_SOURCE_URI", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: DATA_SOURCE_URI", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 215, + "Content": " value: \"127.0.0.1:5432/orchestrator?sslmode=disable\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: \u001b[38;5;37m\"127.0.0.1:5432/orchestrator?sslmode=disable\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 216, + "Content": " - name: DATA_SOURCE_PASS", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: DATA_SOURCE_PASS", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 217, + "Content": " valueFrom:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalueFrom\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 218, + "Content": " secretKeyRef:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33msecretKeyRef\u001b[0m:", + "FirstCause": false, + "LastCause": true + }, + { + 
"Number": 219, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + } + ] + }, + { + "Target": "manifests/install/devtron-installer.yaml", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 153, + "Failures": 0, + "Exceptions": 0 + } + }, + { + "Target": "manifests/install/devtron-operator-configs.yaml", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 153, + "Failures": 1, + "Exceptions": 0 + }, + "Misconfigurations": [ + { + "Type": "Kubernetes Security Check", + "ID": "AVD-KSV-01010", + "AVDID": "AVD-KSV-01010", + "Title": "ConfigMap with sensitive content", + "Description": "Storing sensitive content such as usernames and email addresses in configMaps is unsafe", + "Message": "ConfigMap 'devtron-operator-cm' in 'devtroncd' namespace stores sensitive contents in key(s) or value(s) '{\"BLOB_STORAGE_PROVIDER\"}'", + "Namespace": "builtin.kubernetes.KSV01010", + "Query": "data.builtin.kubernetes.KSV01010.deny", + "Resolution": "Remove sensitive content from configMap data value", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/avd-ksv-01010", + "References": [ + "https://avd.aquasec.com/misconfig/avd-ksv-01010" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 15, + "EndLine": 15, + "Code": { + "Lines": [ + { + "Number": 15, + "Content": "---", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "---", + "FirstCause": true, + "LastCause": true + } + ] + } + } + } + ] + }, + { + "Target": "manifests/install/install.yaml", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 153, + "Failures": 14, + "Exceptions": 0 + }, + "Misconfigurations": [ + { + "Type": "Kubernetes Security Check", + "ID": "KSV001", + "AVDID": "AVD-KSV-0001", + "Title": "Can elevate its own 
privileges", + "Description": "A program inside the container can elevate its own privileges and run as root, which might give the program control over the container and node.", + "Message": "Container 'inception' of Deployment 'inception' should set 'securityContext.allowPrivilegeEscalation' to false", + "Namespace": "builtin.kubernetes.KSV001", + "Query": "data.builtin.kubernetes.KSV001.deny", + "Resolution": "Set 'set containers[].securityContext.allowPrivilegeEscalation' to 'false'.", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv001", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", + "https://avd.aquasec.com/misconfig/ksv001" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 81, + "EndLine": 88, + "Code": { + "Lines": [ + { + "Number": 81, + "Content": " image: quay.io/devtron/inception:473deaa4-185-21582", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/inception:473deaa4-185-21582", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 82, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 83, + "Content": " name: inception", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mname\u001b[0m: inception", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 84, + "Content": " ports:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mports\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 85, + "Content": " -", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " -", 
+ "FirstCause": false, + "LastCause": false + }, + { + "Number": 86, + "Content": " containerPort: 8080", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m8080", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 87, + "Content": " name: app", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mname\u001b[0m: app", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 88, + "Content": " protocol: TCP", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mprotocol\u001b[0m: TCP", + "FirstCause": false, + "LastCause": true + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV003", + "AVDID": "AVD-KSV-0003", + "Title": "Default capabilities: some containers do not drop all", + "Description": "The container should drop all default capabilities and add only those that are needed for its execution.", + "Message": "Container 'inception' of Deployment 'inception' should add 'ALL' to 'securityContext.capabilities.drop'", + "Namespace": "builtin.kubernetes.KSV003", + "Query": "data.builtin.kubernetes.KSV003.deny", + "Resolution": "Add 'ALL' to containers[].securityContext.capabilities.drop.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv003", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-capabilities-drop-index-all/", + "https://avd.aquasec.com/misconfig/ksv003" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 81, + "EndLine": 88, + "Code": { + "Lines": [ + { + "Number": 81, + "Content": " image: quay.io/devtron/inception:473deaa4-185-21582", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/inception:473deaa4-185-21582", + "FirstCause": 
true, + "LastCause": false + }, + { + "Number": 82, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 83, + "Content": " name: inception", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mname\u001b[0m: inception", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 84, + "Content": " ports:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mports\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 85, + "Content": " -", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " -", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 86, + "Content": " containerPort: 8080", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m8080", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 87, + "Content": " name: app", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mname\u001b[0m: app", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 88, + "Content": " protocol: TCP", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mprotocol\u001b[0m: TCP", + "FirstCause": false, + "LastCause": true + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV011", + "AVDID": "AVD-KSV-0011", + "Title": "CPU not limited", + "Description": "Enforcing CPU limits prevents DoS via resource exhaustion.", + "Message": "Container 'inception' of Deployment 'inception' should set 'resources.limits.cpu'", + "Namespace": "builtin.kubernetes.KSV011", + "Query": "data.builtin.kubernetes.KSV011.deny", + "Resolution": "Set 
a limit value under 'containers[].resources.limits.cpu'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv011", + "References": [ + "https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", + "https://avd.aquasec.com/misconfig/ksv011" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 81, + "EndLine": 88, + "Code": { + "Lines": [ + { + "Number": 81, + "Content": " image: quay.io/devtron/inception:473deaa4-185-21582", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/inception:473deaa4-185-21582", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 82, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 83, + "Content": " name: inception", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mname\u001b[0m: inception", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 84, + "Content": " ports:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mports\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 85, + "Content": " -", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " -", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 86, + "Content": " containerPort: 8080", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m8080", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 87, + "Content": " name: app", + "IsCause": true, + "Annotation": "", + "Truncated": 
false, + "Highlighted": "\u001b[0m \u001b[38;5;33mname\u001b[0m: app", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 88, + "Content": " protocol: TCP", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mprotocol\u001b[0m: TCP", + "FirstCause": false, + "LastCause": true + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV012", + "AVDID": "AVD-KSV-0012", + "Title": "Runs as root user", + "Description": "Force the running image to run as a non-root user to ensure least privileges.", + "Message": "Container 'inception' of Deployment 'inception' should set 'securityContext.runAsNonRoot' to true", + "Namespace": "builtin.kubernetes.KSV012", + "Query": "data.builtin.kubernetes.KSV012.deny", + "Resolution": "Set 'containers[].securityContext.runAsNonRoot' to true.", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv012", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", + "https://avd.aquasec.com/misconfig/ksv012" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 81, + "EndLine": 88, + "Code": { + "Lines": [ + { + "Number": 81, + "Content": " image: quay.io/devtron/inception:473deaa4-185-21582", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/inception:473deaa4-185-21582", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 82, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 83, + "Content": " name: inception", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mname\u001b[0m: inception", + 
"FirstCause": false, + "LastCause": false + }, + { + "Number": 84, + "Content": " ports:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mports\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 85, + "Content": " -", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " -", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 86, + "Content": " containerPort: 8080", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m8080", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 87, + "Content": " name: app", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mname\u001b[0m: app", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 88, + "Content": " protocol: TCP", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mprotocol\u001b[0m: TCP", + "FirstCause": false, + "LastCause": true + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV014", + "AVDID": "AVD-KSV-0014", + "Title": "Root file system is not read-only", + "Description": "An immutable root file system prevents applications from writing to their local disk. 
This can limit intrusions, as attackers will not be able to tamper with the file system or write foreign executables to disk.", + "Message": "Container 'inception' of Deployment 'inception' should set 'securityContext.readOnlyRootFilesystem' to true", + "Namespace": "builtin.kubernetes.KSV014", + "Query": "data.builtin.kubernetes.KSV014.deny", + "Resolution": "Change 'containers[].securityContext.readOnlyRootFilesystem' to 'true'.", + "Severity": "HIGH", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv014", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-readonlyrootfilesystem-true/", + "https://avd.aquasec.com/misconfig/ksv014" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 81, + "EndLine": 88, + "Code": { + "Lines": [ + { + "Number": 81, + "Content": " image: quay.io/devtron/inception:473deaa4-185-21582", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/inception:473deaa4-185-21582", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 82, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 83, + "Content": " name: inception", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mname\u001b[0m: inception", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 84, + "Content": " ports:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mports\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 85, + "Content": " -", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " -", + "FirstCause": false, + "LastCause": false + }, + { + 
"Number": 86, + "Content": " containerPort: 8080", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m8080", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 87, + "Content": " name: app", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mname\u001b[0m: app", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 88, + "Content": " protocol: TCP", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mprotocol\u001b[0m: TCP", + "FirstCause": false, + "LastCause": true + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV015", + "AVDID": "AVD-KSV-0015", + "Title": "CPU requests not specified", + "Description": "When containers have resource requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", + "Message": "Container 'inception' of Deployment 'inception' should set 'resources.requests.cpu'", + "Namespace": "builtin.kubernetes.KSV015", + "Query": "data.builtin.kubernetes.KSV015.deny", + "Resolution": "Set 'containers[].resources.requests.cpu'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv015", + "References": [ + "https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", + "https://avd.aquasec.com/misconfig/ksv015" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 81, + "EndLine": 88, + "Code": { + "Lines": [ + { + "Number": 81, + "Content": " image: quay.io/devtron/inception:473deaa4-185-21582", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/inception:473deaa4-185-21582", + "FirstCause": true, + "LastCause": false 
+ }, + { + "Number": 82, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 83, + "Content": " name: inception", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mname\u001b[0m: inception", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 84, + "Content": " ports:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mports\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 85, + "Content": " -", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " -", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 86, + "Content": " containerPort: 8080", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m8080", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 87, + "Content": " name: app", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mname\u001b[0m: app", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 88, + "Content": " protocol: TCP", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mprotocol\u001b[0m: TCP", + "FirstCause": false, + "LastCause": true + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV016", + "AVDID": "AVD-KSV-0016", + "Title": "Memory requests not specified", + "Description": "When containers have memory requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", + "Message": "Container 'inception' of Deployment 'inception' should set 'resources.requests.memory'", + "Namespace": 
"builtin.kubernetes.KSV016", + "Query": "data.builtin.kubernetes.KSV016.deny", + "Resolution": "Set 'containers[].resources.requests.memory'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv016", + "References": [ + "https://kubesec.io/basics/containers-resources-limits-memory/", + "https://avd.aquasec.com/misconfig/ksv016" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 81, + "EndLine": 88, + "Code": { + "Lines": [ + { + "Number": 81, + "Content": " image: quay.io/devtron/inception:473deaa4-185-21582", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/inception:473deaa4-185-21582", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 82, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 83, + "Content": " name: inception", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mname\u001b[0m: inception", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 84, + "Content": " ports:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mports\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 85, + "Content": " -", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " -", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 86, + "Content": " containerPort: 8080", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m8080", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 87, + "Content": " name: app", + "IsCause": true, + 
"Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mname\u001b[0m: app", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 88, + "Content": " protocol: TCP", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mprotocol\u001b[0m: TCP", + "FirstCause": false, + "LastCause": true + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV018", + "AVDID": "AVD-KSV-0018", + "Title": "Memory not limited", + "Description": "Enforcing memory limits prevents DoS via resource exhaustion.", + "Message": "Container 'inception' of Deployment 'inception' should set 'resources.limits.memory'", + "Namespace": "builtin.kubernetes.KSV018", + "Query": "data.builtin.kubernetes.KSV018.deny", + "Resolution": "Set a limit value under 'containers[].resources.limits.memory'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv018", + "References": [ + "https://kubesec.io/basics/containers-resources-limits-memory/", + "https://avd.aquasec.com/misconfig/ksv018" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 81, + "EndLine": 88, + "Code": { + "Lines": [ + { + "Number": 81, + "Content": " image: quay.io/devtron/inception:473deaa4-185-21582", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/inception:473deaa4-185-21582", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 82, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 83, + "Content": " name: inception", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mname\u001b[0m: inception", + "FirstCause": false, 
+ "LastCause": false + }, + { + "Number": 84, + "Content": " ports:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mports\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 85, + "Content": " -", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " -", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 86, + "Content": " containerPort: 8080", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m8080", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 87, + "Content": " name: app", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mname\u001b[0m: app", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 88, + "Content": " protocol: TCP", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mprotocol\u001b[0m: TCP", + "FirstCause": false, + "LastCause": true + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV020", + "AVDID": "AVD-KSV-0020", + "Title": "Runs with UID \u003c= 10000", + "Description": "Force the container to run with user ID \u003e 10000 to avoid conflicts with the host’s user table.", + "Message": "Container 'inception' of Deployment 'inception' should set 'securityContext.runAsUser' \u003e 10000", + "Namespace": "builtin.kubernetes.KSV020", + "Query": "data.builtin.kubernetes.KSV020.deny", + "Resolution": "Set 'containers[].securityContext.runAsUser' to an integer \u003e 10000.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv020", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-runasuser/", + "https://avd.aquasec.com/misconfig/ksv020" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 
81, + "EndLine": 88, + "Code": { + "Lines": [ + { + "Number": 81, + "Content": " image: quay.io/devtron/inception:473deaa4-185-21582", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/inception:473deaa4-185-21582", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 82, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 83, + "Content": " name: inception", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mname\u001b[0m: inception", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 84, + "Content": " ports:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mports\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 85, + "Content": " -", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " -", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 86, + "Content": " containerPort: 8080", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m8080", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 87, + "Content": " name: app", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mname\u001b[0m: app", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 88, + "Content": " protocol: TCP", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mprotocol\u001b[0m: TCP", + "FirstCause": false, + "LastCause": true + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV021", + "AVDID": "AVD-KSV-0021", + "Title": 
"Runs with GID \u003c= 10000", + "Description": "Force the container to run with group ID \u003e 10000 to avoid conflicts with the host’s user table.", + "Message": "Container 'inception' of Deployment 'inception' should set 'securityContext.runAsGroup' \u003e 10000", + "Namespace": "builtin.kubernetes.KSV021", + "Query": "data.builtin.kubernetes.KSV021.deny", + "Resolution": "Set 'containers[].securityContext.runAsGroup' to an integer \u003e 10000.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv021", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-runasuser/", + "https://avd.aquasec.com/misconfig/ksv021" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 81, + "EndLine": 88, + "Code": { + "Lines": [ + { + "Number": 81, + "Content": " image: quay.io/devtron/inception:473deaa4-185-21582", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/inception:473deaa4-185-21582", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 82, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 83, + "Content": " name: inception", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mname\u001b[0m: inception", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 84, + "Content": " ports:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mports\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 85, + "Content": " -", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " -", + "FirstCause": false, + "LastCause": false + }, + { + 
"Number": 86, + "Content": " containerPort: 8080", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m8080", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 87, + "Content": " name: app", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mname\u001b[0m: app", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 88, + "Content": " protocol: TCP", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mprotocol\u001b[0m: TCP", + "FirstCause": false, + "LastCause": true + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV030", + "AVDID": "AVD-KSV-0030", + "Title": "Runtime/Default Seccomp profile not set", + "Description": "According to pod security standard 'Seccomp', the RuntimeDefault seccomp profile must be required, or allow specific additional profiles.", + "Message": "Either Pod or Container should set 'securityContext.seccompProfile.type' to 'RuntimeDefault'", + "Namespace": "builtin.kubernetes.KSV030", + "Query": "data.builtin.kubernetes.KSV030.deny", + "Resolution": "Set 'spec.securityContext.seccompProfile.type', 'spec.containers[*].securityContext.seccompProfile' and 'spec.initContainers[*].securityContext.seccompProfile' to 'RuntimeDefault' or undefined.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv030", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", + "https://avd.aquasec.com/misconfig/ksv030" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 81, + "EndLine": 88, + "Code": { + "Lines": [ + { + "Number": 81, + "Content": " image: quay.io/devtron/inception:473deaa4-185-21582", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " 
\u001b[38;5;33mimage\u001b[0m: quay.io/devtron/inception:473deaa4-185-21582", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 82, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 83, + "Content": " name: inception", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mname\u001b[0m: inception", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 84, + "Content": " ports:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mports\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 85, + "Content": " -", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " -", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 86, + "Content": " containerPort: 8080", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m8080", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 87, + "Content": " name: app", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mname\u001b[0m: app", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 88, + "Content": " protocol: TCP", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mprotocol\u001b[0m: TCP", + "FirstCause": false, + "LastCause": true + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV104", + "AVDID": "AVD-KSV-0104", + "Title": "Seccomp policies disabled", + "Description": "A program inside the container can bypass Seccomp protection policies.", + "Message": "container \"inception\" of deployment \"inception\" in \"devtroncd\" namespace 
should specify a seccomp profile", + "Namespace": "builtin.kubernetes.KSV104", + "Query": "data.builtin.kubernetes.KSV104.deny", + "Resolution": "Specify seccomp either by annotation or by seccomp profile type having allowed values as per pod security standards", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv104", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline", + "https://avd.aquasec.com/misconfig/ksv104" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 56, + "EndLine": 56, + "Code": { + "Lines": [ + { + "Number": 56, + "Content": "---", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "---", + "FirstCause": true, + "LastCause": true + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV106", + "AVDID": "AVD-KSV-0106", + "Title": "Container capabilities must only include NET_BIND_SERVICE", + "Description": "Containers must drop ALL capabilities, and are only permitted to add back the NET_BIND_SERVICE capability.", + "Message": "container should drop all", + "Namespace": "builtin.kubernetes.KSV106", + "Query": "data.builtin.kubernetes.KSV106.deny", + "Resolution": "Set 'spec.containers[*].securityContext.capabilities.drop' to 'ALL' and only add 'NET_BIND_SERVICE' to 'spec.containers[*].securityContext.capabilities.add'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv106", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", + "https://avd.aquasec.com/misconfig/ksv106" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 81, + "EndLine": 88, + "Code": { + "Lines": [ + { + "Number": 81, + "Content": " image: quay.io/devtron/inception:473deaa4-185-21582", + "IsCause": true, + "Annotation": "", + 
"Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/inception:473deaa4-185-21582", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 82, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 83, + "Content": " name: inception", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mname\u001b[0m: inception", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 84, + "Content": " ports:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mports\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 85, + "Content": " -", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " -", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 86, + "Content": " containerPort: 8080", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m8080", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 87, + "Content": " name: app", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mname\u001b[0m: app", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 88, + "Content": " protocol: TCP", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mprotocol\u001b[0m: TCP", + "FirstCause": false, + "LastCause": true + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV111", + "AVDID": "AVD-KSV-0111", + "Title": "User with admin access", + "Description": "Either cluster-admin or those granted powerful permissions.", + "Message": "ClusterRoleBinding 'installer' should not bind to roles 
[\"cluster-admin\", \"admin\", \"edit\"]", + "Namespace": "builtin.kubernetes.KSV111", + "Query": "data.builtin.kubernetes.KSV111.deny", + "Resolution": "Remove binding for clusterrole 'cluster-admin', 'admin' or 'edit'", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv111", + "References": [ + "https://kubernetes.io/docs/concepts/security/rbac-good-practices/", + "https://avd.aquasec.com/misconfig/ksv111" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 10, + "EndLine": 10, + "Code": { + "Lines": [ + { + "Number": 10, + "Content": " name: installer", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mname\u001b[0m: installer", + "FirstCause": true, + "LastCause": true + } + ] + } + } + } + ] + }, + { + "Target": "manifests/updates/devtron-clair-override.yaml", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 153, + "Failures": 0, + "Exceptions": 0 + } + }, + { + "Target": "manifests/updates/devtron-dashboard-override.yaml", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 153, + "Failures": 0, + "Exceptions": 0 + } + }, + { + "Target": "manifests/updates/devtron-external-secret-override.yaml", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 153, + "Failures": 0, + "Exceptions": 0 + } + }, + { + "Target": "manifests/updates/devtron-grafana-override.yaml", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 153, + "Failures": 0, + "Exceptions": 0 + } + }, + { + "Target": "manifests/updates/devtron-guard-override.yaml", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 153, + "Failures": 0, + "Exceptions": 0 + } + }, + { + "Target": "manifests/updates/devtron-kubewatch-override.yaml", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + 
"Successes": 153, + "Failures": 0, + "Exceptions": 0 + } + }, + { + "Target": "manifests/updates/devtron-nats-operator-override.yaml", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 153, + "Failures": 0, + "Exceptions": 0 + } + }, + { + "Target": "manifests/updates/devtron-nats-server-override.yaml", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 153, + "Failures": 0, + "Exceptions": 0 + } + }, + { + "Target": "manifests/updates/devtron-nats-streaming-override.yaml", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 153, + "Failures": 0, + "Exceptions": 0 + } + }, + { + "Target": "manifests/updates/devtron-override-cm.yaml", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 151, + "Failures": 2, + "Exceptions": 0 + }, + "Misconfigurations": [ + { + "Type": "Kubernetes Security Check", + "ID": "AVD-KSV-01010", + "AVDID": "AVD-KSV-01010", + "Title": "ConfigMap with sensitive content", + "Description": "Storing sensitive content such as usernames and email addresses in configMaps is unsafe", + "Message": "ConfigMap 'devtron-override-cm' in 'devtroncd' namespace stores sensitive contents in key(s) or value(s) '{\" CD_NODE_TAINTS_KEY\", \" CI_NODE_TAINTS_KEY\", \"# GRAFANA_USERNAME\"}'", + "Namespace": "builtin.kubernetes.KSV01010", + "Query": "data.builtin.kubernetes.KSV01010.deny", + "Resolution": "Remove sensitive content from configMap data value", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/avd-ksv-01010", + "References": [ + "https://avd.aquasec.com/misconfig/avd-ksv-01010" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "Code": { + "Lines": null + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "AVD-KSV-0109", + "AVDID": "AVD-KSV-0109", + "Title": "ConfigMap with secrets", + "Description": "Storing secrets in configMaps 
is unsafe", + "Message": "ConfigMap 'devtron-override-cm' in 'devtroncd' namespace stores secrets in key(s) or value(s) '{\"# GRAFANA_PASSWORD\"}'", + "Namespace": "builtin.kubernetes.KSV0109", + "Query": "data.builtin.kubernetes.KSV0109.deny", + "Resolution": "Remove password/secret from configMap data value", + "Severity": "HIGH", + "PrimaryURL": "https://avd.aquasec.com/misconfig/avd-ksv-0109", + "References": [ + "https://avd.aquasec.com/misconfig/avd-ksv-0109" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "Code": { + "Lines": null + } + } + } + ] + }, + { + "Target": "manifests/updates/devtron-postgresql-override.yaml", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 153, + "Failures": 0, + "Exceptions": 0 + } + }, + { + "Target": "manifests/updates/devtron-rollout-override.yaml", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 153, + "Failures": 0, + "Exceptions": 0 + } + }, + { + "Target": "manifests/updates/devtron-workflow-override.yaml", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 153, + "Failures": 0, + "Exceptions": 0 + } + }, + { + "Target": "manifests/updates/production/devtron-argocd-override.yaml", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 153, + "Failures": 0, + "Exceptions": 0 + } + }, + { + "Target": "manifests/updates/production/devtron-clair-override.yaml", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 153, + "Failures": 0, + "Exceptions": 0 + } + }, + { + "Target": "manifests/updates/production/devtron-dashboard-override.yaml", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 153, + "Failures": 0, + "Exceptions": 0 + } + }, + { + "Target": "manifests/updates/production/devtron-external-secret-override.yaml", + "Class": "config", + "Type": "kubernetes", + 
"MisconfSummary": { + "Successes": 153, + "Failures": 0, + "Exceptions": 0 + } + }, + { + "Target": "manifests/updates/production/devtron-gitsensor-override.yaml", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 153, + "Failures": 0, + "Exceptions": 0 + } + }, + { + "Target": "manifests/updates/production/devtron-grafana-override.yaml", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 153, + "Failures": 0, + "Exceptions": 0 + } + }, + { + "Target": "manifests/updates/production/devtron-guard-override.yaml", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 153, + "Failures": 0, + "Exceptions": 0 + } + }, + { + "Target": "manifests/updates/production/devtron-image-scanner-override.yaml", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 153, + "Failures": 0, + "Exceptions": 0 + } + }, + { + "Target": "manifests/updates/production/devtron-ingress-override.yaml", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 153, + "Failures": 0, + "Exceptions": 0 + } + }, + { + "Target": "manifests/updates/production/devtron-kubelink-override.yaml", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 153, + "Failures": 0, + "Exceptions": 0 + } + }, + { + "Target": "manifests/updates/production/devtron-kubewatch-override.yaml", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 153, + "Failures": 0, + "Exceptions": 0 + } + }, + { + "Target": "manifests/updates/production/devtron-lens-override.yaml", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 153, + "Failures": 0, + "Exceptions": 0 + } + }, + { + "Target": "manifests/updates/production/devtron-minio-override.yaml", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 151, + "Failures": 2, + "Exceptions": 0 + }, + "Misconfigurations": [ + { + 
"Type": "Kubernetes Security Check", + "ID": "AVD-KSV-01010", + "AVDID": "AVD-KSV-01010", + "Title": "ConfigMap with sensitive content", + "Description": "Storing sensitive content such as usernames and email addresses in configMaps is unsafe", + "Message": "ConfigMap 'minio-override-cm' in 'devtroncd' namespace stores sensitive contents in key(s) or value(s) '{\"# accesskey\", \"# secretkey\"}'", + "Namespace": "builtin.kubernetes.KSV01010", + "Query": "data.builtin.kubernetes.KSV01010.deny", + "Resolution": "Remove sensitive content from configMap data value", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/avd-ksv-01010", + "References": [ + "https://avd.aquasec.com/misconfig/avd-ksv-01010" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "Code": { + "Lines": null + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "AVD-KSV-0109", + "AVDID": "AVD-KSV-0109", + "Title": "ConfigMap with secrets", + "Description": "Storing secrets in configMaps is unsafe", + "Message": "ConfigMap 'minio-override-cm' in 'devtroncd' namespace stores secrets in key(s) or value(s) '{\"# secretkey\"}'", + "Namespace": "builtin.kubernetes.KSV0109", + "Query": "data.builtin.kubernetes.KSV0109.deny", + "Resolution": "Remove password/secret from configMap data value", + "Severity": "HIGH", + "PrimaryURL": "https://avd.aquasec.com/misconfig/avd-ksv-0109", + "References": [ + "https://avd.aquasec.com/misconfig/avd-ksv-0109" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "Code": { + "Lines": null + } + } + } + ] + }, + { + "Target": "manifests/updates/production/devtron-minio-storage-override.yaml", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 151, + "Failures": 2, + "Exceptions": 0 + }, + "Misconfigurations": [ + { + "Type": "Kubernetes Security Check", + "ID": "AVD-KSV-01010", + 
"AVDID": "AVD-KSV-01010", + "Title": "ConfigMap with sensitive content", + "Description": "Storing sensitive content such as usernames and email addresses in configMaps is unsafe", + "Message": "ConfigMap 'minio-storage-override-cm' in 'devtroncd' namespace stores sensitive contents in key(s) or value(s) '{\"# accesskey\", \"# secretkey\"}'", + "Namespace": "builtin.kubernetes.KSV01010", + "Query": "data.builtin.kubernetes.KSV01010.deny", + "Resolution": "Remove sensitive content from configMap data value", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/avd-ksv-01010", + "References": [ + "https://avd.aquasec.com/misconfig/avd-ksv-01010" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "Code": { + "Lines": null + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "AVD-KSV-0109", + "AVDID": "AVD-KSV-0109", + "Title": "ConfigMap with secrets", + "Description": "Storing secrets in configMaps is unsafe", + "Message": "ConfigMap 'minio-storage-override-cm' in 'devtroncd' namespace stores secrets in key(s) or value(s) '{\"# secretkey\"}'", + "Namespace": "builtin.kubernetes.KSV0109", + "Query": "data.builtin.kubernetes.KSV0109.deny", + "Resolution": "Remove password/secret from configMap data value", + "Severity": "HIGH", + "PrimaryURL": "https://avd.aquasec.com/misconfig/avd-ksv-0109", + "References": [ + "https://avd.aquasec.com/misconfig/avd-ksv-0109" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "Code": { + "Lines": null + } + } + } + ] + }, + { + "Target": "manifests/updates/production/devtron-nats-operator-override.yaml", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 153, + "Failures": 0, + "Exceptions": 0 + } + }, + { + "Target": "manifests/updates/production/devtron-nats-server-override.yaml", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": 
{ + "Successes": 153, + "Failures": 0, + "Exceptions": 0 + } + }, + { + "Target": "manifests/updates/production/devtron-nats-streaming-override.yaml", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 153, + "Failures": 0, + "Exceptions": 0 + } + }, + { + "Target": "manifests/updates/production/devtron-notifier-override.yaml", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 153, + "Failures": 0, + "Exceptions": 0 + } + }, + { + "Target": "manifests/updates/production/devtron-override-cm.yaml", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 151, + "Failures": 2, + "Exceptions": 0 + }, + "Misconfigurations": [ + { + "Type": "Kubernetes Security Check", + "ID": "AVD-KSV-01010", + "AVDID": "AVD-KSV-01010", + "Title": "ConfigMap with sensitive content", + "Description": "Storing sensitive content such as usernames and email addresses in configMaps is unsafe", + "Message": "ConfigMap 'devtron-override-cm' in 'devtroncd' namespace stores sensitive contents in key(s) or value(s) '{\" CD_NODE_TAINTS_KEY\", \" CI_NODE_TAINTS_KEY\", \"# GRAFANA_USERNAME\"}'", + "Namespace": "builtin.kubernetes.KSV01010", + "Query": "data.builtin.kubernetes.KSV01010.deny", + "Resolution": "Remove sensitive content from configMap data value", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/avd-ksv-01010", + "References": [ + "https://avd.aquasec.com/misconfig/avd-ksv-01010" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "Code": { + "Lines": null + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "AVD-KSV-0109", + "AVDID": "AVD-KSV-0109", + "Title": "ConfigMap with secrets", + "Description": "Storing secrets in configMaps is unsafe", + "Message": "ConfigMap 'devtron-override-cm' in 'devtroncd' namespace stores secrets in key(s) or value(s) '{\"# GRAFANA_PASSWORD\"}'", + "Namespace": 
"builtin.kubernetes.KSV0109", + "Query": "data.builtin.kubernetes.KSV0109.deny", + "Resolution": "Remove password/secret from configMap data value", + "Severity": "HIGH", + "PrimaryURL": "https://avd.aquasec.com/misconfig/avd-ksv-0109", + "References": [ + "https://avd.aquasec.com/misconfig/avd-ksv-0109" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "Code": { + "Lines": null + } + } + } + ] + }, + { + "Target": "manifests/updates/production/devtron-postgresql-override.yaml", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 153, + "Failures": 0, + "Exceptions": 0 + } + }, + { + "Target": "manifests/updates/production/devtron-rollout-override.yaml", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 153, + "Failures": 0, + "Exceptions": 0 + } + }, + { + "Target": "manifests/updates/production/devtron-workflow-override.yaml", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 153, + "Failures": 0, + "Exceptions": 0 + } + }, + { + "Target": "manifests/yamls/argocd.yaml", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 153, + "Failures": 81, + "Exceptions": 0 + }, + "Misconfigurations": [ + { + "Type": "Kubernetes Security Check", + "ID": "KSV001", + "AVDID": "AVD-KSV-0001", + "Title": "Can elevate its own privileges", + "Description": "A program inside the container can elevate its own privileges and run as root, which might give the program control over the container and node.", + "Message": "Container 'copyutil' of Deployment 'argocd-dex-server' should set 'securityContext.allowPrivilegeEscalation' to false", + "Namespace": "builtin.kubernetes.KSV001", + "Query": "data.builtin.kubernetes.KSV001.deny", + "Resolution": "Set 'set containers[].securityContext.allowPrivilegeEscalation' to 'false'.", + "Severity": "MEDIUM", + "PrimaryURL": 
"https://avd.aquasec.com/misconfig/ksv001", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", + "https://avd.aquasec.com/misconfig/ksv001" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 3006, + "EndLine": 3018, + "Code": { + "Lines": [ + { + "Number": 3006, + "Content": " - command:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mcommand\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 3007, + "Content": " - cp", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - cp", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3008, + "Content": " - -n", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - -\u001b[38;5;166mn", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3009, + "Content": " - /usr/local/bin/argocd", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m - /usr/local/bin/argocd", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3010, + "Content": " - /shared/argocd-dex", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - /shared/argocd-dex", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3011, + "Content": " image: quay.io/argoproj/argocd:v2.4.0", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/argoproj/argocd:v2.4.0", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3012, + "Content": " imagePullPolicy: Always", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: Always", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3013, + "Content": " name: copyutil", + "IsCause": true, + 
"Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mname\u001b[0m: copyutil", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3014, + "Content": " volumeMounts:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvolumeMounts\u001b[0m:", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 3015, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV001", + "AVDID": "AVD-KSV-0001", + "Title": "Can elevate its own privileges", + "Description": "A program inside the container can elevate its own privileges and run as root, which might give the program control over the container and node.", + "Message": "Container 'copyutil' of Deployment 'argocd-repo-server' should set 'securityContext.allowPrivilegeEscalation' to false", + "Namespace": "builtin.kubernetes.KSV001", + "Query": "data.builtin.kubernetes.KSV001.deny", + "Resolution": "Set 'set containers[].securityContext.allowPrivilegeEscalation' to 'false'.", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv001", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", + "https://avd.aquasec.com/misconfig/ksv001" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 3242, + "EndLine": 3251, + "Code": { + "Lines": [ + { + "Number": 3242, + "Content": " - command:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mcommand\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 3243, + "Content": " - cp", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - cp", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3244, + "Content": " 
- -n", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - -\u001b[38;5;166mn", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3245, + "Content": " - /usr/local/bin/argocd", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m - /usr/local/bin/argocd", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3246, + "Content": " - /var/run/argocd/argocd-cmp-server", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - /var/run/argocd/argocd-cmp-server", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3247, + "Content": " image: quay.io/argoproj/argocd:v2.4.0", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/argoproj/argocd:v2.4.0", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3248, + "Content": " name: copyutil", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mname\u001b[0m: copyutil", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3249, + "Content": " volumeMounts:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvolumeMounts\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3250, + "Content": " - mountPath: /var/run/argocd", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mmountPath\u001b[0m: /var/run/argocd", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3251, + "Content": " name: var-files", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mname\u001b[0m: var-files", + "FirstCause": false, + "LastCause": true + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV001", + "AVDID": "AVD-KSV-0001", + "Title": "Can elevate its own privileges", + "Description": "A program 
inside the container can elevate its own privileges and run as root, which might give the program control over the container and node.", + "Message": "Container 'redis' of Deployment 'argocd-redis' should set 'securityContext.allowPrivilegeEscalation' to false", + "Namespace": "builtin.kubernetes.KSV001", + "Query": "data.builtin.kubernetes.KSV001.deny", + "Resolution": "Set 'set containers[].securityContext.allowPrivilegeEscalation' to 'false'.", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv001", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", + "https://avd.aquasec.com/misconfig/ksv001" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 3059, + "EndLine": 3068, + "Code": { + "Lines": [ + { + "Number": 3059, + "Content": " - args:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33margs\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 3060, + "Content": " - --save", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --save", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3061, + "Content": " - \"\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;37m\"\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3062, + "Content": " - --appendonly", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m - --appendonly", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3063, + "Content": " - \"no\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;37m\"no\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3064, + "Content": " image: redis:6.2.6-alpine", + "IsCause": true, + "Annotation": "", + "Truncated": false, + 
"Highlighted": "\u001b[0m \u001b[38;5;33mimage\u001b[0m: redis:6.2.6-alpine", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3065, + "Content": " imagePullPolicy: Always", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: Always", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3066, + "Content": " name: redis", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mname\u001b[0m: redis", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3067, + "Content": " ports:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mports\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3068, + "Content": " - containerPort: 6379", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m6379", + "FirstCause": false, + "LastCause": true + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV003", + "AVDID": "AVD-KSV-0003", + "Title": "Default capabilities: some containers do not drop all", + "Description": "The container should drop all default capabilities and add only those that are needed for its execution.", + "Message": "Container 'copyutil' of Deployment 'argocd-dex-server' should add 'ALL' to 'securityContext.capabilities.drop'", + "Namespace": "builtin.kubernetes.KSV003", + "Query": "data.builtin.kubernetes.KSV003.deny", + "Resolution": "Add 'ALL' to containers[].securityContext.capabilities.drop.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv003", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-capabilities-drop-index-all/", + "https://avd.aquasec.com/misconfig/ksv003" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + 
"StartLine": 3006, + "EndLine": 3018, + "Code": { + "Lines": [ + { + "Number": 3006, + "Content": " - command:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mcommand\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 3007, + "Content": " - cp", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - cp", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3008, + "Content": " - -n", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - -\u001b[38;5;166mn", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3009, + "Content": " - /usr/local/bin/argocd", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m - /usr/local/bin/argocd", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3010, + "Content": " - /shared/argocd-dex", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - /shared/argocd-dex", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3011, + "Content": " image: quay.io/argoproj/argocd:v2.4.0", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/argoproj/argocd:v2.4.0", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3012, + "Content": " imagePullPolicy: Always", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: Always", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3013, + "Content": " name: copyutil", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mname\u001b[0m: copyutil", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3014, + "Content": " volumeMounts:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " 
\u001b[38;5;33mvolumeMounts\u001b[0m:", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 3015, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV003", + "AVDID": "AVD-KSV-0003", + "Title": "Default capabilities: some containers do not drop all", + "Description": "The container should drop all default capabilities and add only those that are needed for its execution.", + "Message": "Container 'copyutil' of Deployment 'argocd-repo-server' should add 'ALL' to 'securityContext.capabilities.drop'", + "Namespace": "builtin.kubernetes.KSV003", + "Query": "data.builtin.kubernetes.KSV003.deny", + "Resolution": "Add 'ALL' to containers[].securityContext.capabilities.drop.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv003", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-capabilities-drop-index-all/", + "https://avd.aquasec.com/misconfig/ksv003" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 3242, + "EndLine": 3251, + "Code": { + "Lines": [ + { + "Number": 3242, + "Content": " - command:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mcommand\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 3243, + "Content": " - cp", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - cp", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3244, + "Content": " - -n", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - -\u001b[38;5;166mn", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3245, + "Content": " - /usr/local/bin/argocd", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m - 
/usr/local/bin/argocd", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3246, + "Content": " - /var/run/argocd/argocd-cmp-server", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - /var/run/argocd/argocd-cmp-server", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3247, + "Content": " image: quay.io/argoproj/argocd:v2.4.0", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/argoproj/argocd:v2.4.0", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3248, + "Content": " name: copyutil", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mname\u001b[0m: copyutil", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3249, + "Content": " volumeMounts:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvolumeMounts\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3250, + "Content": " - mountPath: /var/run/argocd", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mmountPath\u001b[0m: /var/run/argocd", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3251, + "Content": " name: var-files", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mname\u001b[0m: var-files", + "FirstCause": false, + "LastCause": true + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV003", + "AVDID": "AVD-KSV-0003", + "Title": "Default capabilities: some containers do not drop all", + "Description": "The container should drop all default capabilities and add only those that are needed for its execution.", + "Message": "Container 'dex' of Deployment 'argocd-dex-server' should add 'ALL' to 'securityContext.capabilities.drop'", + "Namespace": "builtin.kubernetes.KSV003", + "Query": 
"data.builtin.kubernetes.KSV003.deny", + "Resolution": "Add 'ALL' to containers[].securityContext.capabilities.drop.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv003", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-capabilities-drop-index-all/", + "https://avd.aquasec.com/misconfig/ksv003" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 2986, + "EndLine": 3004, + "Code": { + "Lines": [ + { + "Number": 2986, + "Content": " - command:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mcommand\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 2987, + "Content": " - /shared/argocd-dex", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - /shared/argocd-dex", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 2988, + "Content": " - rundex", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - rundex", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 2989, + "Content": " image: ghcr.io/dexidp/dex:v2.30.2", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: ghcr.io/dexidp/dex:v2.30.2", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 2990, + "Content": " imagePullPolicy: Always", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: Always", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 2991, + "Content": " name: dex", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mname\u001b[0m: dex", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 2992, + "Content": " ports:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " 
\u001b[38;5;33mports\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 2993, + "Content": " - containerPort: 5556", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m5556", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 2994, + "Content": " - containerPort: 5557", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m - \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m5557", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 2995, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV003", + "AVDID": "AVD-KSV-0003", + "Title": "Default capabilities: some containers do not drop all", + "Description": "The container should drop all default capabilities and add only those that are needed for its execution.", + "Message": "Container 'redis' of Deployment 'argocd-redis' should add 'ALL' to 'securityContext.capabilities.drop'", + "Namespace": "builtin.kubernetes.KSV003", + "Query": "data.builtin.kubernetes.KSV003.deny", + "Resolution": "Add 'ALL' to containers[].securityContext.capabilities.drop.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv003", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-capabilities-drop-index-all/", + "https://avd.aquasec.com/misconfig/ksv003" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 3059, + "EndLine": 3068, + "Code": { + "Lines": [ + { + "Number": 3059, + "Content": " - args:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33margs\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 3060, + "Content": " - 
--save", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --save", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3061, + "Content": " - \"\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;37m\"\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3062, + "Content": " - --appendonly", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m - --appendonly", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3063, + "Content": " - \"no\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;37m\"no\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3064, + "Content": " image: redis:6.2.6-alpine", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mimage\u001b[0m: redis:6.2.6-alpine", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3065, + "Content": " imagePullPolicy: Always", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: Always", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3066, + "Content": " name: redis", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mname\u001b[0m: redis", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3067, + "Content": " ports:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mports\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3068, + "Content": " - containerPort: 6379", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m6379", + "FirstCause": false, + "LastCause": true + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + 
"ID": "KSV011", + "AVDID": "AVD-KSV-0011", + "Title": "CPU not limited", + "Description": "Enforcing CPU limits prevents DoS via resource exhaustion.", + "Message": "Container 'argocd-application-controller' of StatefulSet 'argocd-application-controller' should set 'resources.limits.cpu'", + "Namespace": "builtin.kubernetes.KSV011", + "Query": "data.builtin.kubernetes.KSV011.deny", + "Resolution": "Set a limit value under 'containers[].resources.limits.cpu'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv011", + "References": [ + "https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", + "https://avd.aquasec.com/misconfig/ksv011" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 3567, + "EndLine": 3699, + "Code": { + "Lines": [ + { + "Number": 3567, + "Content": " - command:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mcommand\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 3568, + "Content": " - argocd-application-controller", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - argocd-application-controller", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3569, + "Content": " - --operation-processors", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --operation-processors", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3570, + "Content": " - \"25\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;37m\"25\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3571, + "Content": " - --status-processors", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m - --status-processors", + "FirstCause": false, + "LastCause": false + 
}, + { + "Number": 3572, + "Content": " - \"50\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;37m\"50\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3573, + "Content": " - --kubectl-parallelism-limit", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m - --kubectl-parallelism-limit", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3574, + "Content": " - \"35\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;37m\"35\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3575, + "Content": " - --repo-server-timeout-seconds", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m - --repo-server-timeout-seconds", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 3576, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV011", + "AVDID": "AVD-KSV-0011", + "Title": "CPU not limited", + "Description": "Enforcing CPU limits prevents DoS via resource exhaustion.", + "Message": "Container 'argocd-repo-server' of Deployment 'argocd-repo-server' should set 'resources.limits.cpu'", + "Namespace": "builtin.kubernetes.KSV011", + "Query": "data.builtin.kubernetes.KSV011.deny", + "Resolution": "Set a limit value under 'containers[].resources.limits.cpu'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv011", + "References": [ + "https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", + "https://avd.aquasec.com/misconfig/ksv011" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 3108, + "EndLine": 3240, + "Code": { + "Lines": [ + { + 
"Number": 3108, + "Content": " - command:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mcommand\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 3109, + "Content": " - entrypoint.sh", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - entrypoint.sh", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3110, + "Content": " - argocd-repo-server", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - argocd-repo-server", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3111, + "Content": " - --redis", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --redis", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3112, + "Content": " - argocd-redis:6379", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - argocd-redis:6379", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3113, + "Content": " - --repo-cache-expiration", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --repo-cache-expiration", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3114, + "Content": " - 24h", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - 24h", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3115, + "Content": " - --parallelismlimit", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --parallelismlimit", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3116, + "Content": " - \"50\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;37m\"50\"", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 3117, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + 
} + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV011", + "AVDID": "AVD-KSV-0011", + "Title": "CPU not limited", + "Description": "Enforcing CPU limits prevents DoS via resource exhaustion.", + "Message": "Container 'argocd-server' of Deployment 'argocd-server' should set 'resources.limits.cpu'", + "Namespace": "builtin.kubernetes.KSV011", + "Query": "data.builtin.kubernetes.KSV011.deny", + "Resolution": "Set a limit value under 'containers[].resources.limits.cpu'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv011", + "References": [ + "https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", + "https://avd.aquasec.com/misconfig/ksv011" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 3317, + "EndLine": 3505, + "Code": { + "Lines": [ + { + "Number": 3317, + "Content": " - command:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mcommand\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 3318, + "Content": " - argocd-server", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - argocd-server", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3319, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3320, + "Content": " - name: ARGOCD_SERVER_INSECURE", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: ARGOCD_SERVER_INSECURE", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3321, + "Content": " valueFrom:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalueFrom\u001b[0m:", + "FirstCause": false, + 
"LastCause": false + }, + { + "Number": 3322, + "Content": " configMapKeyRef:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mconfigMapKeyRef\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3323, + "Content": " key: server.insecure", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mkey\u001b[0m: server.insecure", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3324, + "Content": " name: argocd-cmd-params-cm", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mname\u001b[0m: argocd-cmd-params-cm", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3325, + "Content": " optional: true", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33moptional\u001b[0m: \u001b[38;5;166mtrue", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 3326, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV011", + "AVDID": "AVD-KSV-0011", + "Title": "CPU not limited", + "Description": "Enforcing CPU limits prevents DoS via resource exhaustion.", + "Message": "Container 'copyutil' of Deployment 'argocd-dex-server' should set 'resources.limits.cpu'", + "Namespace": "builtin.kubernetes.KSV011", + "Query": "data.builtin.kubernetes.KSV011.deny", + "Resolution": "Set a limit value under 'containers[].resources.limits.cpu'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv011", + "References": [ + "https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", + "https://avd.aquasec.com/misconfig/ksv011" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + 
"StartLine": 3006, + "EndLine": 3018, + "Code": { + "Lines": [ + { + "Number": 3006, + "Content": " - command:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mcommand\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 3007, + "Content": " - cp", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - cp", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3008, + "Content": " - -n", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - -\u001b[38;5;166mn", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3009, + "Content": " - /usr/local/bin/argocd", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m - /usr/local/bin/argocd", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3010, + "Content": " - /shared/argocd-dex", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - /shared/argocd-dex", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3011, + "Content": " image: quay.io/argoproj/argocd:v2.4.0", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/argoproj/argocd:v2.4.0", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3012, + "Content": " imagePullPolicy: Always", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: Always", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3013, + "Content": " name: copyutil", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mname\u001b[0m: copyutil", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3014, + "Content": " volumeMounts:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " 
\u001b[38;5;33mvolumeMounts\u001b[0m:", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 3015, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV011", + "AVDID": "AVD-KSV-0011", + "Title": "CPU not limited", + "Description": "Enforcing CPU limits prevents DoS via resource exhaustion.", + "Message": "Container 'copyutil' of Deployment 'argocd-repo-server' should set 'resources.limits.cpu'", + "Namespace": "builtin.kubernetes.KSV011", + "Query": "data.builtin.kubernetes.KSV011.deny", + "Resolution": "Set a limit value under 'containers[].resources.limits.cpu'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv011", + "References": [ + "https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", + "https://avd.aquasec.com/misconfig/ksv011" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 3242, + "EndLine": 3251, + "Code": { + "Lines": [ + { + "Number": 3242, + "Content": " - command:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mcommand\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 3243, + "Content": " - cp", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - cp", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3244, + "Content": " - -n", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - -\u001b[38;5;166mn", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3245, + "Content": " - /usr/local/bin/argocd", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m - /usr/local/bin/argocd", + "FirstCause": false, + "LastCause": false + }, + { + 
"Number": 3246, + "Content": " - /var/run/argocd/argocd-cmp-server", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - /var/run/argocd/argocd-cmp-server", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3247, + "Content": " image: quay.io/argoproj/argocd:v2.4.0", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/argoproj/argocd:v2.4.0", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3248, + "Content": " name: copyutil", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mname\u001b[0m: copyutil", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3249, + "Content": " volumeMounts:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvolumeMounts\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3250, + "Content": " - mountPath: /var/run/argocd", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mmountPath\u001b[0m: /var/run/argocd", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3251, + "Content": " name: var-files", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mname\u001b[0m: var-files", + "FirstCause": false, + "LastCause": true + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV011", + "AVDID": "AVD-KSV-0011", + "Title": "CPU not limited", + "Description": "Enforcing CPU limits prevents DoS via resource exhaustion.", + "Message": "Container 'dex' of Deployment 'argocd-dex-server' should set 'resources.limits.cpu'", + "Namespace": "builtin.kubernetes.KSV011", + "Query": "data.builtin.kubernetes.KSV011.deny", + "Resolution": "Set a limit value under 'containers[].resources.limits.cpu'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv011", + 
"References": [ + "https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", + "https://avd.aquasec.com/misconfig/ksv011" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 2986, + "EndLine": 3004, + "Code": { + "Lines": [ + { + "Number": 2986, + "Content": " - command:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mcommand\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 2987, + "Content": " - /shared/argocd-dex", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - /shared/argocd-dex", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 2988, + "Content": " - rundex", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - rundex", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 2989, + "Content": " image: ghcr.io/dexidp/dex:v2.30.2", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: ghcr.io/dexidp/dex:v2.30.2", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 2990, + "Content": " imagePullPolicy: Always", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: Always", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 2991, + "Content": " name: dex", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mname\u001b[0m: dex", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 2992, + "Content": " ports:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mports\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 2993, + "Content": " - containerPort: 5556", + "IsCause": true, + "Annotation": 
"", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m5556", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 2994, + "Content": " - containerPort: 5557", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m - \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m5557", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 2995, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV011", + "AVDID": "AVD-KSV-0011", + "Title": "CPU not limited", + "Description": "Enforcing CPU limits prevents DoS via resource exhaustion.", + "Message": "Container 'redis' of Deployment 'argocd-redis' should set 'resources.limits.cpu'", + "Namespace": "builtin.kubernetes.KSV011", + "Query": "data.builtin.kubernetes.KSV011.deny", + "Resolution": "Set a limit value under 'containers[].resources.limits.cpu'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv011", + "References": [ + "https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", + "https://avd.aquasec.com/misconfig/ksv011" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 3059, + "EndLine": 3068, + "Code": { + "Lines": [ + { + "Number": 3059, + "Content": " - args:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33margs\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 3060, + "Content": " - --save", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --save", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3061, + "Content": " - \"\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + 
"Highlighted": " - \u001b[38;5;37m\"\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3062, + "Content": " - --appendonly", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m - --appendonly", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3063, + "Content": " - \"no\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;37m\"no\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3064, + "Content": " image: redis:6.2.6-alpine", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mimage\u001b[0m: redis:6.2.6-alpine", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3065, + "Content": " imagePullPolicy: Always", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: Always", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3066, + "Content": " name: redis", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mname\u001b[0m: redis", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3067, + "Content": " ports:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mports\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3068, + "Content": " - containerPort: 6379", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m6379", + "FirstCause": false, + "LastCause": true + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV012", + "AVDID": "AVD-KSV-0012", + "Title": "Runs as root user", + "Description": "Force the running image to run as a non-root user to ensure least privileges.", + "Message": "Container 'copyutil' of Deployment 'argocd-dex-server' should set 
'securityContext.runAsNonRoot' to true", + "Namespace": "builtin.kubernetes.KSV012", + "Query": "data.builtin.kubernetes.KSV012.deny", + "Resolution": "Set 'containers[].securityContext.runAsNonRoot' to true.", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv012", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", + "https://avd.aquasec.com/misconfig/ksv012" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 3006, + "EndLine": 3018, + "Code": { + "Lines": [ + { + "Number": 3006, + "Content": " - command:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mcommand\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 3007, + "Content": " - cp", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - cp", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3008, + "Content": " - -n", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - -\u001b[38;5;166mn", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3009, + "Content": " - /usr/local/bin/argocd", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m - /usr/local/bin/argocd", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3010, + "Content": " - /shared/argocd-dex", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - /shared/argocd-dex", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3011, + "Content": " image: quay.io/argoproj/argocd:v2.4.0", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/argoproj/argocd:v2.4.0", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3012, + "Content": " imagePullPolicy: Always", + "IsCause": 
true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: Always", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3013, + "Content": " name: copyutil", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mname\u001b[0m: copyutil", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3014, + "Content": " volumeMounts:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvolumeMounts\u001b[0m:", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 3015, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV012", + "AVDID": "AVD-KSV-0012", + "Title": "Runs as root user", + "Description": "Force the running image to run as a non-root user to ensure least privileges.", + "Message": "Container 'copyutil' of Deployment 'argocd-repo-server' should set 'securityContext.runAsNonRoot' to true", + "Namespace": "builtin.kubernetes.KSV012", + "Query": "data.builtin.kubernetes.KSV012.deny", + "Resolution": "Set 'containers[].securityContext.runAsNonRoot' to true.", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv012", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", + "https://avd.aquasec.com/misconfig/ksv012" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 3242, + "EndLine": 3251, + "Code": { + "Lines": [ + { + "Number": 3242, + "Content": " - command:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mcommand\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 3243, + "Content": " - cp", + "IsCause": true, + "Annotation": "", + 
"Truncated": false, + "Highlighted": " - cp", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3244, + "Content": " - -n", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - -\u001b[38;5;166mn", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3245, + "Content": " - /usr/local/bin/argocd", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m - /usr/local/bin/argocd", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3246, + "Content": " - /var/run/argocd/argocd-cmp-server", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - /var/run/argocd/argocd-cmp-server", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3247, + "Content": " image: quay.io/argoproj/argocd:v2.4.0", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/argoproj/argocd:v2.4.0", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3248, + "Content": " name: copyutil", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mname\u001b[0m: copyutil", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3249, + "Content": " volumeMounts:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvolumeMounts\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3250, + "Content": " - mountPath: /var/run/argocd", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mmountPath\u001b[0m: /var/run/argocd", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3251, + "Content": " name: var-files", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mname\u001b[0m: var-files", + "FirstCause": false, + "LastCause": true + } + ] + } + } + }, + { + "Type": "Kubernetes 
Security Check", + "ID": "KSV014", + "AVDID": "AVD-KSV-0014", + "Title": "Root file system is not read-only", + "Description": "An immutable root file system prevents applications from writing to their local disk. This can limit intrusions, as attackers will not be able to tamper with the file system or write foreign executables to disk.", + "Message": "Container 'copyutil' of Deployment 'argocd-dex-server' should set 'securityContext.readOnlyRootFilesystem' to true", + "Namespace": "builtin.kubernetes.KSV014", + "Query": "data.builtin.kubernetes.KSV014.deny", + "Resolution": "Change 'containers[].securityContext.readOnlyRootFilesystem' to 'true'.", + "Severity": "HIGH", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv014", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-readonlyrootfilesystem-true/", + "https://avd.aquasec.com/misconfig/ksv014" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 3006, + "EndLine": 3018, + "Code": { + "Lines": [ + { + "Number": 3006, + "Content": " - command:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mcommand\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 3007, + "Content": " - cp", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - cp", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3008, + "Content": " - -n", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - -\u001b[38;5;166mn", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3009, + "Content": " - /usr/local/bin/argocd", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m - /usr/local/bin/argocd", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3010, + "Content": " - /shared/argocd-dex", + "IsCause": true, + "Annotation": "", + "Truncated": 
false, + "Highlighted": " - /shared/argocd-dex", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3011, + "Content": " image: quay.io/argoproj/argocd:v2.4.0", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/argoproj/argocd:v2.4.0", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3012, + "Content": " imagePullPolicy: Always", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: Always", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3013, + "Content": " name: copyutil", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mname\u001b[0m: copyutil", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3014, + "Content": " volumeMounts:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvolumeMounts\u001b[0m:", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 3015, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV014", + "AVDID": "AVD-KSV-0014", + "Title": "Root file system is not read-only", + "Description": "An immutable root file system prevents applications from writing to their local disk. 
This can limit intrusions, as attackers will not be able to tamper with the file system or write foreign executables to disk.", + "Message": "Container 'copyutil' of Deployment 'argocd-repo-server' should set 'securityContext.readOnlyRootFilesystem' to true", + "Namespace": "builtin.kubernetes.KSV014", + "Query": "data.builtin.kubernetes.KSV014.deny", + "Resolution": "Change 'containers[].securityContext.readOnlyRootFilesystem' to 'true'.", + "Severity": "HIGH", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv014", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-readonlyrootfilesystem-true/", + "https://avd.aquasec.com/misconfig/ksv014" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 3242, + "EndLine": 3251, + "Code": { + "Lines": [ + { + "Number": 3242, + "Content": " - command:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mcommand\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 3243, + "Content": " - cp", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - cp", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3244, + "Content": " - -n", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - -\u001b[38;5;166mn", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3245, + "Content": " - /usr/local/bin/argocd", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m - /usr/local/bin/argocd", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3246, + "Content": " - /var/run/argocd/argocd-cmp-server", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - /var/run/argocd/argocd-cmp-server", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3247, + "Content": " image: quay.io/argoproj/argocd:v2.4.0", + 
"IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/argoproj/argocd:v2.4.0", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3248, + "Content": " name: copyutil", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mname\u001b[0m: copyutil", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3249, + "Content": " volumeMounts:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvolumeMounts\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3250, + "Content": " - mountPath: /var/run/argocd", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mmountPath\u001b[0m: /var/run/argocd", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3251, + "Content": " name: var-files", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mname\u001b[0m: var-files", + "FirstCause": false, + "LastCause": true + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV014", + "AVDID": "AVD-KSV-0014", + "Title": "Root file system is not read-only", + "Description": "An immutable root file system prevents applications from writing to their local disk. 
This can limit intrusions, as attackers will not be able to tamper with the file system or write foreign executables to disk.", + "Message": "Container 'redis' of Deployment 'argocd-redis' should set 'securityContext.readOnlyRootFilesystem' to true", + "Namespace": "builtin.kubernetes.KSV014", + "Query": "data.builtin.kubernetes.KSV014.deny", + "Resolution": "Change 'containers[].securityContext.readOnlyRootFilesystem' to 'true'.", + "Severity": "HIGH", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv014", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-readonlyrootfilesystem-true/", + "https://avd.aquasec.com/misconfig/ksv014" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 3059, + "EndLine": 3068, + "Code": { + "Lines": [ + { + "Number": 3059, + "Content": " - args:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33margs\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 3060, + "Content": " - --save", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --save", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3061, + "Content": " - \"\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;37m\"\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3062, + "Content": " - --appendonly", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m - --appendonly", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3063, + "Content": " - \"no\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;37m\"no\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3064, + "Content": " image: redis:6.2.6-alpine", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": 
"\u001b[0m \u001b[38;5;33mimage\u001b[0m: redis:6.2.6-alpine", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3065, + "Content": " imagePullPolicy: Always", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: Always", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3066, + "Content": " name: redis", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mname\u001b[0m: redis", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3067, + "Content": " ports:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mports\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3068, + "Content": " - containerPort: 6379", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m6379", + "FirstCause": false, + "LastCause": true + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV015", + "AVDID": "AVD-KSV-0015", + "Title": "CPU requests not specified", + "Description": "When containers have resource requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", + "Message": "Container 'argocd-application-controller' of StatefulSet 'argocd-application-controller' should set 'resources.requests.cpu'", + "Namespace": "builtin.kubernetes.KSV015", + "Query": "data.builtin.kubernetes.KSV015.deny", + "Resolution": "Set 'containers[].resources.requests.cpu'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv015", + "References": [ + "https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", + "https://avd.aquasec.com/misconfig/ksv015" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + 
"Provider": "Kubernetes", + "Service": "general", + "StartLine": 3567, + "EndLine": 3699, + "Code": { + "Lines": [ + { + "Number": 3567, + "Content": " - command:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mcommand\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 3568, + "Content": " - argocd-application-controller", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - argocd-application-controller", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3569, + "Content": " - --operation-processors", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --operation-processors", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3570, + "Content": " - \"25\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;37m\"25\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3571, + "Content": " - --status-processors", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m - --status-processors", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3572, + "Content": " - \"50\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;37m\"50\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3573, + "Content": " - --kubectl-parallelism-limit", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m - --kubectl-parallelism-limit", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3574, + "Content": " - \"35\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;37m\"35\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3575, + "Content": " - --repo-server-timeout-seconds", + "IsCause": true, + "Annotation": "", + "Truncated": false, + 
"Highlighted": "\u001b[0m - --repo-server-timeout-seconds", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 3576, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV015", + "AVDID": "AVD-KSV-0015", + "Title": "CPU requests not specified", + "Description": "When containers have resource requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", + "Message": "Container 'argocd-repo-server' of Deployment 'argocd-repo-server' should set 'resources.requests.cpu'", + "Namespace": "builtin.kubernetes.KSV015", + "Query": "data.builtin.kubernetes.KSV015.deny", + "Resolution": "Set 'containers[].resources.requests.cpu'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv015", + "References": [ + "https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", + "https://avd.aquasec.com/misconfig/ksv015" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 3108, + "EndLine": 3240, + "Code": { + "Lines": [ + { + "Number": 3108, + "Content": " - command:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mcommand\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 3109, + "Content": " - entrypoint.sh", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - entrypoint.sh", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3110, + "Content": " - argocd-repo-server", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - argocd-repo-server", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3111, + "Content": " - --redis", + "IsCause": 
true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --redis", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3112, + "Content": " - argocd-redis:6379", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - argocd-redis:6379", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3113, + "Content": " - --repo-cache-expiration", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --repo-cache-expiration", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3114, + "Content": " - 24h", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - 24h", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3115, + "Content": " - --parallelismlimit", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --parallelismlimit", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3116, + "Content": " - \"50\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;37m\"50\"", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 3117, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV015", + "AVDID": "AVD-KSV-0015", + "Title": "CPU requests not specified", + "Description": "When containers have resource requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", + "Message": "Container 'argocd-server' of Deployment 'argocd-server' should set 'resources.requests.cpu'", + "Namespace": "builtin.kubernetes.KSV015", + "Query": "data.builtin.kubernetes.KSV015.deny", + "Resolution": "Set 'containers[].resources.requests.cpu'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv015", + "References": 
[ + "https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", + "https://avd.aquasec.com/misconfig/ksv015" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 3317, + "EndLine": 3505, + "Code": { + "Lines": [ + { + "Number": 3317, + "Content": " - command:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mcommand\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 3318, + "Content": " - argocd-server", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - argocd-server", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3319, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3320, + "Content": " - name: ARGOCD_SERVER_INSECURE", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: ARGOCD_SERVER_INSECURE", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3321, + "Content": " valueFrom:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalueFrom\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3322, + "Content": " configMapKeyRef:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mconfigMapKeyRef\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3323, + "Content": " key: server.insecure", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mkey\u001b[0m: server.insecure", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3324, + "Content": " name: argocd-cmd-params-cm", + "IsCause": true, + 
"Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mname\u001b[0m: argocd-cmd-params-cm", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3325, + "Content": " optional: true", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33moptional\u001b[0m: \u001b[38;5;166mtrue", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 3326, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV015", + "AVDID": "AVD-KSV-0015", + "Title": "CPU requests not specified", + "Description": "When containers have resource requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", + "Message": "Container 'copyutil' of Deployment 'argocd-dex-server' should set 'resources.requests.cpu'", + "Namespace": "builtin.kubernetes.KSV015", + "Query": "data.builtin.kubernetes.KSV015.deny", + "Resolution": "Set 'containers[].resources.requests.cpu'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv015", + "References": [ + "https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", + "https://avd.aquasec.com/misconfig/ksv015" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 3006, + "EndLine": 3018, + "Code": { + "Lines": [ + { + "Number": 3006, + "Content": " - command:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mcommand\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 3007, + "Content": " - cp", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - cp", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 
3008, + "Content": " - -n", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - -\u001b[38;5;166mn", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3009, + "Content": " - /usr/local/bin/argocd", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m - /usr/local/bin/argocd", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3010, + "Content": " - /shared/argocd-dex", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - /shared/argocd-dex", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3011, + "Content": " image: quay.io/argoproj/argocd:v2.4.0", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/argoproj/argocd:v2.4.0", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3012, + "Content": " imagePullPolicy: Always", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: Always", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3013, + "Content": " name: copyutil", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mname\u001b[0m: copyutil", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3014, + "Content": " volumeMounts:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvolumeMounts\u001b[0m:", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 3015, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV015", + "AVDID": "AVD-KSV-0015", + "Title": "CPU requests not specified", + "Description": "When containers have resource requests specified, the scheduler can make better decisions about which nodes to 
place pods on, and how to deal with resource contention.", + "Message": "Container 'copyutil' of Deployment 'argocd-repo-server' should set 'resources.requests.cpu'", + "Namespace": "builtin.kubernetes.KSV015", + "Query": "data.builtin.kubernetes.KSV015.deny", + "Resolution": "Set 'containers[].resources.requests.cpu'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv015", + "References": [ + "https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", + "https://avd.aquasec.com/misconfig/ksv015" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 3242, + "EndLine": 3251, + "Code": { + "Lines": [ + { + "Number": 3242, + "Content": " - command:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mcommand\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 3243, + "Content": " - cp", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - cp", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3244, + "Content": " - -n", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - -\u001b[38;5;166mn", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3245, + "Content": " - /usr/local/bin/argocd", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m - /usr/local/bin/argocd", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3246, + "Content": " - /var/run/argocd/argocd-cmp-server", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - /var/run/argocd/argocd-cmp-server", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3247, + "Content": " image: quay.io/argoproj/argocd:v2.4.0", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " 
\u001b[38;5;33mimage\u001b[0m: quay.io/argoproj/argocd:v2.4.0", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3248, + "Content": " name: copyutil", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mname\u001b[0m: copyutil", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3249, + "Content": " volumeMounts:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvolumeMounts\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3250, + "Content": " - mountPath: /var/run/argocd", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mmountPath\u001b[0m: /var/run/argocd", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3251, + "Content": " name: var-files", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mname\u001b[0m: var-files", + "FirstCause": false, + "LastCause": true + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV015", + "AVDID": "AVD-KSV-0015", + "Title": "CPU requests not specified", + "Description": "When containers have resource requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", + "Message": "Container 'dex' of Deployment 'argocd-dex-server' should set 'resources.requests.cpu'", + "Namespace": "builtin.kubernetes.KSV015", + "Query": "data.builtin.kubernetes.KSV015.deny", + "Resolution": "Set 'containers[].resources.requests.cpu'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv015", + "References": [ + "https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", + "https://avd.aquasec.com/misconfig/ksv015" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": 
"general", + "StartLine": 2986, + "EndLine": 3004, + "Code": { + "Lines": [ + { + "Number": 2986, + "Content": " - command:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mcommand\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 2987, + "Content": " - /shared/argocd-dex", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - /shared/argocd-dex", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 2988, + "Content": " - rundex", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - rundex", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 2989, + "Content": " image: ghcr.io/dexidp/dex:v2.30.2", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: ghcr.io/dexidp/dex:v2.30.2", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 2990, + "Content": " imagePullPolicy: Always", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: Always", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 2991, + "Content": " name: dex", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mname\u001b[0m: dex", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 2992, + "Content": " ports:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mports\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 2993, + "Content": " - containerPort: 5556", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m5556", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 2994, + "Content": " - containerPort: 5557", + "IsCause": true, + "Annotation": "", + "Truncated": false, + 
"Highlighted": "\u001b[0m - \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m5557", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 2995, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV015", + "AVDID": "AVD-KSV-0015", + "Title": "CPU requests not specified", + "Description": "When containers have resource requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", + "Message": "Container 'redis' of Deployment 'argocd-redis' should set 'resources.requests.cpu'", + "Namespace": "builtin.kubernetes.KSV015", + "Query": "data.builtin.kubernetes.KSV015.deny", + "Resolution": "Set 'containers[].resources.requests.cpu'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv015", + "References": [ + "https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", + "https://avd.aquasec.com/misconfig/ksv015" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 3059, + "EndLine": 3068, + "Code": { + "Lines": [ + { + "Number": 3059, + "Content": " - args:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33margs\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 3060, + "Content": " - --save", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --save", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3061, + "Content": " - \"\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;37m\"\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3062, + "Content": " - --appendonly", + "IsCause": true, + 
"Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m - --appendonly", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3063, + "Content": " - \"no\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;37m\"no\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3064, + "Content": " image: redis:6.2.6-alpine", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mimage\u001b[0m: redis:6.2.6-alpine", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3065, + "Content": " imagePullPolicy: Always", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: Always", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3066, + "Content": " name: redis", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mname\u001b[0m: redis", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3067, + "Content": " ports:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mports\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3068, + "Content": " - containerPort: 6379", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m6379", + "FirstCause": false, + "LastCause": true + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV016", + "AVDID": "AVD-KSV-0016", + "Title": "Memory requests not specified", + "Description": "When containers have memory requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", + "Message": "Container 'argocd-application-controller' of StatefulSet 'argocd-application-controller' should set 'resources.requests.memory'", + 
"Namespace": "builtin.kubernetes.KSV016", + "Query": "data.builtin.kubernetes.KSV016.deny", + "Resolution": "Set 'containers[].resources.requests.memory'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv016", + "References": [ + "https://kubesec.io/basics/containers-resources-limits-memory/", + "https://avd.aquasec.com/misconfig/ksv016" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 3567, + "EndLine": 3699, + "Code": { + "Lines": [ + { + "Number": 3567, + "Content": " - command:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mcommand\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 3568, + "Content": " - argocd-application-controller", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - argocd-application-controller", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3569, + "Content": " - --operation-processors", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --operation-processors", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3570, + "Content": " - \"25\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;37m\"25\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3571, + "Content": " - --status-processors", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m - --status-processors", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3572, + "Content": " - \"50\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;37m\"50\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3573, + "Content": " - --kubectl-parallelism-limit", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": 
"\u001b[0m - --kubectl-parallelism-limit", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3574, + "Content": " - \"35\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;37m\"35\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3575, + "Content": " - --repo-server-timeout-seconds", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m - --repo-server-timeout-seconds", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 3576, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV016", + "AVDID": "AVD-KSV-0016", + "Title": "Memory requests not specified", + "Description": "When containers have memory requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", + "Message": "Container 'argocd-repo-server' of Deployment 'argocd-repo-server' should set 'resources.requests.memory'", + "Namespace": "builtin.kubernetes.KSV016", + "Query": "data.builtin.kubernetes.KSV016.deny", + "Resolution": "Set 'containers[].resources.requests.memory'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv016", + "References": [ + "https://kubesec.io/basics/containers-resources-limits-memory/", + "https://avd.aquasec.com/misconfig/ksv016" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 3108, + "EndLine": 3240, + "Code": { + "Lines": [ + { + "Number": 3108, + "Content": " - command:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mcommand\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 3109, + "Content": " - entrypoint.sh", + "IsCause": true, + "Annotation": "", + 
"Truncated": false, + "Highlighted": " - entrypoint.sh", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3110, + "Content": " - argocd-repo-server", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - argocd-repo-server", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3111, + "Content": " - --redis", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --redis", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3112, + "Content": " - argocd-redis:6379", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - argocd-redis:6379", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3113, + "Content": " - --repo-cache-expiration", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --repo-cache-expiration", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3114, + "Content": " - 24h", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - 24h", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3115, + "Content": " - --parallelismlimit", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --parallelismlimit", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3116, + "Content": " - \"50\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;37m\"50\"", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 3117, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV016", + "AVDID": "AVD-KSV-0016", + "Title": "Memory requests not specified", + "Description": "When containers have memory requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with 
resource contention.", + "Message": "Container 'argocd-server' of Deployment 'argocd-server' should set 'resources.requests.memory'", + "Namespace": "builtin.kubernetes.KSV016", + "Query": "data.builtin.kubernetes.KSV016.deny", + "Resolution": "Set 'containers[].resources.requests.memory'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv016", + "References": [ + "https://kubesec.io/basics/containers-resources-limits-memory/", + "https://avd.aquasec.com/misconfig/ksv016" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 3317, + "EndLine": 3505, + "Code": { + "Lines": [ + { + "Number": 3317, + "Content": " - command:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mcommand\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 3318, + "Content": " - argocd-server", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - argocd-server", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3319, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3320, + "Content": " - name: ARGOCD_SERVER_INSECURE", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: ARGOCD_SERVER_INSECURE", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3321, + "Content": " valueFrom:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalueFrom\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3322, + "Content": " configMapKeyRef:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mconfigMapKeyRef\u001b[0m:", + "FirstCause": false, + "LastCause": false + 
}, + { + "Number": 3323, + "Content": " key: server.insecure", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mkey\u001b[0m: server.insecure", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3324, + "Content": " name: argocd-cmd-params-cm", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mname\u001b[0m: argocd-cmd-params-cm", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3325, + "Content": " optional: true", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33moptional\u001b[0m: \u001b[38;5;166mtrue", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 3326, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV016", + "AVDID": "AVD-KSV-0016", + "Title": "Memory requests not specified", + "Description": "When containers have memory requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", + "Message": "Container 'copyutil' of Deployment 'argocd-dex-server' should set 'resources.requests.memory'", + "Namespace": "builtin.kubernetes.KSV016", + "Query": "data.builtin.kubernetes.KSV016.deny", + "Resolution": "Set 'containers[].resources.requests.memory'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv016", + "References": [ + "https://kubesec.io/basics/containers-resources-limits-memory/", + "https://avd.aquasec.com/misconfig/ksv016" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 3006, + "EndLine": 3018, + "Code": { + "Lines": [ + { + "Number": 3006, + "Content": " - command:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - 
\u001b[38;5;33mcommand\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 3007, + "Content": " - cp", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - cp", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3008, + "Content": " - -n", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - -\u001b[38;5;166mn", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3009, + "Content": " - /usr/local/bin/argocd", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m - /usr/local/bin/argocd", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3010, + "Content": " - /shared/argocd-dex", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - /shared/argocd-dex", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3011, + "Content": " image: quay.io/argoproj/argocd:v2.4.0", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/argoproj/argocd:v2.4.0", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3012, + "Content": " imagePullPolicy: Always", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: Always", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3013, + "Content": " name: copyutil", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mname\u001b[0m: copyutil", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3014, + "Content": " volumeMounts:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvolumeMounts\u001b[0m:", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 3015, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false 
+ } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV016", + "AVDID": "AVD-KSV-0016", + "Title": "Memory requests not specified", + "Description": "When containers have memory requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", + "Message": "Container 'copyutil' of Deployment 'argocd-repo-server' should set 'resources.requests.memory'", + "Namespace": "builtin.kubernetes.KSV016", + "Query": "data.builtin.kubernetes.KSV016.deny", + "Resolution": "Set 'containers[].resources.requests.memory'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv016", + "References": [ + "https://kubesec.io/basics/containers-resources-limits-memory/", + "https://avd.aquasec.com/misconfig/ksv016" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 3242, + "EndLine": 3251, + "Code": { + "Lines": [ + { + "Number": 3242, + "Content": " - command:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mcommand\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 3243, + "Content": " - cp", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - cp", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3244, + "Content": " - -n", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - -\u001b[38;5;166mn", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3245, + "Content": " - /usr/local/bin/argocd", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m - /usr/local/bin/argocd", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3246, + "Content": " - /var/run/argocd/argocd-cmp-server", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - 
/var/run/argocd/argocd-cmp-server", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3247, + "Content": " image: quay.io/argoproj/argocd:v2.4.0", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/argoproj/argocd:v2.4.0", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3248, + "Content": " name: copyutil", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mname\u001b[0m: copyutil", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3249, + "Content": " volumeMounts:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvolumeMounts\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3250, + "Content": " - mountPath: /var/run/argocd", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mmountPath\u001b[0m: /var/run/argocd", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3251, + "Content": " name: var-files", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mname\u001b[0m: var-files", + "FirstCause": false, + "LastCause": true + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV016", + "AVDID": "AVD-KSV-0016", + "Title": "Memory requests not specified", + "Description": "When containers have memory requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", + "Message": "Container 'dex' of Deployment 'argocd-dex-server' should set 'resources.requests.memory'", + "Namespace": "builtin.kubernetes.KSV016", + "Query": "data.builtin.kubernetes.KSV016.deny", + "Resolution": "Set 'containers[].resources.requests.memory'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv016", + "References": [ + 
"https://kubesec.io/basics/containers-resources-limits-memory/", + "https://avd.aquasec.com/misconfig/ksv016" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 2986, + "EndLine": 3004, + "Code": { + "Lines": [ + { + "Number": 2986, + "Content": " - command:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mcommand\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 2987, + "Content": " - /shared/argocd-dex", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - /shared/argocd-dex", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 2988, + "Content": " - rundex", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - rundex", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 2989, + "Content": " image: ghcr.io/dexidp/dex:v2.30.2", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: ghcr.io/dexidp/dex:v2.30.2", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 2990, + "Content": " imagePullPolicy: Always", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: Always", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 2991, + "Content": " name: dex", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mname\u001b[0m: dex", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 2992, + "Content": " ports:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mports\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 2993, + "Content": " - containerPort: 5556", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - 
\u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m5556", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 2994, + "Content": " - containerPort: 5557", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m - \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m5557", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 2995, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV016", + "AVDID": "AVD-KSV-0016", + "Title": "Memory requests not specified", + "Description": "When containers have memory requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", + "Message": "Container 'redis' of Deployment 'argocd-redis' should set 'resources.requests.memory'", + "Namespace": "builtin.kubernetes.KSV016", + "Query": "data.builtin.kubernetes.KSV016.deny", + "Resolution": "Set 'containers[].resources.requests.memory'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv016", + "References": [ + "https://kubesec.io/basics/containers-resources-limits-memory/", + "https://avd.aquasec.com/misconfig/ksv016" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 3059, + "EndLine": 3068, + "Code": { + "Lines": [ + { + "Number": 3059, + "Content": " - args:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33margs\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 3060, + "Content": " - --save", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --save", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3061, + "Content": " - \"\"", + "IsCause": true, + "Annotation": "", + 
"Truncated": false, + "Highlighted": " - \u001b[38;5;37m\"\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3062, + "Content": " - --appendonly", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m - --appendonly", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3063, + "Content": " - \"no\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;37m\"no\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3064, + "Content": " image: redis:6.2.6-alpine", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mimage\u001b[0m: redis:6.2.6-alpine", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3065, + "Content": " imagePullPolicy: Always", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: Always", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3066, + "Content": " name: redis", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mname\u001b[0m: redis", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3067, + "Content": " ports:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mports\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3068, + "Content": " - containerPort: 6379", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m6379", + "FirstCause": false, + "LastCause": true + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV018", + "AVDID": "AVD-KSV-0018", + "Title": "Memory not limited", + "Description": "Enforcing memory limits prevents DoS via resource exhaustion.", + "Message": "Container 'argocd-application-controller' of StatefulSet 
'argocd-application-controller' should set 'resources.limits.memory'", + "Namespace": "builtin.kubernetes.KSV018", + "Query": "data.builtin.kubernetes.KSV018.deny", + "Resolution": "Set a limit value under 'containers[].resources.limits.memory'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv018", + "References": [ + "https://kubesec.io/basics/containers-resources-limits-memory/", + "https://avd.aquasec.com/misconfig/ksv018" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 3567, + "EndLine": 3699, + "Code": { + "Lines": [ + { + "Number": 3567, + "Content": " - command:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mcommand\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 3568, + "Content": " - argocd-application-controller", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - argocd-application-controller", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3569, + "Content": " - --operation-processors", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --operation-processors", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3570, + "Content": " - \"25\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;37m\"25\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3571, + "Content": " - --status-processors", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m - --status-processors", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3572, + "Content": " - \"50\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;37m\"50\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3573, + "Content": " - 
--kubectl-parallelism-limit", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m - --kubectl-parallelism-limit", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3574, + "Content": " - \"35\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;37m\"35\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3575, + "Content": " - --repo-server-timeout-seconds", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m - --repo-server-timeout-seconds", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 3576, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV018", + "AVDID": "AVD-KSV-0018", + "Title": "Memory not limited", + "Description": "Enforcing memory limits prevents DoS via resource exhaustion.", + "Message": "Container 'argocd-repo-server' of Deployment 'argocd-repo-server' should set 'resources.limits.memory'", + "Namespace": "builtin.kubernetes.KSV018", + "Query": "data.builtin.kubernetes.KSV018.deny", + "Resolution": "Set a limit value under 'containers[].resources.limits.memory'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv018", + "References": [ + "https://kubesec.io/basics/containers-resources-limits-memory/", + "https://avd.aquasec.com/misconfig/ksv018" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 3108, + "EndLine": 3240, + "Code": { + "Lines": [ + { + "Number": 3108, + "Content": " - command:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mcommand\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 3109, + "Content": " - entrypoint.sh", + "IsCause": true, + 
"Annotation": "", + "Truncated": false, + "Highlighted": " - entrypoint.sh", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3110, + "Content": " - argocd-repo-server", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - argocd-repo-server", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3111, + "Content": " - --redis", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --redis", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3112, + "Content": " - argocd-redis:6379", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - argocd-redis:6379", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3113, + "Content": " - --repo-cache-expiration", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --repo-cache-expiration", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3114, + "Content": " - 24h", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - 24h", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3115, + "Content": " - --parallelismlimit", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --parallelismlimit", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3116, + "Content": " - \"50\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;37m\"50\"", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 3117, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV018", + "AVDID": "AVD-KSV-0018", + "Title": "Memory not limited", + "Description": "Enforcing memory limits prevents DoS via resource exhaustion.", + "Message": "Container 'argocd-server' of Deployment 'argocd-server' 
should set 'resources.limits.memory'", + "Namespace": "builtin.kubernetes.KSV018", + "Query": "data.builtin.kubernetes.KSV018.deny", + "Resolution": "Set a limit value under 'containers[].resources.limits.memory'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv018", + "References": [ + "https://kubesec.io/basics/containers-resources-limits-memory/", + "https://avd.aquasec.com/misconfig/ksv018" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 3317, + "EndLine": 3505, + "Code": { + "Lines": [ + { + "Number": 3317, + "Content": " - command:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mcommand\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 3318, + "Content": " - argocd-server", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - argocd-server", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3319, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3320, + "Content": " - name: ARGOCD_SERVER_INSECURE", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: ARGOCD_SERVER_INSECURE", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3321, + "Content": " valueFrom:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalueFrom\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3322, + "Content": " configMapKeyRef:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mconfigMapKeyRef\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3323, + "Content": " key: server.insecure", + "IsCause": 
true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mkey\u001b[0m: server.insecure", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3324, + "Content": " name: argocd-cmd-params-cm", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mname\u001b[0m: argocd-cmd-params-cm", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3325, + "Content": " optional: true", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33moptional\u001b[0m: \u001b[38;5;166mtrue", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 3326, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV018", + "AVDID": "AVD-KSV-0018", + "Title": "Memory not limited", + "Description": "Enforcing memory limits prevents DoS via resource exhaustion.", + "Message": "Container 'copyutil' of Deployment 'argocd-dex-server' should set 'resources.limits.memory'", + "Namespace": "builtin.kubernetes.KSV018", + "Query": "data.builtin.kubernetes.KSV018.deny", + "Resolution": "Set a limit value under 'containers[].resources.limits.memory'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv018", + "References": [ + "https://kubesec.io/basics/containers-resources-limits-memory/", + "https://avd.aquasec.com/misconfig/ksv018" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 3006, + "EndLine": 3018, + "Code": { + "Lines": [ + { + "Number": 3006, + "Content": " - command:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mcommand\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 3007, + "Content": " - cp", + "IsCause": true, + "Annotation": "", + 
"Truncated": false, + "Highlighted": " - cp", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3008, + "Content": " - -n", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - -\u001b[38;5;166mn", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3009, + "Content": " - /usr/local/bin/argocd", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m - /usr/local/bin/argocd", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3010, + "Content": " - /shared/argocd-dex", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - /shared/argocd-dex", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3011, + "Content": " image: quay.io/argoproj/argocd:v2.4.0", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/argoproj/argocd:v2.4.0", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3012, + "Content": " imagePullPolicy: Always", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: Always", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3013, + "Content": " name: copyutil", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mname\u001b[0m: copyutil", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3014, + "Content": " volumeMounts:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvolumeMounts\u001b[0m:", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 3015, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV018", + "AVDID": "AVD-KSV-0018", + "Title": "Memory not limited", + "Description": 
"Enforcing memory limits prevents DoS via resource exhaustion.", + "Message": "Container 'copyutil' of Deployment 'argocd-repo-server' should set 'resources.limits.memory'", + "Namespace": "builtin.kubernetes.KSV018", + "Query": "data.builtin.kubernetes.KSV018.deny", + "Resolution": "Set a limit value under 'containers[].resources.limits.memory'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv018", + "References": [ + "https://kubesec.io/basics/containers-resources-limits-memory/", + "https://avd.aquasec.com/misconfig/ksv018" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 3242, + "EndLine": 3251, + "Code": { + "Lines": [ + { + "Number": 3242, + "Content": " - command:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mcommand\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 3243, + "Content": " - cp", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - cp", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3244, + "Content": " - -n", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - -\u001b[38;5;166mn", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3245, + "Content": " - /usr/local/bin/argocd", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m - /usr/local/bin/argocd", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3246, + "Content": " - /var/run/argocd/argocd-cmp-server", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - /var/run/argocd/argocd-cmp-server", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3247, + "Content": " image: quay.io/argoproj/argocd:v2.4.0", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: 
quay.io/argoproj/argocd:v2.4.0", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3248, + "Content": " name: copyutil", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mname\u001b[0m: copyutil", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3249, + "Content": " volumeMounts:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvolumeMounts\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3250, + "Content": " - mountPath: /var/run/argocd", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mmountPath\u001b[0m: /var/run/argocd", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3251, + "Content": " name: var-files", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mname\u001b[0m: var-files", + "FirstCause": false, + "LastCause": true + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV018", + "AVDID": "AVD-KSV-0018", + "Title": "Memory not limited", + "Description": "Enforcing memory limits prevents DoS via resource exhaustion.", + "Message": "Container 'dex' of Deployment 'argocd-dex-server' should set 'resources.limits.memory'", + "Namespace": "builtin.kubernetes.KSV018", + "Query": "data.builtin.kubernetes.KSV018.deny", + "Resolution": "Set a limit value under 'containers[].resources.limits.memory'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv018", + "References": [ + "https://kubesec.io/basics/containers-resources-limits-memory/", + "https://avd.aquasec.com/misconfig/ksv018" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 2986, + "EndLine": 3004, + "Code": { + "Lines": [ + { + "Number": 2986, + "Content": " - command:", + "IsCause": true, + "Annotation": "", + "Truncated": 
false, + "Highlighted": " - \u001b[38;5;33mcommand\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 2987, + "Content": " - /shared/argocd-dex", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - /shared/argocd-dex", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 2988, + "Content": " - rundex", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - rundex", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 2989, + "Content": " image: ghcr.io/dexidp/dex:v2.30.2", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: ghcr.io/dexidp/dex:v2.30.2", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 2990, + "Content": " imagePullPolicy: Always", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: Always", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 2991, + "Content": " name: dex", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mname\u001b[0m: dex", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 2992, + "Content": " ports:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mports\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 2993, + "Content": " - containerPort: 5556", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m5556", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 2994, + "Content": " - containerPort: 5557", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m - \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m5557", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 2995, + "Content": "", + 
"IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV018", + "AVDID": "AVD-KSV-0018", + "Title": "Memory not limited", + "Description": "Enforcing memory limits prevents DoS via resource exhaustion.", + "Message": "Container 'redis' of Deployment 'argocd-redis' should set 'resources.limits.memory'", + "Namespace": "builtin.kubernetes.KSV018", + "Query": "data.builtin.kubernetes.KSV018.deny", + "Resolution": "Set a limit value under 'containers[].resources.limits.memory'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv018", + "References": [ + "https://kubesec.io/basics/containers-resources-limits-memory/", + "https://avd.aquasec.com/misconfig/ksv018" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 3059, + "EndLine": 3068, + "Code": { + "Lines": [ + { + "Number": 3059, + "Content": " - args:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33margs\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 3060, + "Content": " - --save", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --save", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3061, + "Content": " - \"\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;37m\"\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3062, + "Content": " - --appendonly", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m - --appendonly", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3063, + "Content": " - \"no\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;37m\"no\"", + "FirstCause": false, + "LastCause": false + 
}, + { + "Number": 3064, + "Content": " image: redis:6.2.6-alpine", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mimage\u001b[0m: redis:6.2.6-alpine", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3065, + "Content": " imagePullPolicy: Always", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: Always", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3066, + "Content": " name: redis", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mname\u001b[0m: redis", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3067, + "Content": " ports:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mports\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3068, + "Content": " - containerPort: 6379", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m6379", + "FirstCause": false, + "LastCause": true + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV020", + "AVDID": "AVD-KSV-0020", + "Title": "Runs with UID \u003c= 10000", + "Description": "Force the container to run with user ID \u003e 10000 to avoid conflicts with the host’s user table.", + "Message": "Container 'argocd-application-controller' of StatefulSet 'argocd-application-controller' should set 'securityContext.runAsUser' \u003e 10000", + "Namespace": "builtin.kubernetes.KSV020", + "Query": "data.builtin.kubernetes.KSV020.deny", + "Resolution": "Set 'containers[].securityContext.runAsUser' to an integer \u003e 10000.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv020", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-runasuser/", + "https://avd.aquasec.com/misconfig/ksv020" 
+ ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 3567, + "EndLine": 3699, + "Code": { + "Lines": [ + { + "Number": 3567, + "Content": " - command:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mcommand\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 3568, + "Content": " - argocd-application-controller", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - argocd-application-controller", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3569, + "Content": " - --operation-processors", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --operation-processors", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3570, + "Content": " - \"25\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;37m\"25\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3571, + "Content": " - --status-processors", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m - --status-processors", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3572, + "Content": " - \"50\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;37m\"50\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3573, + "Content": " - --kubectl-parallelism-limit", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m - --kubectl-parallelism-limit", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3574, + "Content": " - \"35\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;37m\"35\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3575, + "Content": " - --repo-server-timeout-seconds", + 
"IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m - --repo-server-timeout-seconds", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 3576, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV020", + "AVDID": "AVD-KSV-0020", + "Title": "Runs with UID \u003c= 10000", + "Description": "Force the container to run with user ID \u003e 10000 to avoid conflicts with the host’s user table.", + "Message": "Container 'argocd-repo-server' of Deployment 'argocd-repo-server' should set 'securityContext.runAsUser' \u003e 10000", + "Namespace": "builtin.kubernetes.KSV020", + "Query": "data.builtin.kubernetes.KSV020.deny", + "Resolution": "Set 'containers[].securityContext.runAsUser' to an integer \u003e 10000.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv020", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-runasuser/", + "https://avd.aquasec.com/misconfig/ksv020" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 3108, + "EndLine": 3240, + "Code": { + "Lines": [ + { + "Number": 3108, + "Content": " - command:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mcommand\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 3109, + "Content": " - entrypoint.sh", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - entrypoint.sh", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3110, + "Content": " - argocd-repo-server", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - argocd-repo-server", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3111, + "Content": " - --redis", + "IsCause": true, + 
"Annotation": "", + "Truncated": false, + "Highlighted": " - --redis", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3112, + "Content": " - argocd-redis:6379", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - argocd-redis:6379", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3113, + "Content": " - --repo-cache-expiration", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --repo-cache-expiration", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3114, + "Content": " - 24h", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - 24h", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3115, + "Content": " - --parallelismlimit", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --parallelismlimit", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3116, + "Content": " - \"50\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;37m\"50\"", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 3117, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV020", + "AVDID": "AVD-KSV-0020", + "Title": "Runs with UID \u003c= 10000", + "Description": "Force the container to run with user ID \u003e 10000 to avoid conflicts with the host’s user table.", + "Message": "Container 'argocd-server' of Deployment 'argocd-server' should set 'securityContext.runAsUser' \u003e 10000", + "Namespace": "builtin.kubernetes.KSV020", + "Query": "data.builtin.kubernetes.KSV020.deny", + "Resolution": "Set 'containers[].securityContext.runAsUser' to an integer \u003e 10000.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv020", + "References": [ + 
"https://kubesec.io/basics/containers-securitycontext-runasuser/", + "https://avd.aquasec.com/misconfig/ksv020" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 3317, + "EndLine": 3505, + "Code": { + "Lines": [ + { + "Number": 3317, + "Content": " - command:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mcommand\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 3318, + "Content": " - argocd-server", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - argocd-server", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3319, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3320, + "Content": " - name: ARGOCD_SERVER_INSECURE", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: ARGOCD_SERVER_INSECURE", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3321, + "Content": " valueFrom:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalueFrom\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3322, + "Content": " configMapKeyRef:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mconfigMapKeyRef\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3323, + "Content": " key: server.insecure", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mkey\u001b[0m: server.insecure", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3324, + "Content": " name: argocd-cmd-params-cm", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " 
\u001b[38;5;33mname\u001b[0m: argocd-cmd-params-cm", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3325, + "Content": " optional: true", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33moptional\u001b[0m: \u001b[38;5;166mtrue", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 3326, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV020", + "AVDID": "AVD-KSV-0020", + "Title": "Runs with UID \u003c= 10000", + "Description": "Force the container to run with user ID \u003e 10000 to avoid conflicts with the host’s user table.", + "Message": "Container 'copyutil' of Deployment 'argocd-dex-server' should set 'securityContext.runAsUser' \u003e 10000", + "Namespace": "builtin.kubernetes.KSV020", + "Query": "data.builtin.kubernetes.KSV020.deny", + "Resolution": "Set 'containers[].securityContext.runAsUser' to an integer \u003e 10000.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv020", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-runasuser/", + "https://avd.aquasec.com/misconfig/ksv020" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 3006, + "EndLine": 3018, + "Code": { + "Lines": [ + { + "Number": 3006, + "Content": " - command:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mcommand\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 3007, + "Content": " - cp", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - cp", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3008, + "Content": " - -n", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - -\u001b[38;5;166mn", + 
"FirstCause": false, + "LastCause": false + }, + { + "Number": 3009, + "Content": " - /usr/local/bin/argocd", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m - /usr/local/bin/argocd", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3010, + "Content": " - /shared/argocd-dex", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - /shared/argocd-dex", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3011, + "Content": " image: quay.io/argoproj/argocd:v2.4.0", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/argoproj/argocd:v2.4.0", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3012, + "Content": " imagePullPolicy: Always", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: Always", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3013, + "Content": " name: copyutil", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mname\u001b[0m: copyutil", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3014, + "Content": " volumeMounts:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvolumeMounts\u001b[0m:", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 3015, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV020", + "AVDID": "AVD-KSV-0020", + "Title": "Runs with UID \u003c= 10000", + "Description": "Force the container to run with user ID \u003e 10000 to avoid conflicts with the host’s user table.", + "Message": "Container 'copyutil' of Deployment 'argocd-repo-server' should set 'securityContext.runAsUser' \u003e 10000", + "Namespace": 
"builtin.kubernetes.KSV020", + "Query": "data.builtin.kubernetes.KSV020.deny", + "Resolution": "Set 'containers[].securityContext.runAsUser' to an integer \u003e 10000.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv020", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-runasuser/", + "https://avd.aquasec.com/misconfig/ksv020" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 3242, + "EndLine": 3251, + "Code": { + "Lines": [ + { + "Number": 3242, + "Content": " - command:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mcommand\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 3243, + "Content": " - cp", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - cp", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3244, + "Content": " - -n", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - -\u001b[38;5;166mn", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3245, + "Content": " - /usr/local/bin/argocd", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m - /usr/local/bin/argocd", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3246, + "Content": " - /var/run/argocd/argocd-cmp-server", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - /var/run/argocd/argocd-cmp-server", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3247, + "Content": " image: quay.io/argoproj/argocd:v2.4.0", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/argoproj/argocd:v2.4.0", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3248, + "Content": " name: copyutil", + "IsCause": true, + "Annotation": "", + "Truncated": 
false, + "Highlighted": " \u001b[38;5;33mname\u001b[0m: copyutil", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3249, + "Content": " volumeMounts:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvolumeMounts\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3250, + "Content": " - mountPath: /var/run/argocd", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mmountPath\u001b[0m: /var/run/argocd", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3251, + "Content": " name: var-files", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mname\u001b[0m: var-files", + "FirstCause": false, + "LastCause": true + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV020", + "AVDID": "AVD-KSV-0020", + "Title": "Runs with UID \u003c= 10000", + "Description": "Force the container to run with user ID \u003e 10000 to avoid conflicts with the host’s user table.", + "Message": "Container 'dex' of Deployment 'argocd-dex-server' should set 'securityContext.runAsUser' \u003e 10000", + "Namespace": "builtin.kubernetes.KSV020", + "Query": "data.builtin.kubernetes.KSV020.deny", + "Resolution": "Set 'containers[].securityContext.runAsUser' to an integer \u003e 10000.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv020", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-runasuser/", + "https://avd.aquasec.com/misconfig/ksv020" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 2986, + "EndLine": 3004, + "Code": { + "Lines": [ + { + "Number": 2986, + "Content": " - command:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mcommand\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + 
"Number": 2987, + "Content": " - /shared/argocd-dex", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - /shared/argocd-dex", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 2988, + "Content": " - rundex", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - rundex", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 2989, + "Content": " image: ghcr.io/dexidp/dex:v2.30.2", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: ghcr.io/dexidp/dex:v2.30.2", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 2990, + "Content": " imagePullPolicy: Always", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: Always", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 2991, + "Content": " name: dex", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mname\u001b[0m: dex", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 2992, + "Content": " ports:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mports\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 2993, + "Content": " - containerPort: 5556", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m5556", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 2994, + "Content": " - containerPort: 5557", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m - \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m5557", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 2995, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, 
+ { + "Type": "Kubernetes Security Check", + "ID": "KSV020", + "AVDID": "AVD-KSV-0020", + "Title": "Runs with UID \u003c= 10000", + "Description": "Force the container to run with user ID \u003e 10000 to avoid conflicts with the host’s user table.", + "Message": "Container 'redis' of Deployment 'argocd-redis' should set 'securityContext.runAsUser' \u003e 10000", + "Namespace": "builtin.kubernetes.KSV020", + "Query": "data.builtin.kubernetes.KSV020.deny", + "Resolution": "Set 'containers[].securityContext.runAsUser' to an integer \u003e 10000.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv020", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-runasuser/", + "https://avd.aquasec.com/misconfig/ksv020" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 3059, + "EndLine": 3068, + "Code": { + "Lines": [ + { + "Number": 3059, + "Content": " - args:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33margs\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 3060, + "Content": " - --save", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --save", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3061, + "Content": " - \"\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;37m\"\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3062, + "Content": " - --appendonly", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m - --appendonly", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3063, + "Content": " - \"no\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;37m\"no\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3064, + "Content": " image: 
redis:6.2.6-alpine", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mimage\u001b[0m: redis:6.2.6-alpine", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3065, + "Content": " imagePullPolicy: Always", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: Always", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3066, + "Content": " name: redis", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mname\u001b[0m: redis", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3067, + "Content": " ports:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mports\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3068, + "Content": " - containerPort: 6379", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m6379", + "FirstCause": false, + "LastCause": true + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV021", + "AVDID": "AVD-KSV-0021", + "Title": "Runs with GID \u003c= 10000", + "Description": "Force the container to run with group ID \u003e 10000 to avoid conflicts with the host’s user table.", + "Message": "Container 'argocd-application-controller' of StatefulSet 'argocd-application-controller' should set 'securityContext.runAsGroup' \u003e 10000", + "Namespace": "builtin.kubernetes.KSV021", + "Query": "data.builtin.kubernetes.KSV021.deny", + "Resolution": "Set 'containers[].securityContext.runAsGroup' to an integer \u003e 10000.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv021", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-runasuser/", + "https://avd.aquasec.com/misconfig/ksv021" + ], + "Status": "FAIL", + "Layer": {}, + 
"CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 3567, + "EndLine": 3699, + "Code": { + "Lines": [ + { + "Number": 3567, + "Content": " - command:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mcommand\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 3568, + "Content": " - argocd-application-controller", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - argocd-application-controller", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3569, + "Content": " - --operation-processors", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --operation-processors", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3570, + "Content": " - \"25\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;37m\"25\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3571, + "Content": " - --status-processors", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m - --status-processors", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3572, + "Content": " - \"50\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;37m\"50\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3573, + "Content": " - --kubectl-parallelism-limit", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m - --kubectl-parallelism-limit", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3574, + "Content": " - \"35\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;37m\"35\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3575, + "Content": " - --repo-server-timeout-seconds", + "IsCause": true, + "Annotation": "", + 
"Truncated": false, + "Highlighted": "\u001b[0m - --repo-server-timeout-seconds", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 3576, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV021", + "AVDID": "AVD-KSV-0021", + "Title": "Runs with GID \u003c= 10000", + "Description": "Force the container to run with group ID \u003e 10000 to avoid conflicts with the host’s user table.", + "Message": "Container 'argocd-repo-server' of Deployment 'argocd-repo-server' should set 'securityContext.runAsGroup' \u003e 10000", + "Namespace": "builtin.kubernetes.KSV021", + "Query": "data.builtin.kubernetes.KSV021.deny", + "Resolution": "Set 'containers[].securityContext.runAsGroup' to an integer \u003e 10000.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv021", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-runasuser/", + "https://avd.aquasec.com/misconfig/ksv021" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 3108, + "EndLine": 3240, + "Code": { + "Lines": [ + { + "Number": 3108, + "Content": " - command:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mcommand\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 3109, + "Content": " - entrypoint.sh", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - entrypoint.sh", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3110, + "Content": " - argocd-repo-server", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - argocd-repo-server", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3111, + "Content": " - --redis", + "IsCause": true, + "Annotation": "", + "Truncated": false, + 
"Highlighted": " - --redis", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3112, + "Content": " - argocd-redis:6379", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - argocd-redis:6379", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3113, + "Content": " - --repo-cache-expiration", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --repo-cache-expiration", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3114, + "Content": " - 24h", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - 24h", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3115, + "Content": " - --parallelismlimit", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --parallelismlimit", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3116, + "Content": " - \"50\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;37m\"50\"", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 3117, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV021", + "AVDID": "AVD-KSV-0021", + "Title": "Runs with GID \u003c= 10000", + "Description": "Force the container to run with group ID \u003e 10000 to avoid conflicts with the host’s user table.", + "Message": "Container 'argocd-server' of Deployment 'argocd-server' should set 'securityContext.runAsGroup' \u003e 10000", + "Namespace": "builtin.kubernetes.KSV021", + "Query": "data.builtin.kubernetes.KSV021.deny", + "Resolution": "Set 'containers[].securityContext.runAsGroup' to an integer \u003e 10000.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv021", + "References": [ + 
"https://kubesec.io/basics/containers-securitycontext-runasuser/", + "https://avd.aquasec.com/misconfig/ksv021" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 3317, + "EndLine": 3505, + "Code": { + "Lines": [ + { + "Number": 3317, + "Content": " - command:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mcommand\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 3318, + "Content": " - argocd-server", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - argocd-server", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3319, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3320, + "Content": " - name: ARGOCD_SERVER_INSECURE", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: ARGOCD_SERVER_INSECURE", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3321, + "Content": " valueFrom:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalueFrom\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3322, + "Content": " configMapKeyRef:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mconfigMapKeyRef\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3323, + "Content": " key: server.insecure", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mkey\u001b[0m: server.insecure", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3324, + "Content": " name: argocd-cmd-params-cm", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " 
\u001b[38;5;33mname\u001b[0m: argocd-cmd-params-cm", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3325, + "Content": " optional: true", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33moptional\u001b[0m: \u001b[38;5;166mtrue", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 3326, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV021", + "AVDID": "AVD-KSV-0021", + "Title": "Runs with GID \u003c= 10000", + "Description": "Force the container to run with group ID \u003e 10000 to avoid conflicts with the host’s user table.", + "Message": "Container 'copyutil' of Deployment 'argocd-dex-server' should set 'securityContext.runAsGroup' \u003e 10000", + "Namespace": "builtin.kubernetes.KSV021", + "Query": "data.builtin.kubernetes.KSV021.deny", + "Resolution": "Set 'containers[].securityContext.runAsGroup' to an integer \u003e 10000.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv021", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-runasuser/", + "https://avd.aquasec.com/misconfig/ksv021" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 3006, + "EndLine": 3018, + "Code": { + "Lines": [ + { + "Number": 3006, + "Content": " - command:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mcommand\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 3007, + "Content": " - cp", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - cp", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3008, + "Content": " - -n", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - 
-\u001b[38;5;166mn", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3009, + "Content": " - /usr/local/bin/argocd", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m - /usr/local/bin/argocd", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3010, + "Content": " - /shared/argocd-dex", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - /shared/argocd-dex", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3011, + "Content": " image: quay.io/argoproj/argocd:v2.4.0", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/argoproj/argocd:v2.4.0", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3012, + "Content": " imagePullPolicy: Always", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: Always", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3013, + "Content": " name: copyutil", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mname\u001b[0m: copyutil", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3014, + "Content": " volumeMounts:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvolumeMounts\u001b[0m:", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 3015, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV021", + "AVDID": "AVD-KSV-0021", + "Title": "Runs with GID \u003c= 10000", + "Description": "Force the container to run with group ID \u003e 10000 to avoid conflicts with the host’s user table.", + "Message": "Container 'copyutil' of Deployment 'argocd-repo-server' should set 'securityContext.runAsGroup' \u003e 
10000", + "Namespace": "builtin.kubernetes.KSV021", + "Query": "data.builtin.kubernetes.KSV021.deny", + "Resolution": "Set 'containers[].securityContext.runAsGroup' to an integer \u003e 10000.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv021", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-runasuser/", + "https://avd.aquasec.com/misconfig/ksv021" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 3242, + "EndLine": 3251, + "Code": { + "Lines": [ + { + "Number": 3242, + "Content": " - command:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mcommand\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 3243, + "Content": " - cp", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - cp", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3244, + "Content": " - -n", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - -\u001b[38;5;166mn", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3245, + "Content": " - /usr/local/bin/argocd", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m - /usr/local/bin/argocd", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3246, + "Content": " - /var/run/argocd/argocd-cmp-server", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - /var/run/argocd/argocd-cmp-server", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3247, + "Content": " image: quay.io/argoproj/argocd:v2.4.0", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/argoproj/argocd:v2.4.0", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3248, + "Content": " name: copyutil", + "IsCause": true, + 
"Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mname\u001b[0m: copyutil", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3249, + "Content": " volumeMounts:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvolumeMounts\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3250, + "Content": " - mountPath: /var/run/argocd", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mmountPath\u001b[0m: /var/run/argocd", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3251, + "Content": " name: var-files", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mname\u001b[0m: var-files", + "FirstCause": false, + "LastCause": true + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV021", + "AVDID": "AVD-KSV-0021", + "Title": "Runs with GID \u003c= 10000", + "Description": "Force the container to run with group ID \u003e 10000 to avoid conflicts with the host’s user table.", + "Message": "Container 'dex' of Deployment 'argocd-dex-server' should set 'securityContext.runAsGroup' \u003e 10000", + "Namespace": "builtin.kubernetes.KSV021", + "Query": "data.builtin.kubernetes.KSV021.deny", + "Resolution": "Set 'containers[].securityContext.runAsGroup' to an integer \u003e 10000.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv021", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-runasuser/", + "https://avd.aquasec.com/misconfig/ksv021" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 2986, + "EndLine": 3004, + "Code": { + "Lines": [ + { + "Number": 2986, + "Content": " - command:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mcommand\u001b[0m:", + "FirstCause": 
true, + "LastCause": false + }, + { + "Number": 2987, + "Content": " - /shared/argocd-dex", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - /shared/argocd-dex", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 2988, + "Content": " - rundex", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - rundex", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 2989, + "Content": " image: ghcr.io/dexidp/dex:v2.30.2", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: ghcr.io/dexidp/dex:v2.30.2", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 2990, + "Content": " imagePullPolicy: Always", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: Always", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 2991, + "Content": " name: dex", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mname\u001b[0m: dex", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 2992, + "Content": " ports:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mports\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 2993, + "Content": " - containerPort: 5556", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m5556", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 2994, + "Content": " - containerPort: 5557", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m - \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m5557", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 2995, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + 
"LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV021", + "AVDID": "AVD-KSV-0021", + "Title": "Runs with GID \u003c= 10000", + "Description": "Force the container to run with group ID \u003e 10000 to avoid conflicts with the host’s user table.", + "Message": "Container 'redis' of Deployment 'argocd-redis' should set 'securityContext.runAsGroup' \u003e 10000", + "Namespace": "builtin.kubernetes.KSV021", + "Query": "data.builtin.kubernetes.KSV021.deny", + "Resolution": "Set 'containers[].securityContext.runAsGroup' to an integer \u003e 10000.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv021", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-runasuser/", + "https://avd.aquasec.com/misconfig/ksv021" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 3059, + "EndLine": 3068, + "Code": { + "Lines": [ + { + "Number": 3059, + "Content": " - args:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33margs\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 3060, + "Content": " - --save", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --save", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3061, + "Content": " - \"\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;37m\"\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3062, + "Content": " - --appendonly", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m - --appendonly", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3063, + "Content": " - \"no\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;37m\"no\"", + "FirstCause": false, + "LastCause": false + }, + { + 
"Number": 3064, + "Content": " image: redis:6.2.6-alpine", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mimage\u001b[0m: redis:6.2.6-alpine", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3065, + "Content": " imagePullPolicy: Always", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: Always", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3066, + "Content": " name: redis", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mname\u001b[0m: redis", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3067, + "Content": " ports:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mports\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3068, + "Content": " - containerPort: 6379", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m6379", + "FirstCause": false, + "LastCause": true + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV030", + "AVDID": "AVD-KSV-0030", + "Title": "Runtime/Default Seccomp profile not set", + "Description": "According to pod security standard 'Seccomp', the RuntimeDefault seccomp profile must be required, or allow specific additional profiles.", + "Message": "Either Pod or Container should set 'securityContext.seccompProfile.type' to 'RuntimeDefault'", + "Namespace": "builtin.kubernetes.KSV030", + "Query": "data.builtin.kubernetes.KSV030.deny", + "Resolution": "Set 'spec.securityContext.seccompProfile.type', 'spec.containers[*].securityContext.seccompProfile' and 'spec.initContainers[*].securityContext.seccompProfile' to 'RuntimeDefault' or undefined.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv030", + "References": [ 
+ "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", + "https://avd.aquasec.com/misconfig/ksv030" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 2986, + "EndLine": 3004, + "Code": { + "Lines": [ + { + "Number": 2986, + "Content": " - command:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mcommand\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 2987, + "Content": " - /shared/argocd-dex", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - /shared/argocd-dex", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 2988, + "Content": " - rundex", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - rundex", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 2989, + "Content": " image: ghcr.io/dexidp/dex:v2.30.2", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: ghcr.io/dexidp/dex:v2.30.2", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 2990, + "Content": " imagePullPolicy: Always", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: Always", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 2991, + "Content": " name: dex", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mname\u001b[0m: dex", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 2992, + "Content": " ports:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mports\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 2993, + "Content": " - containerPort: 5556", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - 
\u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m5556", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 2994, + "Content": " - containerPort: 5557", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m - \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m5557", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 2995, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV030", + "AVDID": "AVD-KSV-0030", + "Title": "Runtime/Default Seccomp profile not set", + "Description": "According to pod security standard 'Seccomp', the RuntimeDefault seccomp profile must be required, or allow specific additional profiles.", + "Message": "Either Pod or Container should set 'securityContext.seccompProfile.type' to 'RuntimeDefault'", + "Namespace": "builtin.kubernetes.KSV030", + "Query": "data.builtin.kubernetes.KSV030.deny", + "Resolution": "Set 'spec.securityContext.seccompProfile.type', 'spec.containers[*].securityContext.seccompProfile' and 'spec.initContainers[*].securityContext.seccompProfile' to 'RuntimeDefault' or undefined.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv030", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", + "https://avd.aquasec.com/misconfig/ksv030" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 3006, + "EndLine": 3018, + "Code": { + "Lines": [ + { + "Number": 3006, + "Content": " - command:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mcommand\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 3007, + "Content": " - cp", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - 
cp", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3008, + "Content": " - -n", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - -\u001b[38;5;166mn", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3009, + "Content": " - /usr/local/bin/argocd", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m - /usr/local/bin/argocd", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3010, + "Content": " - /shared/argocd-dex", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - /shared/argocd-dex", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3011, + "Content": " image: quay.io/argoproj/argocd:v2.4.0", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/argoproj/argocd:v2.4.0", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3012, + "Content": " imagePullPolicy: Always", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: Always", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3013, + "Content": " name: copyutil", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mname\u001b[0m: copyutil", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3014, + "Content": " volumeMounts:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvolumeMounts\u001b[0m:", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 3015, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV030", + "AVDID": "AVD-KSV-0030", + "Title": "Runtime/Default Seccomp profile not set", + "Description": "According to pod security 
standard 'Seccomp', the RuntimeDefault seccomp profile must be required, or allow specific additional profiles.", + "Message": "Either Pod or Container should set 'securityContext.seccompProfile.type' to 'RuntimeDefault'", + "Namespace": "builtin.kubernetes.KSV030", + "Query": "data.builtin.kubernetes.KSV030.deny", + "Resolution": "Set 'spec.securityContext.seccompProfile.type', 'spec.containers[*].securityContext.seccompProfile' and 'spec.initContainers[*].securityContext.seccompProfile' to 'RuntimeDefault' or undefined.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv030", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", + "https://avd.aquasec.com/misconfig/ksv030" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 3059, + "EndLine": 3068, + "Code": { + "Lines": [ + { + "Number": 3059, + "Content": " - args:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33margs\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 3060, + "Content": " - --save", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --save", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3061, + "Content": " - \"\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;37m\"\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3062, + "Content": " - --appendonly", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m - --appendonly", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3063, + "Content": " - \"no\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;37m\"no\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3064, + "Content": " image: 
redis:6.2.6-alpine", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mimage\u001b[0m: redis:6.2.6-alpine", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3065, + "Content": " imagePullPolicy: Always", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: Always", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3066, + "Content": " name: redis", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mname\u001b[0m: redis", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3067, + "Content": " ports:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mports\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3068, + "Content": " - containerPort: 6379", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m6379", + "FirstCause": false, + "LastCause": true + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV030", + "AVDID": "AVD-KSV-0030", + "Title": "Runtime/Default Seccomp profile not set", + "Description": "According to pod security standard 'Seccomp', the RuntimeDefault seccomp profile must be required, or allow specific additional profiles.", + "Message": "Either Pod or Container should set 'securityContext.seccompProfile.type' to 'RuntimeDefault'", + "Namespace": "builtin.kubernetes.KSV030", + "Query": "data.builtin.kubernetes.KSV030.deny", + "Resolution": "Set 'spec.securityContext.seccompProfile.type', 'spec.containers[*].securityContext.seccompProfile' and 'spec.initContainers[*].securityContext.seccompProfile' to 'RuntimeDefault' or undefined.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv030", + "References": [ + 
"https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", + "https://avd.aquasec.com/misconfig/ksv030" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 3108, + "EndLine": 3240, + "Code": { + "Lines": [ + { + "Number": 3108, + "Content": " - command:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mcommand\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 3109, + "Content": " - entrypoint.sh", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - entrypoint.sh", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3110, + "Content": " - argocd-repo-server", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - argocd-repo-server", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3111, + "Content": " - --redis", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --redis", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3112, + "Content": " - argocd-redis:6379", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - argocd-redis:6379", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3113, + "Content": " - --repo-cache-expiration", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --repo-cache-expiration", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3114, + "Content": " - 24h", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - 24h", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3115, + "Content": " - --parallelismlimit", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --parallelismlimit", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3116, + "Content": " - \"50\"", 
+ "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;37m\"50\"", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 3117, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV030", + "AVDID": "AVD-KSV-0030", + "Title": "Runtime/Default Seccomp profile not set", + "Description": "According to pod security standard 'Seccomp', the RuntimeDefault seccomp profile must be required, or allow specific additional profiles.", + "Message": "Either Pod or Container should set 'securityContext.seccompProfile.type' to 'RuntimeDefault'", + "Namespace": "builtin.kubernetes.KSV030", + "Query": "data.builtin.kubernetes.KSV030.deny", + "Resolution": "Set 'spec.securityContext.seccompProfile.type', 'spec.containers[*].securityContext.seccompProfile' and 'spec.initContainers[*].securityContext.seccompProfile' to 'RuntimeDefault' or undefined.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv030", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", + "https://avd.aquasec.com/misconfig/ksv030" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 3242, + "EndLine": 3251, + "Code": { + "Lines": [ + { + "Number": 3242, + "Content": " - command:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mcommand\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 3243, + "Content": " - cp", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - cp", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3244, + "Content": " - -n", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - -\u001b[38;5;166mn", + "FirstCause": 
false, + "LastCause": false + }, + { + "Number": 3245, + "Content": " - /usr/local/bin/argocd", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m - /usr/local/bin/argocd", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3246, + "Content": " - /var/run/argocd/argocd-cmp-server", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - /var/run/argocd/argocd-cmp-server", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3247, + "Content": " image: quay.io/argoproj/argocd:v2.4.0", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/argoproj/argocd:v2.4.0", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3248, + "Content": " name: copyutil", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mname\u001b[0m: copyutil", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3249, + "Content": " volumeMounts:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvolumeMounts\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3250, + "Content": " - mountPath: /var/run/argocd", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mmountPath\u001b[0m: /var/run/argocd", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3251, + "Content": " name: var-files", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mname\u001b[0m: var-files", + "FirstCause": false, + "LastCause": true + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV030", + "AVDID": "AVD-KSV-0030", + "Title": "Runtime/Default Seccomp profile not set", + "Description": "According to pod security standard 'Seccomp', the RuntimeDefault seccomp profile must be required, or allow specific additional 
profiles.", + "Message": "Either Pod or Container should set 'securityContext.seccompProfile.type' to 'RuntimeDefault'", + "Namespace": "builtin.kubernetes.KSV030", + "Query": "data.builtin.kubernetes.KSV030.deny", + "Resolution": "Set 'spec.securityContext.seccompProfile.type', 'spec.containers[*].securityContext.seccompProfile' and 'spec.initContainers[*].securityContext.seccompProfile' to 'RuntimeDefault' or undefined.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv030", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", + "https://avd.aquasec.com/misconfig/ksv030" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 3317, + "EndLine": 3505, + "Code": { + "Lines": [ + { + "Number": 3317, + "Content": " - command:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mcommand\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 3318, + "Content": " - argocd-server", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - argocd-server", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3319, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3320, + "Content": " - name: ARGOCD_SERVER_INSECURE", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: ARGOCD_SERVER_INSECURE", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3321, + "Content": " valueFrom:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalueFrom\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3322, + "Content": " configMapKeyRef:", + "IsCause": 
true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mconfigMapKeyRef\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3323, + "Content": " key: server.insecure", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mkey\u001b[0m: server.insecure", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3324, + "Content": " name: argocd-cmd-params-cm", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mname\u001b[0m: argocd-cmd-params-cm", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3325, + "Content": " optional: true", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33moptional\u001b[0m: \u001b[38;5;166mtrue", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 3326, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV030", + "AVDID": "AVD-KSV-0030", + "Title": "Runtime/Default Seccomp profile not set", + "Description": "According to pod security standard 'Seccomp', the RuntimeDefault seccomp profile must be required, or allow specific additional profiles.", + "Message": "Either Pod or Container should set 'securityContext.seccompProfile.type' to 'RuntimeDefault'", + "Namespace": "builtin.kubernetes.KSV030", + "Query": "data.builtin.kubernetes.KSV030.deny", + "Resolution": "Set 'spec.securityContext.seccompProfile.type', 'spec.containers[*].securityContext.seccompProfile' and 'spec.initContainers[*].securityContext.seccompProfile' to 'RuntimeDefault' or undefined.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv030", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", + "https://avd.aquasec.com/misconfig/ksv030" + ], + 
"Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 3567, + "EndLine": 3699, + "Code": { + "Lines": [ + { + "Number": 3567, + "Content": " - command:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mcommand\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 3568, + "Content": " - argocd-application-controller", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - argocd-application-controller", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3569, + "Content": " - --operation-processors", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --operation-processors", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3570, + "Content": " - \"25\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;37m\"25\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3571, + "Content": " - --status-processors", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m - --status-processors", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3572, + "Content": " - \"50\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;37m\"50\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3573, + "Content": " - --kubectl-parallelism-limit", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m - --kubectl-parallelism-limit", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3574, + "Content": " - \"35\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;37m\"35\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3575, + "Content": " - --repo-server-timeout-seconds", + "IsCause": 
true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m - --repo-server-timeout-seconds", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 3576, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV044", + "AVDID": "AVD-KSV-0044", + "Title": "No wildcard verb and resource roles", + "Description": "Check whether role permits wildcard verb on wildcard resource", + "Message": "Role permits wildcard verb on wildcard resource", + "Namespace": "builtin.kubernetes.KSV044", + "Query": "data.builtin.kubernetes.KSV044.deny", + "Resolution": "Create a role which does not permit wildcard verb on wildcard resource", + "Severity": "CRITICAL", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv044", + "References": [ + "https://kubernetes.io/docs/concepts/security/rbac-good-practices/", + "https://avd.aquasec.com/misconfig/ksv044" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 2633, + "EndLine": 2638, + "Code": { + "Lines": [ + { + "Number": 2633, + "Content": "- apiGroups:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "- \u001b[38;5;33mapiGroups\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 2634, + "Content": " - '*'", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;37m'*'", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 2635, + "Content": " resources:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mresources\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 2636, + "Content": " - '*'", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;37m'*'", + "FirstCause": false, 
+ "LastCause": false + }, + { + "Number": 2637, + "Content": " verbs:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mverbs\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 2638, + "Content": " - '*'", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;37m'*'", + "FirstCause": false, + "LastCause": true + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV046", + "AVDID": "AVD-KSV-0046", + "Title": "Manage all resources", + "Description": "Full control of the cluster resources, and therefore also root on all nodes where workloads can run and has access to all pods, secrets, and data.", + "Message": "ClusterRole 'argocd-application-controller' shouldn't manage all resources", + "Namespace": "builtin.kubernetes.KSV046", + "Query": "data.builtin.kubernetes.KSV046.deny", + "Resolution": "Remove '*' from 'rules.resources'. Provide specific list of resources to be managed by cluster role", + "Severity": "CRITICAL", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv046", + "References": [ + "https://kubernetes.io/docs/concepts/security/rbac-good-practices/", + "https://avd.aquasec.com/misconfig/ksv046" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 2633, + "EndLine": 2638, + "Code": { + "Lines": [ + { + "Number": 2633, + "Content": "- apiGroups:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "- \u001b[38;5;33mapiGroups\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 2634, + "Content": " - '*'", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;37m'*'", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 2635, + "Content": " resources:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m 
\u001b[38;5;33mresources\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 2636, + "Content": " - '*'", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;37m'*'", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 2637, + "Content": " verbs:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mverbs\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 2638, + "Content": " - '*'", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;37m'*'", + "FirstCause": false, + "LastCause": true + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV046", + "AVDID": "AVD-KSV-0046", + "Title": "Manage all resources", + "Description": "Full control of the cluster resources, and therefore also root on all nodes where workloads can run and has access to all pods, secrets, and data.", + "Message": "ClusterRole 'argocd-server' shouldn't manage all resources", + "Namespace": "builtin.kubernetes.KSV046", + "Query": "data.builtin.kubernetes.KSV046.deny", + "Resolution": "Remove '*' from 'rules.resources'. 
Provide specific list of resources to be managed by cluster role", + "Severity": "CRITICAL", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv046", + "References": [ + "https://kubernetes.io/docs/concepts/security/rbac-good-practices/", + "https://avd.aquasec.com/misconfig/ksv046" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 2653, + "EndLine": 2660, + "Code": { + "Lines": [ + { + "Number": 2653, + "Content": "- apiGroups:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "- \u001b[38;5;33mapiGroups\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 2654, + "Content": " - '*'", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;37m'*'", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 2655, + "Content": " resources:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mresources\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 2656, + "Content": " - '*'", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;37m'*'", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 2657, + "Content": " verbs:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mverbs\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 2658, + "Content": " - delete", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - delete", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 2659, + "Content": " - get", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - get", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 2660, + "Content": " - patch", + "IsCause": true, + "Annotation": "", + "Truncated": false, + 
"Highlighted": " - patch", + "FirstCause": false, + "LastCause": true + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV049", + "AVDID": "AVD-KSV-0049", + "Title": "Manage configmaps", + "Description": "Some workloads leverage configmaps to store sensitive data or configuration parameters that affect runtime behavior that can be modified by an attacker or combined with another issue to potentially lead to compromise.", + "Message": "Role 'argocd-dex-server' should not have access to resource 'configmaps' for verbs [\"create\", \"update\", \"patch\", \"delete\", \"deletecollection\", \"impersonate\", \"*\"]", + "Namespace": "builtin.kubernetes.KSV049", + "Query": "data.builtin.kubernetes.KSV049.deny", + "Resolution": "Remove write permission verbs for resource 'configmaps'", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv049", + "References": [ + "https://kubernetes.io/docs/concepts/security/rbac-good-practices/", + "https://avd.aquasec.com/misconfig/ksv049" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 2550, + "EndLine": 2561, + "Code": { + "Lines": [ + { + "Number": 2550, + "Content": "- apiGroups:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "- \u001b[38;5;33mapiGroups\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 2551, + "Content": " - \"\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;37m\"\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 2552, + "Content": " resources:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mresources\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 2553, + "Content": " - secrets", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - secrets", + 
"FirstCause": false, + "LastCause": false + }, + { + "Number": 2554, + "Content": " - configmaps", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - configmaps", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 2555, + "Content": " verbs:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mverbs\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 2556, + "Content": " - get", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - get", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 2557, + "Content": " - list", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - list", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 2558, + "Content": " - watch", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - watch", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 2559, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV049", + "AVDID": "AVD-KSV-0049", + "Title": "Manage configmaps", + "Description": "Some workloads leverage configmaps to store sensitive data or configuration parameters that affect runtime behavior that can be modified by an attacker or combined with another issue to potentially lead to compromise.", + "Message": "Role 'argocd-server' should not have access to resource 'configmaps' for verbs [\"create\", \"update\", \"patch\", \"delete\", \"deletecollection\", \"impersonate\", \"*\"]", + "Namespace": "builtin.kubernetes.KSV049", + "Query": "data.builtin.kubernetes.KSV049.deny", + "Resolution": "Remove write permission verbs for resource 'configmaps'", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv049", + "References": [ + 
"https://kubernetes.io/docs/concepts/security/rbac-good-practices/", + "https://avd.aquasec.com/misconfig/ksv049" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 2590, + "EndLine": 2602, + "Code": { + "Lines": [ + { + "Number": 2590, + "Content": "- apiGroups:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "- \u001b[38;5;33mapiGroups\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 2591, + "Content": " - \"\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;37m\"\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 2592, + "Content": " resources:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mresources\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 2593, + "Content": " - secrets", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - secrets", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 2594, + "Content": " - configmaps", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - configmaps", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 2595, + "Content": " verbs:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mverbs\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 2596, + "Content": " - create", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - create", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 2597, + "Content": " - get", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - get", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 2598, + "Content": " - list", + "IsCause": true, + "Annotation": "", + "Truncated": 
false, + "Highlighted": " - list", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 2599, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "AVD-KSV-01010", + "AVDID": "AVD-KSV-01010", + "Title": "ConfigMap with sensitive content", + "Description": "Storing sensitive content such as usernames and email addresses in configMaps is unsafe", + "Message": "ConfigMap 'argocd-ssh-known-hosts-cm' in 'default' namespace stores sensitive contents in key(s) or value(s) '{\"github.com ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ\"}'", + "Namespace": "builtin.kubernetes.KSV01010", + "Query": "data.builtin.kubernetes.KSV01010.deny", + "Resolution": "Remove sensitive content from configMap data value", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/avd-ksv-01010", + "References": [ + "https://avd.aquasec.com/misconfig/avd-ksv-01010" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 2804, + "EndLine": 2804, + "Code": { + "Lines": [ + { + "Number": 2804, + "Content": "---", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "---", + "FirstCause": true, + "LastCause": true + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV104", + "AVDID": "AVD-KSV-0104", + "Title": "Seccomp policies disabled", + "Description": "A program inside the container can bypass Seccomp protection policies.", + "Message": "container \"argocd-application-controller\" of 
statefulset \"argocd-application-controller\" in \"default\" namespace should specify a seccomp profile", + "Namespace": "builtin.kubernetes.KSV104", + "Query": "data.builtin.kubernetes.KSV104.deny", + "Resolution": "Specify seccomp either by annotation or by seccomp profile type having allowed values as per pod security standards", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv104", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline", + "https://avd.aquasec.com/misconfig/ksv104" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 3531, + "EndLine": 3531, + "Code": { + "Lines": [ + { + "Number": 3531, + "Content": "---", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "---", + "FirstCause": true, + "LastCause": true + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV104", + "AVDID": "AVD-KSV-0104", + "Title": "Seccomp policies disabled", + "Description": "A program inside the container can bypass Seccomp protection policies.", + "Message": "container \"argocd-repo-server\" of deployment \"argocd-repo-server\" in \"default\" namespace should specify a seccomp profile", + "Namespace": "builtin.kubernetes.KSV104", + "Query": "data.builtin.kubernetes.KSV104.deny", + "Resolution": "Specify seccomp either by annotation or by seccomp profile type having allowed values as per pod security standards", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv104", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline", + "https://avd.aquasec.com/misconfig/ksv104" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 3073, + "EndLine": 3073, + "Code": { + "Lines": [ + { + "Number": 3073, + "Content": "---", + "IsCause": true, + 
"Annotation": "", + "Truncated": false, + "Highlighted": "---", + "FirstCause": true, + "LastCause": true + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV104", + "AVDID": "AVD-KSV-0104", + "Title": "Seccomp policies disabled", + "Description": "A program inside the container can bypass Seccomp protection policies.", + "Message": "container \"argocd-server\" of deployment \"argocd-server\" in \"default\" namespace should specify a seccomp profile", + "Namespace": "builtin.kubernetes.KSV104", + "Query": "data.builtin.kubernetes.KSV104.deny", + "Resolution": "Specify seccomp either by annotation or by seccomp profile type having allowed values as per pod security standards", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv104", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline", + "https://avd.aquasec.com/misconfig/ksv104" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 3283, + "EndLine": 3283, + "Code": { + "Lines": [ + { + "Number": 3283, + "Content": "---", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "---", + "FirstCause": true, + "LastCause": true + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV104", + "AVDID": "AVD-KSV-0104", + "Title": "Seccomp policies disabled", + "Description": "A program inside the container can bypass Seccomp protection policies.", + "Message": "container \"copyutil\" of deployment \"argocd-dex-server\" in \"default\" namespace should specify a seccomp profile", + "Namespace": "builtin.kubernetes.KSV104", + "Query": "data.builtin.kubernetes.KSV104.deny", + "Resolution": "Specify seccomp either by annotation or by seccomp profile type having allowed values as per pod security standards", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv104", + "References": [ + 
"https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline", + "https://avd.aquasec.com/misconfig/ksv104" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 2958, + "EndLine": 2958, + "Code": { + "Lines": [ + { + "Number": 2958, + "Content": "---", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "---", + "FirstCause": true, + "LastCause": true + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV104", + "AVDID": "AVD-KSV-0104", + "Title": "Seccomp policies disabled", + "Description": "A program inside the container can bypass Seccomp protection policies.", + "Message": "container \"copyutil\" of deployment \"argocd-repo-server\" in \"default\" namespace should specify a seccomp profile", + "Namespace": "builtin.kubernetes.KSV104", + "Query": "data.builtin.kubernetes.KSV104.deny", + "Resolution": "Specify seccomp either by annotation or by seccomp profile type having allowed values as per pod security standards", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv104", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline", + "https://avd.aquasec.com/misconfig/ksv104" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 3073, + "EndLine": 3073, + "Code": { + "Lines": [ + { + "Number": 3073, + "Content": "---", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "---", + "FirstCause": true, + "LastCause": true + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV104", + "AVDID": "AVD-KSV-0104", + "Title": "Seccomp policies disabled", + "Description": "A program inside the container can bypass Seccomp protection policies.", + "Message": "container \"dex\" of deployment \"argocd-dex-server\" in \"default\" namespace should 
specify a seccomp profile", + "Namespace": "builtin.kubernetes.KSV104", + "Query": "data.builtin.kubernetes.KSV104.deny", + "Resolution": "Specify seccomp either by annotation or by seccomp profile type having allowed values as per pod security standards", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv104", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline", + "https://avd.aquasec.com/misconfig/ksv104" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 2958, + "EndLine": 2958, + "Code": { + "Lines": [ + { + "Number": 2958, + "Content": "---", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "---", + "FirstCause": true, + "LastCause": true + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV104", + "AVDID": "AVD-KSV-0104", + "Title": "Seccomp policies disabled", + "Description": "A program inside the container can bypass Seccomp protection policies.", + "Message": "container \"redis\" of deployment \"argocd-redis\" in \"default\" namespace should specify a seccomp profile", + "Namespace": "builtin.kubernetes.KSV104", + "Query": "data.builtin.kubernetes.KSV104.deny", + "Resolution": "Specify seccomp either by annotation or by seccomp profile type having allowed values as per pod security standards", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv104", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline", + "https://avd.aquasec.com/misconfig/ksv104" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 3025, + "EndLine": 3025, + "Code": { + "Lines": [ + { + "Number": 3025, + "Content": "---", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "---", + "FirstCause": true, + "LastCause": 
true + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV106", + "AVDID": "AVD-KSV-0106", + "Title": "Container capabilities must only include NET_BIND_SERVICE", + "Description": "Containers must drop ALL capabilities, and are only permitted to add back the NET_BIND_SERVICE capability.", + "Message": "container should drop all", + "Namespace": "builtin.kubernetes.KSV106", + "Query": "data.builtin.kubernetes.KSV106.deny", + "Resolution": "Set 'spec.containers[*].securityContext.capabilities.drop' to 'ALL' and only add 'NET_BIND_SERVICE' to 'spec.containers[*].securityContext.capabilities.add'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv106", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", + "https://avd.aquasec.com/misconfig/ksv106" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 2986, + "EndLine": 3004, + "Code": { + "Lines": [ + { + "Number": 2986, + "Content": " - command:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mcommand\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 2987, + "Content": " - /shared/argocd-dex", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - /shared/argocd-dex", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 2988, + "Content": " - rundex", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - rundex", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 2989, + "Content": " image: ghcr.io/dexidp/dex:v2.30.2", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: ghcr.io/dexidp/dex:v2.30.2", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 2990, + "Content": " imagePullPolicy: Always", + "IsCause": true, + 
"Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: Always", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 2991, + "Content": " name: dex", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mname\u001b[0m: dex", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 2992, + "Content": " ports:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mports\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 2993, + "Content": " - containerPort: 5556", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m5556", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 2994, + "Content": " - containerPort: 5557", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m - \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m5557", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 2995, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV106", + "AVDID": "AVD-KSV-0106", + "Title": "Container capabilities must only include NET_BIND_SERVICE", + "Description": "Containers must drop ALL capabilities, and are only permitted to add back the NET_BIND_SERVICE capability.", + "Message": "container should drop all", + "Namespace": "builtin.kubernetes.KSV106", + "Query": "data.builtin.kubernetes.KSV106.deny", + "Resolution": "Set 'spec.containers[*].securityContext.capabilities.drop' to 'ALL' and only add 'NET_BIND_SERVICE' to 'spec.containers[*].securityContext.capabilities.add'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv106", + "References": [ + 
"https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", + "https://avd.aquasec.com/misconfig/ksv106" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 3006, + "EndLine": 3018, + "Code": { + "Lines": [ + { + "Number": 3006, + "Content": " - command:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mcommand\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 3007, + "Content": " - cp", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - cp", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3008, + "Content": " - -n", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - -\u001b[38;5;166mn", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3009, + "Content": " - /usr/local/bin/argocd", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m - /usr/local/bin/argocd", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3010, + "Content": " - /shared/argocd-dex", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - /shared/argocd-dex", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3011, + "Content": " image: quay.io/argoproj/argocd:v2.4.0", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/argoproj/argocd:v2.4.0", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3012, + "Content": " imagePullPolicy: Always", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: Always", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3013, + "Content": " name: copyutil", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " 
\u001b[38;5;33mname\u001b[0m: copyutil", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3014, + "Content": " volumeMounts:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvolumeMounts\u001b[0m:", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 3015, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV106", + "AVDID": "AVD-KSV-0106", + "Title": "Container capabilities must only include NET_BIND_SERVICE", + "Description": "Containers must drop ALL capabilities, and are only permitted to add back the NET_BIND_SERVICE capability.", + "Message": "container should drop all", + "Namespace": "builtin.kubernetes.KSV106", + "Query": "data.builtin.kubernetes.KSV106.deny", + "Resolution": "Set 'spec.containers[*].securityContext.capabilities.drop' to 'ALL' and only add 'NET_BIND_SERVICE' to 'spec.containers[*].securityContext.capabilities.add'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv106", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", + "https://avd.aquasec.com/misconfig/ksv106" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 3059, + "EndLine": 3068, + "Code": { + "Lines": [ + { + "Number": 3059, + "Content": " - args:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33margs\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 3060, + "Content": " - --save", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --save", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3061, + "Content": " - \"\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + 
"Highlighted": " - \u001b[38;5;37m\"\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3062, + "Content": " - --appendonly", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m - --appendonly", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3063, + "Content": " - \"no\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;37m\"no\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3064, + "Content": " image: redis:6.2.6-alpine", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mimage\u001b[0m: redis:6.2.6-alpine", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3065, + "Content": " imagePullPolicy: Always", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: Always", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3066, + "Content": " name: redis", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mname\u001b[0m: redis", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3067, + "Content": " ports:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mports\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3068, + "Content": " - containerPort: 6379", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m6379", + "FirstCause": false, + "LastCause": true + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV106", + "AVDID": "AVD-KSV-0106", + "Title": "Container capabilities must only include NET_BIND_SERVICE", + "Description": "Containers must drop ALL capabilities, and are only permitted to add back the NET_BIND_SERVICE capability.", + "Message": 
"container should drop all", + "Namespace": "builtin.kubernetes.KSV106", + "Query": "data.builtin.kubernetes.KSV106.deny", + "Resolution": "Set 'spec.containers[*].securityContext.capabilities.drop' to 'ALL' and only add 'NET_BIND_SERVICE' to 'spec.containers[*].securityContext.capabilities.add'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv106", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", + "https://avd.aquasec.com/misconfig/ksv106" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 3242, + "EndLine": 3251, + "Code": { + "Lines": [ + { + "Number": 3242, + "Content": " - command:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mcommand\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 3243, + "Content": " - cp", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - cp", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3244, + "Content": " - -n", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - -\u001b[38;5;166mn", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3245, + "Content": " - /usr/local/bin/argocd", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m - /usr/local/bin/argocd", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3246, + "Content": " - /var/run/argocd/argocd-cmp-server", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - /var/run/argocd/argocd-cmp-server", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3247, + "Content": " image: quay.io/argoproj/argocd:v2.4.0", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/argoproj/argocd:v2.4.0", + 
"FirstCause": false, + "LastCause": false + }, + { + "Number": 3248, + "Content": " name: copyutil", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mname\u001b[0m: copyutil", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3249, + "Content": " volumeMounts:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvolumeMounts\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3250, + "Content": " - mountPath: /var/run/argocd", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mmountPath\u001b[0m: /var/run/argocd", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 3251, + "Content": " name: var-files", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mname\u001b[0m: var-files", + "FirstCause": false, + "LastCause": true + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV113", + "AVDID": "AVD-KSV-0113", + "Title": "Manage namespace secrets", + "Description": "Viewing secrets at the namespace scope can lead to escalation if another service account in that namespace has a higher privileged rolebinding or clusterrolebinding bound.", + "Message": "Role 'argocd-application-controller' shouldn't have access to manage secrets in namespace 'default'", + "Namespace": "builtin.kubernetes.KSV113", + "Query": "data.builtin.kubernetes.KSV113.deny", + "Resolution": "Manage namespace secrets are not allowed. 
Remove resource 'secrets' from role", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv113", + "References": [ + "https://kubernetes.io/docs/concepts/security/rbac-good-practices/", + "https://avd.aquasec.com/misconfig/ksv113" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 2511, + "EndLine": 2519, + "Code": { + "Lines": [ + { + "Number": 2511, + "Content": "- apiGroups:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "- \u001b[38;5;33mapiGroups\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 2512, + "Content": " - \"\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;37m\"\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 2513, + "Content": " resources:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mresources\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 2514, + "Content": " - secrets", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - secrets", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 2515, + "Content": " - configmaps", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - configmaps", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 2516, + "Content": " verbs:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mverbs\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 2517, + "Content": " - get", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - get", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 2518, + "Content": " - list", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - list", + 
"FirstCause": false, + "LastCause": false + }, + { + "Number": 2519, + "Content": " - watch", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - watch", + "FirstCause": false, + "LastCause": true + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV113", + "AVDID": "AVD-KSV-0113", + "Title": "Manage namespace secrets", + "Description": "Viewing secrets at the namespace scope can lead to escalation if another service account in that namespace has a higher privileged rolebinding or clusterrolebinding bound.", + "Message": "Role 'argocd-dex-server' shouldn't have access to manage secrets in namespace 'default'", + "Namespace": "builtin.kubernetes.KSV113", + "Query": "data.builtin.kubernetes.KSV113.deny", + "Resolution": "Manage namespace secrets are not allowed. Remove resource 'secrets' from role", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv113", + "References": [ + "https://kubernetes.io/docs/concepts/security/rbac-good-practices/", + "https://avd.aquasec.com/misconfig/ksv113" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 2550, + "EndLine": 2561, + "Code": { + "Lines": [ + { + "Number": 2550, + "Content": "- apiGroups:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "- \u001b[38;5;33mapiGroups\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 2551, + "Content": " - \"\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;37m\"\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 2552, + "Content": " resources:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mresources\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 2553, + "Content": " - secrets", + "IsCause": true, + "Annotation": "", + 
"Truncated": false, + "Highlighted": " - secrets", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 2554, + "Content": " - configmaps", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - configmaps", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 2555, + "Content": " verbs:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mverbs\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 2556, + "Content": " - get", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - get", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 2557, + "Content": " - list", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - list", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 2558, + "Content": " - watch", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - watch", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 2559, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV113", + "AVDID": "AVD-KSV-0113", + "Title": "Manage namespace secrets", + "Description": "Viewing secrets at the namespace scope can lead to escalation if another service account in that namespace has a higher privileged rolebinding or clusterrolebinding bound.", + "Message": "Role 'argocd-server' shouldn't have access to manage secrets in namespace 'default'", + "Namespace": "builtin.kubernetes.KSV113", + "Query": "data.builtin.kubernetes.KSV113.deny", + "Resolution": "Manage namespace secrets are not allowed. 
Remove resource 'secrets' from role", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv113", + "References": [ + "https://kubernetes.io/docs/concepts/security/rbac-good-practices/", + "https://avd.aquasec.com/misconfig/ksv113" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 2590, + "EndLine": 2602, + "Code": { + "Lines": [ + { + "Number": 2590, + "Content": "- apiGroups:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "- \u001b[38;5;33mapiGroups\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 2591, + "Content": " - \"\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;37m\"\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 2592, + "Content": " resources:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mresources\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 2593, + "Content": " - secrets", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - secrets", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 2594, + "Content": " - configmaps", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - configmaps", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 2595, + "Content": " verbs:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mverbs\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 2596, + "Content": " - create", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - create", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 2597, + "Content": " - get", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - get", + 
"FirstCause": false, + "LastCause": false + }, + { + "Number": 2598, + "Content": " - list", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - list", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 2599, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + } + ] + }, + { + "Target": "manifests/yamls/clair.yaml", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 153, + "Failures": 26, + "Exceptions": 0 + }, + "Misconfigurations": [ + { + "Type": "Kubernetes Security Check", + "ID": "KSV001", + "AVDID": "AVD-KSV-0001", + "Title": "Can elevate its own privileges", + "Description": "A program inside the container can elevate its own privileges and run as root, which might give the program control over the container and node.", + "Message": "Container 'clair' of Deployment 'clair' should set 'securityContext.allowPrivilegeEscalation' to false", + "Namespace": "builtin.kubernetes.KSV001", + "Query": "data.builtin.kubernetes.KSV001.deny", + "Resolution": "Set 'set containers[].securityContext.allowPrivilegeEscalation' to 'false'.", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv001", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", + "https://avd.aquasec.com/misconfig/ksv001" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 68, + "EndLine": 94, + "Code": { + "Lines": [ + { + "Number": 68, + "Content": " - env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33menv\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 69, + "Content": " - name: CLAIR_CONF", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: CLAIR_CONF", 
+ "FirstCause": false, + "LastCause": false + }, + { + "Number": 70, + "Content": " value: /etc/clair/config.yaml", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: /etc/clair/config.yaml", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 71, + "Content": " - name: CLAIR_MODE", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: CLAIR_MODE", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 72, + "Content": " value: combo", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: combo", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 73, + "Content": " name: clair", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mname\u001b[0m: clair", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 74, + "Content": " image: \"quay.io/coreos/clair:v4.3.6\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/coreos/clair:v4.3.6\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 75, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 76, + "Content": " ports:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mports\u001b[0m:", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 77, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV001", + "AVDID": "AVD-KSV-0001", + "Title": "Can elevate its own 
privileges", + "Description": "A program inside the container can elevate its own privileges and run as root, which might give the program control over the container and node.", + "Message": "Container 'pg-ready-wait' of Deployment 'clair' should set 'securityContext.allowPrivilegeEscalation' to false", + "Namespace": "builtin.kubernetes.KSV001", + "Query": "data.builtin.kubernetes.KSV001.deny", + "Resolution": "Set 'set containers[].securityContext.allowPrivilegeEscalation' to 'false'.", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv001", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", + "https://avd.aquasec.com/misconfig/ksv001" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 62, + "EndLine": 65, + "Code": { + "Lines": [ + { + "Number": 62, + "Content": " - name: pg-ready-wait", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: pg-ready-wait", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 63, + "Content": " image: \"quay.io/devtron/postgres:11.3\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/postgres:11.3\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 64, + "Content": " command: [ \"sh\", \"-c\",", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mcommand\u001b[0m: [ \u001b[38;5;37m\"sh\"\u001b[0m, \u001b[38;5;37m\"-c\"\u001b[0m,", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 65, + "Content": " \"until pg_isready -h postgresql-postgresql.devtroncd -p 5432;", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;37m\"until pg_isready -h postgresql-postgresql.devtroncd -p 5432;", + 
"FirstCause": false, + "LastCause": true + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV003", + "AVDID": "AVD-KSV-0003", + "Title": "Default capabilities: some containers do not drop all", + "Description": "The container should drop all default capabilities and add only those that are needed for its execution.", + "Message": "Container 'clair' of Deployment 'clair' should add 'ALL' to 'securityContext.capabilities.drop'", + "Namespace": "builtin.kubernetes.KSV003", + "Query": "data.builtin.kubernetes.KSV003.deny", + "Resolution": "Add 'ALL' to containers[].securityContext.capabilities.drop.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv003", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-capabilities-drop-index-all/", + "https://avd.aquasec.com/misconfig/ksv003" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 68, + "EndLine": 94, + "Code": { + "Lines": [ + { + "Number": 68, + "Content": " - env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33menv\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 69, + "Content": " - name: CLAIR_CONF", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: CLAIR_CONF", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 70, + "Content": " value: /etc/clair/config.yaml", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: /etc/clair/config.yaml", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 71, + "Content": " - name: CLAIR_MODE", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: CLAIR_MODE", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 72, + "Content": " value: 
combo", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: combo", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 73, + "Content": " name: clair", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mname\u001b[0m: clair", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 74, + "Content": " image: \"quay.io/coreos/clair:v4.3.6\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/coreos/clair:v4.3.6\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 75, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 76, + "Content": " ports:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mports\u001b[0m:", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 77, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV003", + "AVDID": "AVD-KSV-0003", + "Title": "Default capabilities: some containers do not drop all", + "Description": "The container should drop all default capabilities and add only those that are needed for its execution.", + "Message": "Container 'pg-ready-wait' of Deployment 'clair' should add 'ALL' to 'securityContext.capabilities.drop'", + "Namespace": "builtin.kubernetes.KSV003", + "Query": "data.builtin.kubernetes.KSV003.deny", + "Resolution": "Add 'ALL' to containers[].securityContext.capabilities.drop.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv003", + "References": [ + 
"https://kubesec.io/basics/containers-securitycontext-capabilities-drop-index-all/", + "https://avd.aquasec.com/misconfig/ksv003" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 62, + "EndLine": 65, + "Code": { + "Lines": [ + { + "Number": 62, + "Content": " - name: pg-ready-wait", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: pg-ready-wait", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 63, + "Content": " image: \"quay.io/devtron/postgres:11.3\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/postgres:11.3\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 64, + "Content": " command: [ \"sh\", \"-c\",", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mcommand\u001b[0m: [ \u001b[38;5;37m\"sh\"\u001b[0m, \u001b[38;5;37m\"-c\"\u001b[0m,", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 65, + "Content": " \"until pg_isready -h postgresql-postgresql.devtroncd -p 5432;", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;37m\"until pg_isready -h postgresql-postgresql.devtroncd -p 5432;", + "FirstCause": false, + "LastCause": true + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV011", + "AVDID": "AVD-KSV-0011", + "Title": "CPU not limited", + "Description": "Enforcing CPU limits prevents DoS via resource exhaustion.", + "Message": "Container 'clair' of Deployment 'clair' should set 'resources.limits.cpu'", + "Namespace": "builtin.kubernetes.KSV011", + "Query": "data.builtin.kubernetes.KSV011.deny", + "Resolution": "Set a limit value under 'containers[].resources.limits.cpu'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv011", + 
"References": [ + "https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", + "https://avd.aquasec.com/misconfig/ksv011" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 68, + "EndLine": 94, + "Code": { + "Lines": [ + { + "Number": 68, + "Content": " - env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33menv\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 69, + "Content": " - name: CLAIR_CONF", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: CLAIR_CONF", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 70, + "Content": " value: /etc/clair/config.yaml", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: /etc/clair/config.yaml", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 71, + "Content": " - name: CLAIR_MODE", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: CLAIR_MODE", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 72, + "Content": " value: combo", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: combo", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 73, + "Content": " name: clair", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mname\u001b[0m: clair", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 74, + "Content": " image: \"quay.io/coreos/clair:v4.3.6\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/coreos/clair:v4.3.6\"", + "FirstCause": false, + "LastCause": false + }, + { + 
"Number": 75, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 76, + "Content": " ports:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mports\u001b[0m:", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 77, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV011", + "AVDID": "AVD-KSV-0011", + "Title": "CPU not limited", + "Description": "Enforcing CPU limits prevents DoS via resource exhaustion.", + "Message": "Container 'pg-ready-wait' of Deployment 'clair' should set 'resources.limits.cpu'", + "Namespace": "builtin.kubernetes.KSV011", + "Query": "data.builtin.kubernetes.KSV011.deny", + "Resolution": "Set a limit value under 'containers[].resources.limits.cpu'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv011", + "References": [ + "https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", + "https://avd.aquasec.com/misconfig/ksv011" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 62, + "EndLine": 65, + "Code": { + "Lines": [ + { + "Number": 62, + "Content": " - name: pg-ready-wait", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: pg-ready-wait", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 63, + "Content": " image: \"quay.io/devtron/postgres:11.3\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: 
\u001b[38;5;37m\"quay.io/devtron/postgres:11.3\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 64, + "Content": " command: [ \"sh\", \"-c\",", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mcommand\u001b[0m: [ \u001b[38;5;37m\"sh\"\u001b[0m, \u001b[38;5;37m\"-c\"\u001b[0m,", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 65, + "Content": " \"until pg_isready -h postgresql-postgresql.devtroncd -p 5432;", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;37m\"until pg_isready -h postgresql-postgresql.devtroncd -p 5432;", + "FirstCause": false, + "LastCause": true + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV012", + "AVDID": "AVD-KSV-0012", + "Title": "Runs as root user", + "Description": "Force the running image to run as a non-root user to ensure least privileges.", + "Message": "Container 'clair' of Deployment 'clair' should set 'securityContext.runAsNonRoot' to true", + "Namespace": "builtin.kubernetes.KSV012", + "Query": "data.builtin.kubernetes.KSV012.deny", + "Resolution": "Set 'containers[].securityContext.runAsNonRoot' to true.", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv012", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", + "https://avd.aquasec.com/misconfig/ksv012" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 68, + "EndLine": 94, + "Code": { + "Lines": [ + { + "Number": 68, + "Content": " - env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33menv\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 69, + "Content": " - name: CLAIR_CONF", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: 
CLAIR_CONF", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 70, + "Content": " value: /etc/clair/config.yaml", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: /etc/clair/config.yaml", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 71, + "Content": " - name: CLAIR_MODE", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: CLAIR_MODE", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 72, + "Content": " value: combo", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: combo", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 73, + "Content": " name: clair", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mname\u001b[0m: clair", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 74, + "Content": " image: \"quay.io/coreos/clair:v4.3.6\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/coreos/clair:v4.3.6\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 75, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 76, + "Content": " ports:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mports\u001b[0m:", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 77, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV012", + "AVDID": "AVD-KSV-0012", + "Title": "Runs as 
root user", + "Description": "Force the running image to run as a non-root user to ensure least privileges.", + "Message": "Container 'pg-ready-wait' of Deployment 'clair' should set 'securityContext.runAsNonRoot' to true", + "Namespace": "builtin.kubernetes.KSV012", + "Query": "data.builtin.kubernetes.KSV012.deny", + "Resolution": "Set 'containers[].securityContext.runAsNonRoot' to true.", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv012", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", + "https://avd.aquasec.com/misconfig/ksv012" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 62, + "EndLine": 65, + "Code": { + "Lines": [ + { + "Number": 62, + "Content": " - name: pg-ready-wait", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: pg-ready-wait", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 63, + "Content": " image: \"quay.io/devtron/postgres:11.3\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/postgres:11.3\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 64, + "Content": " command: [ \"sh\", \"-c\",", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mcommand\u001b[0m: [ \u001b[38;5;37m\"sh\"\u001b[0m, \u001b[38;5;37m\"-c\"\u001b[0m,", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 65, + "Content": " \"until pg_isready -h postgresql-postgresql.devtroncd -p 5432;", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;37m\"until pg_isready -h postgresql-postgresql.devtroncd -p 5432;", + "FirstCause": false, + "LastCause": true + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + 
"ID": "KSV014", + "AVDID": "AVD-KSV-0014", + "Title": "Root file system is not read-only", + "Description": "An immutable root file system prevents applications from writing to their local disk. This can limit intrusions, as attackers will not be able to tamper with the file system or write foreign executables to disk.", + "Message": "Container 'clair' of Deployment 'clair' should set 'securityContext.readOnlyRootFilesystem' to true", + "Namespace": "builtin.kubernetes.KSV014", + "Query": "data.builtin.kubernetes.KSV014.deny", + "Resolution": "Change 'containers[].securityContext.readOnlyRootFilesystem' to 'true'.", + "Severity": "HIGH", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv014", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-readonlyrootfilesystem-true/", + "https://avd.aquasec.com/misconfig/ksv014" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 68, + "EndLine": 94, + "Code": { + "Lines": [ + { + "Number": 68, + "Content": " - env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33menv\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 69, + "Content": " - name: CLAIR_CONF", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: CLAIR_CONF", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 70, + "Content": " value: /etc/clair/config.yaml", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: /etc/clair/config.yaml", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 71, + "Content": " - name: CLAIR_MODE", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: CLAIR_MODE", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 72, + "Content": " value: combo", + 
"IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: combo", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 73, + "Content": " name: clair", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mname\u001b[0m: clair", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 74, + "Content": " image: \"quay.io/coreos/clair:v4.3.6\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/coreos/clair:v4.3.6\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 75, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 76, + "Content": " ports:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mports\u001b[0m:", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 77, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV014", + "AVDID": "AVD-KSV-0014", + "Title": "Root file system is not read-only", + "Description": "An immutable root file system prevents applications from writing to their local disk. 
This can limit intrusions, as attackers will not be able to tamper with the file system or write foreign executables to disk.", + "Message": "Container 'pg-ready-wait' of Deployment 'clair' should set 'securityContext.readOnlyRootFilesystem' to true", + "Namespace": "builtin.kubernetes.KSV014", + "Query": "data.builtin.kubernetes.KSV014.deny", + "Resolution": "Change 'containers[].securityContext.readOnlyRootFilesystem' to 'true'.", + "Severity": "HIGH", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv014", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-readonlyrootfilesystem-true/", + "https://avd.aquasec.com/misconfig/ksv014" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 62, + "EndLine": 65, + "Code": { + "Lines": [ + { + "Number": 62, + "Content": " - name: pg-ready-wait", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: pg-ready-wait", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 63, + "Content": " image: \"quay.io/devtron/postgres:11.3\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/postgres:11.3\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 64, + "Content": " command: [ \"sh\", \"-c\",", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mcommand\u001b[0m: [ \u001b[38;5;37m\"sh\"\u001b[0m, \u001b[38;5;37m\"-c\"\u001b[0m,", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 65, + "Content": " \"until pg_isready -h postgresql-postgresql.devtroncd -p 5432;", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;37m\"until pg_isready -h postgresql-postgresql.devtroncd -p 5432;", + "FirstCause": false, + "LastCause": true + } + ] + } + } + }, + { + 
"Type": "Kubernetes Security Check", + "ID": "KSV015", + "AVDID": "AVD-KSV-0015", + "Title": "CPU requests not specified", + "Description": "When containers have resource requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", + "Message": "Container 'clair' of Deployment 'clair' should set 'resources.requests.cpu'", + "Namespace": "builtin.kubernetes.KSV015", + "Query": "data.builtin.kubernetes.KSV015.deny", + "Resolution": "Set 'containers[].resources.requests.cpu'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv015", + "References": [ + "https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", + "https://avd.aquasec.com/misconfig/ksv015" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 68, + "EndLine": 94, + "Code": { + "Lines": [ + { + "Number": 68, + "Content": " - env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33menv\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 69, + "Content": " - name: CLAIR_CONF", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: CLAIR_CONF", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 70, + "Content": " value: /etc/clair/config.yaml", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: /etc/clair/config.yaml", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 71, + "Content": " - name: CLAIR_MODE", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: CLAIR_MODE", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 72, + "Content": " value: combo", + "IsCause": true, + "Annotation": 
"", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: combo", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 73, + "Content": " name: clair", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mname\u001b[0m: clair", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 74, + "Content": " image: \"quay.io/coreos/clair:v4.3.6\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/coreos/clair:v4.3.6\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 75, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 76, + "Content": " ports:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mports\u001b[0m:", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 77, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV015", + "AVDID": "AVD-KSV-0015", + "Title": "CPU requests not specified", + "Description": "When containers have resource requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", + "Message": "Container 'pg-ready-wait' of Deployment 'clair' should set 'resources.requests.cpu'", + "Namespace": "builtin.kubernetes.KSV015", + "Query": "data.builtin.kubernetes.KSV015.deny", + "Resolution": "Set 'containers[].resources.requests.cpu'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv015", + "References": [ + 
"https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", + "https://avd.aquasec.com/misconfig/ksv015" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 62, + "EndLine": 65, + "Code": { + "Lines": [ + { + "Number": 62, + "Content": " - name: pg-ready-wait", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: pg-ready-wait", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 63, + "Content": " image: \"quay.io/devtron/postgres:11.3\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/postgres:11.3\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 64, + "Content": " command: [ \"sh\", \"-c\",", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mcommand\u001b[0m: [ \u001b[38;5;37m\"sh\"\u001b[0m, \u001b[38;5;37m\"-c\"\u001b[0m,", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 65, + "Content": " \"until pg_isready -h postgresql-postgresql.devtroncd -p 5432;", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;37m\"until pg_isready -h postgresql-postgresql.devtroncd -p 5432;", + "FirstCause": false, + "LastCause": true + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV016", + "AVDID": "AVD-KSV-0016", + "Title": "Memory requests not specified", + "Description": "When containers have memory requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", + "Message": "Container 'clair' of Deployment 'clair' should set 'resources.requests.memory'", + "Namespace": "builtin.kubernetes.KSV016", + "Query": "data.builtin.kubernetes.KSV016.deny", + 
"Resolution": "Set 'containers[].resources.requests.memory'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv016", + "References": [ + "https://kubesec.io/basics/containers-resources-limits-memory/", + "https://avd.aquasec.com/misconfig/ksv016" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 68, + "EndLine": 94, + "Code": { + "Lines": [ + { + "Number": 68, + "Content": " - env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33menv\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 69, + "Content": " - name: CLAIR_CONF", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: CLAIR_CONF", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 70, + "Content": " value: /etc/clair/config.yaml", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: /etc/clair/config.yaml", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 71, + "Content": " - name: CLAIR_MODE", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: CLAIR_MODE", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 72, + "Content": " value: combo", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: combo", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 73, + "Content": " name: clair", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mname\u001b[0m: clair", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 74, + "Content": " image: \"quay.io/coreos/clair:v4.3.6\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: 
\u001b[38;5;37m\"quay.io/coreos/clair:v4.3.6\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 75, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 76, + "Content": " ports:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mports\u001b[0m:", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 77, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV016", + "AVDID": "AVD-KSV-0016", + "Title": "Memory requests not specified", + "Description": "When containers have memory requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", + "Message": "Container 'pg-ready-wait' of Deployment 'clair' should set 'resources.requests.memory'", + "Namespace": "builtin.kubernetes.KSV016", + "Query": "data.builtin.kubernetes.KSV016.deny", + "Resolution": "Set 'containers[].resources.requests.memory'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv016", + "References": [ + "https://kubesec.io/basics/containers-resources-limits-memory/", + "https://avd.aquasec.com/misconfig/ksv016" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 62, + "EndLine": 65, + "Code": { + "Lines": [ + { + "Number": 62, + "Content": " - name: pg-ready-wait", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: pg-ready-wait", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 63, + "Content": " image: 
\"quay.io/devtron/postgres:11.3\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/postgres:11.3\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 64, + "Content": " command: [ \"sh\", \"-c\",", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mcommand\u001b[0m: [ \u001b[38;5;37m\"sh\"\u001b[0m, \u001b[38;5;37m\"-c\"\u001b[0m,", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 65, + "Content": " \"until pg_isready -h postgresql-postgresql.devtroncd -p 5432;", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;37m\"until pg_isready -h postgresql-postgresql.devtroncd -p 5432;", + "FirstCause": false, + "LastCause": true + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV018", + "AVDID": "AVD-KSV-0018", + "Title": "Memory not limited", + "Description": "Enforcing memory limits prevents DoS via resource exhaustion.", + "Message": "Container 'clair' of Deployment 'clair' should set 'resources.limits.memory'", + "Namespace": "builtin.kubernetes.KSV018", + "Query": "data.builtin.kubernetes.KSV018.deny", + "Resolution": "Set a limit value under 'containers[].resources.limits.memory'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv018", + "References": [ + "https://kubesec.io/basics/containers-resources-limits-memory/", + "https://avd.aquasec.com/misconfig/ksv018" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 68, + "EndLine": 94, + "Code": { + "Lines": [ + { + "Number": 68, + "Content": " - env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33menv\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 69, + "Content": " - name: CLAIR_CONF", + 
"IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: CLAIR_CONF", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 70, + "Content": " value: /etc/clair/config.yaml", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: /etc/clair/config.yaml", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 71, + "Content": " - name: CLAIR_MODE", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: CLAIR_MODE", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 72, + "Content": " value: combo", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: combo", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 73, + "Content": " name: clair", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mname\u001b[0m: clair", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 74, + "Content": " image: \"quay.io/coreos/clair:v4.3.6\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/coreos/clair:v4.3.6\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 75, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 76, + "Content": " ports:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mports\u001b[0m:", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 77, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + 
}, + { + "Type": "Kubernetes Security Check", + "ID": "KSV018", + "AVDID": "AVD-KSV-0018", + "Title": "Memory not limited", + "Description": "Enforcing memory limits prevents DoS via resource exhaustion.", + "Message": "Container 'pg-ready-wait' of Deployment 'clair' should set 'resources.limits.memory'", + "Namespace": "builtin.kubernetes.KSV018", + "Query": "data.builtin.kubernetes.KSV018.deny", + "Resolution": "Set a limit value under 'containers[].resources.limits.memory'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv018", + "References": [ + "https://kubesec.io/basics/containers-resources-limits-memory/", + "https://avd.aquasec.com/misconfig/ksv018" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 62, + "EndLine": 65, + "Code": { + "Lines": [ + { + "Number": 62, + "Content": " - name: pg-ready-wait", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: pg-ready-wait", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 63, + "Content": " image: \"quay.io/devtron/postgres:11.3\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/postgres:11.3\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 64, + "Content": " command: [ \"sh\", \"-c\",", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mcommand\u001b[0m: [ \u001b[38;5;37m\"sh\"\u001b[0m, \u001b[38;5;37m\"-c\"\u001b[0m,", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 65, + "Content": " \"until pg_isready -h postgresql-postgresql.devtroncd -p 5432;", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;37m\"until pg_isready -h postgresql-postgresql.devtroncd -p 5432;", + "FirstCause": false, + "LastCause": true 
+ } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV020", + "AVDID": "AVD-KSV-0020", + "Title": "Runs with UID \u003c= 10000", + "Description": "Force the container to run with user ID \u003e 10000 to avoid conflicts with the host’s user table.", + "Message": "Container 'clair' of Deployment 'clair' should set 'securityContext.runAsUser' \u003e 10000", + "Namespace": "builtin.kubernetes.KSV020", + "Query": "data.builtin.kubernetes.KSV020.deny", + "Resolution": "Set 'containers[].securityContext.runAsUser' to an integer \u003e 10000.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv020", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-runasuser/", + "https://avd.aquasec.com/misconfig/ksv020" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 68, + "EndLine": 94, + "Code": { + "Lines": [ + { + "Number": 68, + "Content": " - env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33menv\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 69, + "Content": " - name: CLAIR_CONF", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: CLAIR_CONF", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 70, + "Content": " value: /etc/clair/config.yaml", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: /etc/clair/config.yaml", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 71, + "Content": " - name: CLAIR_MODE", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: CLAIR_MODE", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 72, + "Content": " value: combo", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " 
\u001b[38;5;33mvalue\u001b[0m: combo", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 73, + "Content": " name: clair", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mname\u001b[0m: clair", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 74, + "Content": " image: \"quay.io/coreos/clair:v4.3.6\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/coreos/clair:v4.3.6\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 75, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 76, + "Content": " ports:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mports\u001b[0m:", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 77, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV020", + "AVDID": "AVD-KSV-0020", + "Title": "Runs with UID \u003c= 10000", + "Description": "Force the container to run with user ID \u003e 10000 to avoid conflicts with the host’s user table.", + "Message": "Container 'pg-ready-wait' of Deployment 'clair' should set 'securityContext.runAsUser' \u003e 10000", + "Namespace": "builtin.kubernetes.KSV020", + "Query": "data.builtin.kubernetes.KSV020.deny", + "Resolution": "Set 'containers[].securityContext.runAsUser' to an integer \u003e 10000.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv020", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-runasuser/", + "https://avd.aquasec.com/misconfig/ksv020" + ], + "Status": 
"FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 62, + "EndLine": 65, + "Code": { + "Lines": [ + { + "Number": 62, + "Content": " - name: pg-ready-wait", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: pg-ready-wait", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 63, + "Content": " image: \"quay.io/devtron/postgres:11.3\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/postgres:11.3\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 64, + "Content": " command: [ \"sh\", \"-c\",", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mcommand\u001b[0m: [ \u001b[38;5;37m\"sh\"\u001b[0m, \u001b[38;5;37m\"-c\"\u001b[0m,", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 65, + "Content": " \"until pg_isready -h postgresql-postgresql.devtroncd -p 5432;", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;37m\"until pg_isready -h postgresql-postgresql.devtroncd -p 5432;", + "FirstCause": false, + "LastCause": true + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV021", + "AVDID": "AVD-KSV-0021", + "Title": "Runs with GID \u003c= 10000", + "Description": "Force the container to run with group ID \u003e 10000 to avoid conflicts with the host’s user table.", + "Message": "Container 'clair' of Deployment 'clair' should set 'securityContext.runAsGroup' \u003e 10000", + "Namespace": "builtin.kubernetes.KSV021", + "Query": "data.builtin.kubernetes.KSV021.deny", + "Resolution": "Set 'containers[].securityContext.runAsGroup' to an integer \u003e 10000.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv021", + "References": [ + 
"https://kubesec.io/basics/containers-securitycontext-runasuser/", + "https://avd.aquasec.com/misconfig/ksv021" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 68, + "EndLine": 94, + "Code": { + "Lines": [ + { + "Number": 68, + "Content": " - env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33menv\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 69, + "Content": " - name: CLAIR_CONF", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: CLAIR_CONF", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 70, + "Content": " value: /etc/clair/config.yaml", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: /etc/clair/config.yaml", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 71, + "Content": " - name: CLAIR_MODE", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: CLAIR_MODE", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 72, + "Content": " value: combo", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: combo", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 73, + "Content": " name: clair", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mname\u001b[0m: clair", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 74, + "Content": " image: \"quay.io/coreos/clair:v4.3.6\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/coreos/clair:v4.3.6\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 75, + "Content": " imagePullPolicy: IfNotPresent", + 
"IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 76, + "Content": " ports:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mports\u001b[0m:", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 77, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV021", + "AVDID": "AVD-KSV-0021", + "Title": "Runs with GID \u003c= 10000", + "Description": "Force the container to run with group ID \u003e 10000 to avoid conflicts with the host’s user table.", + "Message": "Container 'pg-ready-wait' of Deployment 'clair' should set 'securityContext.runAsGroup' \u003e 10000", + "Namespace": "builtin.kubernetes.KSV021", + "Query": "data.builtin.kubernetes.KSV021.deny", + "Resolution": "Set 'containers[].securityContext.runAsGroup' to an integer \u003e 10000.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv021", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-runasuser/", + "https://avd.aquasec.com/misconfig/ksv021" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 62, + "EndLine": 65, + "Code": { + "Lines": [ + { + "Number": 62, + "Content": " - name: pg-ready-wait", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: pg-ready-wait", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 63, + "Content": " image: \"quay.io/devtron/postgres:11.3\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/postgres:11.3\"", + "FirstCause": false, 
+ "LastCause": false + }, + { + "Number": 64, + "Content": " command: [ \"sh\", \"-c\",", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mcommand\u001b[0m: [ \u001b[38;5;37m\"sh\"\u001b[0m, \u001b[38;5;37m\"-c\"\u001b[0m,", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 65, + "Content": " \"until pg_isready -h postgresql-postgresql.devtroncd -p 5432;", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;37m\"until pg_isready -h postgresql-postgresql.devtroncd -p 5432;", + "FirstCause": false, + "LastCause": true + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV030", + "AVDID": "AVD-KSV-0030", + "Title": "Runtime/Default Seccomp profile not set", + "Description": "According to pod security standard 'Seccomp', the RuntimeDefault seccomp profile must be required, or allow specific additional profiles.", + "Message": "Either Pod or Container should set 'securityContext.seccompProfile.type' to 'RuntimeDefault'", + "Namespace": "builtin.kubernetes.KSV030", + "Query": "data.builtin.kubernetes.KSV030.deny", + "Resolution": "Set 'spec.securityContext.seccompProfile.type', 'spec.containers[*].securityContext.seccompProfile' and 'spec.initContainers[*].securityContext.seccompProfile' to 'RuntimeDefault' or undefined.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv030", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", + "https://avd.aquasec.com/misconfig/ksv030" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 68, + "EndLine": 94, + "Code": { + "Lines": [ + { + "Number": 68, + "Content": " - env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33menv\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 69, + 
"Content": " - name: CLAIR_CONF", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: CLAIR_CONF", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 70, + "Content": " value: /etc/clair/config.yaml", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: /etc/clair/config.yaml", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 71, + "Content": " - name: CLAIR_MODE", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: CLAIR_MODE", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 72, + "Content": " value: combo", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: combo", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 73, + "Content": " name: clair", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mname\u001b[0m: clair", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 74, + "Content": " image: \"quay.io/coreos/clair:v4.3.6\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/coreos/clair:v4.3.6\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 75, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 76, + "Content": " ports:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mports\u001b[0m:", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 77, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + 
"LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV030", + "AVDID": "AVD-KSV-0030", + "Title": "Runtime/Default Seccomp profile not set", + "Description": "According to pod security standard 'Seccomp', the RuntimeDefault seccomp profile must be required, or allow specific additional profiles.", + "Message": "Either Pod or Container should set 'securityContext.seccompProfile.type' to 'RuntimeDefault'", + "Namespace": "builtin.kubernetes.KSV030", + "Query": "data.builtin.kubernetes.KSV030.deny", + "Resolution": "Set 'spec.securityContext.seccompProfile.type', 'spec.containers[*].securityContext.seccompProfile' and 'spec.initContainers[*].securityContext.seccompProfile' to 'RuntimeDefault' or undefined.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv030", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", + "https://avd.aquasec.com/misconfig/ksv030" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 62, + "EndLine": 65, + "Code": { + "Lines": [ + { + "Number": 62, + "Content": " - name: pg-ready-wait", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: pg-ready-wait", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 63, + "Content": " image: \"quay.io/devtron/postgres:11.3\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/postgres:11.3\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 64, + "Content": " command: [ \"sh\", \"-c\",", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mcommand\u001b[0m: [ \u001b[38;5;37m\"sh\"\u001b[0m, \u001b[38;5;37m\"-c\"\u001b[0m,", + "FirstCause": false, + "LastCause": false + }, + { + 
"Number": 65, + "Content": " \"until pg_isready -h postgresql-postgresql.devtroncd -p 5432;", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;37m\"until pg_isready -h postgresql-postgresql.devtroncd -p 5432;", + "FirstCause": false, + "LastCause": true + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV104", + "AVDID": "AVD-KSV-0104", + "Title": "Seccomp policies disabled", + "Description": "A program inside the container can bypass Seccomp protection policies.", + "Message": "container \"clair\" of deployment \"clair\" in \"default\" namespace should specify a seccomp profile", + "Namespace": "builtin.kubernetes.KSV104", + "Query": "data.builtin.kubernetes.KSV104.deny", + "Resolution": "Specify seccomp either by annotation or by seccomp profile type having allowed values as per pod security standards", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv104", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline", + "https://avd.aquasec.com/misconfig/ksv104" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 37, + "EndLine": 37, + "Code": { + "Lines": [ + { + "Number": 37, + "Content": "---", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "---", + "FirstCause": true, + "LastCause": true + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV104", + "AVDID": "AVD-KSV-0104", + "Title": "Seccomp policies disabled", + "Description": "A program inside the container can bypass Seccomp protection policies.", + "Message": "container \"pg-ready-wait\" of deployment \"clair\" in \"default\" namespace should specify a seccomp profile", + "Namespace": "builtin.kubernetes.KSV104", + "Query": "data.builtin.kubernetes.KSV104.deny", + "Resolution": "Specify seccomp either by annotation or by seccomp profile type 
having allowed values as per pod security standards", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv104", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline", + "https://avd.aquasec.com/misconfig/ksv104" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 37, + "EndLine": 37, + "Code": { + "Lines": [ + { + "Number": 37, + "Content": "---", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "---", + "FirstCause": true, + "LastCause": true + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV106", + "AVDID": "AVD-KSV-0106", + "Title": "Container capabilities must only include NET_BIND_SERVICE", + "Description": "Containers must drop ALL capabilities, and are only permitted to add back the NET_BIND_SERVICE capability.", + "Message": "container should drop all", + "Namespace": "builtin.kubernetes.KSV106", + "Query": "data.builtin.kubernetes.KSV106.deny", + "Resolution": "Set 'spec.containers[*].securityContext.capabilities.drop' to 'ALL' and only add 'NET_BIND_SERVICE' to 'spec.containers[*].securityContext.capabilities.add'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv106", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", + "https://avd.aquasec.com/misconfig/ksv106" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 62, + "EndLine": 65, + "Code": { + "Lines": [ + { + "Number": 62, + "Content": " - name: pg-ready-wait", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: pg-ready-wait", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 63, + "Content": " image: \"quay.io/devtron/postgres:11.3\"", + "IsCause": true, + "Annotation": 
"", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/postgres:11.3\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 64, + "Content": " command: [ \"sh\", \"-c\",", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mcommand\u001b[0m: [ \u001b[38;5;37m\"sh\"\u001b[0m, \u001b[38;5;37m\"-c\"\u001b[0m,", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 65, + "Content": " \"until pg_isready -h postgresql-postgresql.devtroncd -p 5432;", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;37m\"until pg_isready -h postgresql-postgresql.devtroncd -p 5432;", + "FirstCause": false, + "LastCause": true + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV106", + "AVDID": "AVD-KSV-0106", + "Title": "Container capabilities must only include NET_BIND_SERVICE", + "Description": "Containers must drop ALL capabilities, and are only permitted to add back the NET_BIND_SERVICE capability.", + "Message": "container should drop all", + "Namespace": "builtin.kubernetes.KSV106", + "Query": "data.builtin.kubernetes.KSV106.deny", + "Resolution": "Set 'spec.containers[*].securityContext.capabilities.drop' to 'ALL' and only add 'NET_BIND_SERVICE' to 'spec.containers[*].securityContext.capabilities.add'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv106", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", + "https://avd.aquasec.com/misconfig/ksv106" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 68, + "EndLine": 94, + "Code": { + "Lines": [ + { + "Number": 68, + "Content": " - env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33menv\u001b[0m:", + "FirstCause": true, + "LastCause": 
false + }, + { + "Number": 69, + "Content": " - name: CLAIR_CONF", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: CLAIR_CONF", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 70, + "Content": " value: /etc/clair/config.yaml", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: /etc/clair/config.yaml", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 71, + "Content": " - name: CLAIR_MODE", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: CLAIR_MODE", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 72, + "Content": " value: combo", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: combo", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 73, + "Content": " name: clair", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mname\u001b[0m: clair", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 74, + "Content": " image: \"quay.io/coreos/clair:v4.3.6\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/coreos/clair:v4.3.6\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 75, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 76, + "Content": " ports:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mports\u001b[0m:", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 77, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": 
true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + } + ] + }, + { + "Target": "manifests/yamls/dashboard.yaml", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 153, + "Failures": 25, + "Exceptions": 0 + }, + "Misconfigurations": [ + { + "Type": "Kubernetes Security Check", + "ID": "KSV001", + "AVDID": "AVD-KSV-0001", + "Title": "Can elevate its own privileges", + "Description": "A program inside the container can elevate its own privileges and run as root, which might give the program control over the container and node.", + "Message": "Container 'envoy' of Deployment 'dashboard' should set 'securityContext.allowPrivilegeEscalation' to false", + "Namespace": "builtin.kubernetes.KSV001", + "Query": "data.builtin.kubernetes.KSV001.deny", + "Resolution": "Set 'set containers[].securityContext.allowPrivilegeEscalation' to 'false'.", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv001", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", + "https://avd.aquasec.com/misconfig/ksv001" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 223, + "EndLine": 236, + "Code": { + "Lines": [ + { + "Number": 223, + "Content": " - name: envoy", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: envoy", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 224, + "Content": " image: \"quay.io/devtron/envoy:v1.14.1\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/envoy:v1.14.1\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 225, + "Content": " ports:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mports\u001b[0m:", + "FirstCause": false, 
+ "LastCause": false + }, + { + "Number": 226, + "Content": " - containerPort: 9901", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m9901", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 227, + "Content": " protocol: TCP", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mprotocol\u001b[0m: TCP", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 228, + "Content": " name: envoy-admin", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mname\u001b[0m: envoy-admin", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 229, + "Content": " - name: app", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: app", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 230, + "Content": " containerPort: 8790", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m8790", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 231, + "Content": " protocol: TCP", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mprotocol\u001b[0m: TCP", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 232, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV003", + "AVDID": "AVD-KSV-0003", + "Title": "Default capabilities: some containers do not drop all", + "Description": "The container should drop all default capabilities and add only those that are needed for its execution.", + "Message": "Container 'dashboard' of Deployment 'dashboard' should add 'ALL' to 'securityContext.capabilities.drop'", + 
"Namespace": "builtin.kubernetes.KSV003", + "Query": "data.builtin.kubernetes.KSV003.deny", + "Resolution": "Add 'ALL' to containers[].securityContext.capabilities.drop.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv003", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-capabilities-drop-index-all/", + "https://avd.aquasec.com/misconfig/ksv003" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 237, + "EndLine": 264, + "Code": { + "Lines": [ + { + "Number": 237, + "Content": " - name: dashboard", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: dashboard", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 238, + "Content": " image: \"quay.io/devtron/dashboard:9429b066-325-21529\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/dashboard:9429b066-325-21529\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 239, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 240, + "Content": " securityContext:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33msecurityContext\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 241, + "Content": " allowPrivilegeEscalation: false", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mallowPrivilegeEscalation\u001b[0m: \u001b[38;5;166mfalse", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 242, + "Content": " runAsUser: 1000", + "IsCause": true, + "Annotation": "", + "Truncated": 
false, + "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1000", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 243, + "Content": " runAsNonRoot: true", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 244, + "Content": " ports:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mports\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 245, + "Content": " - name: app", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: app", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 246, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV003", + "AVDID": "AVD-KSV-0003", + "Title": "Default capabilities: some containers do not drop all", + "Description": "The container should drop all default capabilities and add only those that are needed for its execution.", + "Message": "Container 'envoy' of Deployment 'dashboard' should add 'ALL' to 'securityContext.capabilities.drop'", + "Namespace": "builtin.kubernetes.KSV003", + "Query": "data.builtin.kubernetes.KSV003.deny", + "Resolution": "Add 'ALL' to containers[].securityContext.capabilities.drop.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv003", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-capabilities-drop-index-all/", + "https://avd.aquasec.com/misconfig/ksv003" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 223, + "EndLine": 236, + "Code": { + "Lines": [ + { + "Number": 223, + 
"Content": " - name: envoy", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: envoy", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 224, + "Content": " image: \"quay.io/devtron/envoy:v1.14.1\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/envoy:v1.14.1\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 225, + "Content": " ports:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mports\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 226, + "Content": " - containerPort: 9901", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m9901", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 227, + "Content": " protocol: TCP", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mprotocol\u001b[0m: TCP", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 228, + "Content": " name: envoy-admin", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mname\u001b[0m: envoy-admin", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 229, + "Content": " - name: app", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: app", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 230, + "Content": " containerPort: 8790", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m8790", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 231, + "Content": " protocol: TCP", + "IsCause": true, + "Annotation": "", + "Truncated": false, + 
"Highlighted": "\u001b[0m \u001b[38;5;33mprotocol\u001b[0m: TCP", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 232, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV011", + "AVDID": "AVD-KSV-0011", + "Title": "CPU not limited", + "Description": "Enforcing CPU limits prevents DoS via resource exhaustion.", + "Message": "Container 'dashboard' of Deployment 'dashboard' should set 'resources.limits.cpu'", + "Namespace": "builtin.kubernetes.KSV011", + "Query": "data.builtin.kubernetes.KSV011.deny", + "Resolution": "Set a limit value under 'containers[].resources.limits.cpu'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv011", + "References": [ + "https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", + "https://avd.aquasec.com/misconfig/ksv011" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 237, + "EndLine": 264, + "Code": { + "Lines": [ + { + "Number": 237, + "Content": " - name: dashboard", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: dashboard", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 238, + "Content": " image: \"quay.io/devtron/dashboard:9429b066-325-21529\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/dashboard:9429b066-325-21529\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 239, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + 
{ + "Number": 240, + "Content": " securityContext:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33msecurityContext\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 241, + "Content": " allowPrivilegeEscalation: false", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mallowPrivilegeEscalation\u001b[0m: \u001b[38;5;166mfalse", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 242, + "Content": " runAsUser: 1000", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1000", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 243, + "Content": " runAsNonRoot: true", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 244, + "Content": " ports:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mports\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 245, + "Content": " - name: app", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: app", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 246, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV011", + "AVDID": "AVD-KSV-0011", + "Title": "CPU not limited", + "Description": "Enforcing CPU limits prevents DoS via resource exhaustion.", + "Message": "Container 'envoy' of Deployment 'dashboard' should set 'resources.limits.cpu'", + "Namespace": "builtin.kubernetes.KSV011", + "Query": "data.builtin.kubernetes.KSV011.deny", + "Resolution": 
"Set a limit value under 'containers[].resources.limits.cpu'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv011", + "References": [ + "https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", + "https://avd.aquasec.com/misconfig/ksv011" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 223, + "EndLine": 236, + "Code": { + "Lines": [ + { + "Number": 223, + "Content": " - name: envoy", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: envoy", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 224, + "Content": " image: \"quay.io/devtron/envoy:v1.14.1\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/envoy:v1.14.1\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 225, + "Content": " ports:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mports\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 226, + "Content": " - containerPort: 9901", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m9901", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 227, + "Content": " protocol: TCP", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mprotocol\u001b[0m: TCP", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 228, + "Content": " name: envoy-admin", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mname\u001b[0m: envoy-admin", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 229, + "Content": " - name: app", + 
"IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: app", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 230, + "Content": " containerPort: 8790", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m8790", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 231, + "Content": " protocol: TCP", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mprotocol\u001b[0m: TCP", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 232, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV012", + "AVDID": "AVD-KSV-0012", + "Title": "Runs as root user", + "Description": "Force the running image to run as a non-root user to ensure least privileges.", + "Message": "Container 'envoy' of Deployment 'dashboard' should set 'securityContext.runAsNonRoot' to true", + "Namespace": "builtin.kubernetes.KSV012", + "Query": "data.builtin.kubernetes.KSV012.deny", + "Resolution": "Set 'containers[].securityContext.runAsNonRoot' to true.", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv012", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", + "https://avd.aquasec.com/misconfig/ksv012" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 223, + "EndLine": 236, + "Code": { + "Lines": [ + { + "Number": 223, + "Content": " - name: envoy", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: envoy", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 224, + "Content": " image: 
\"quay.io/devtron/envoy:v1.14.1\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/envoy:v1.14.1\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 225, + "Content": " ports:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mports\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 226, + "Content": " - containerPort: 9901", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m9901", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 227, + "Content": " protocol: TCP", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mprotocol\u001b[0m: TCP", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 228, + "Content": " name: envoy-admin", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mname\u001b[0m: envoy-admin", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 229, + "Content": " - name: app", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: app", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 230, + "Content": " containerPort: 8790", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m8790", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 231, + "Content": " protocol: TCP", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mprotocol\u001b[0m: TCP", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 232, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + 
"LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV014", + "AVDID": "AVD-KSV-0014", + "Title": "Root file system is not read-only", + "Description": "An immutable root file system prevents applications from writing to their local disk. This can limit intrusions, as attackers will not be able to tamper with the file system or write foreign executables to disk.", + "Message": "Container 'dashboard' of Deployment 'dashboard' should set 'securityContext.readOnlyRootFilesystem' to true", + "Namespace": "builtin.kubernetes.KSV014", + "Query": "data.builtin.kubernetes.KSV014.deny", + "Resolution": "Change 'containers[].securityContext.readOnlyRootFilesystem' to 'true'.", + "Severity": "HIGH", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv014", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-readonlyrootfilesystem-true/", + "https://avd.aquasec.com/misconfig/ksv014" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 237, + "EndLine": 264, + "Code": { + "Lines": [ + { + "Number": 237, + "Content": " - name: dashboard", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: dashboard", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 238, + "Content": " image: \"quay.io/devtron/dashboard:9429b066-325-21529\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/dashboard:9429b066-325-21529\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 239, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 240, + "Content": " securityContext:", + 
"IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33msecurityContext\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 241, + "Content": " allowPrivilegeEscalation: false", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mallowPrivilegeEscalation\u001b[0m: \u001b[38;5;166mfalse", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 242, + "Content": " runAsUser: 1000", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1000", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 243, + "Content": " runAsNonRoot: true", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 244, + "Content": " ports:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mports\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 245, + "Content": " - name: app", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: app", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 246, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV014", + "AVDID": "AVD-KSV-0014", + "Title": "Root file system is not read-only", + "Description": "An immutable root file system prevents applications from writing to their local disk. 
This can limit intrusions, as attackers will not be able to tamper with the file system or write foreign executables to disk.", + "Message": "Container 'envoy' of Deployment 'dashboard' should set 'securityContext.readOnlyRootFilesystem' to true", + "Namespace": "builtin.kubernetes.KSV014", + "Query": "data.builtin.kubernetes.KSV014.deny", + "Resolution": "Change 'containers[].securityContext.readOnlyRootFilesystem' to 'true'.", + "Severity": "HIGH", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv014", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-readonlyrootfilesystem-true/", + "https://avd.aquasec.com/misconfig/ksv014" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 223, + "EndLine": 236, + "Code": { + "Lines": [ + { + "Number": 223, + "Content": " - name: envoy", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: envoy", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 224, + "Content": " image: \"quay.io/devtron/envoy:v1.14.1\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/envoy:v1.14.1\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 225, + "Content": " ports:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mports\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 226, + "Content": " - containerPort: 9901", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m9901", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 227, + "Content": " protocol: TCP", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mprotocol\u001b[0m: TCP", 
+ "FirstCause": false, + "LastCause": false + }, + { + "Number": 228, + "Content": " name: envoy-admin", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mname\u001b[0m: envoy-admin", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 229, + "Content": " - name: app", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: app", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 230, + "Content": " containerPort: 8790", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m8790", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 231, + "Content": " protocol: TCP", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mprotocol\u001b[0m: TCP", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 232, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV015", + "AVDID": "AVD-KSV-0015", + "Title": "CPU requests not specified", + "Description": "When containers have resource requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", + "Message": "Container 'dashboard' of Deployment 'dashboard' should set 'resources.requests.cpu'", + "Namespace": "builtin.kubernetes.KSV015", + "Query": "data.builtin.kubernetes.KSV015.deny", + "Resolution": "Set 'containers[].resources.requests.cpu'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv015", + "References": [ + "https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", + "https://avd.aquasec.com/misconfig/ksv015" + ], + "Status": "FAIL", 
+ "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 237, + "EndLine": 264, + "Code": { + "Lines": [ + { + "Number": 237, + "Content": " - name: dashboard", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: dashboard", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 238, + "Content": " image: \"quay.io/devtron/dashboard:9429b066-325-21529\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/dashboard:9429b066-325-21529\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 239, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 240, + "Content": " securityContext:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33msecurityContext\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 241, + "Content": " allowPrivilegeEscalation: false", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mallowPrivilegeEscalation\u001b[0m: \u001b[38;5;166mfalse", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 242, + "Content": " runAsUser: 1000", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1000", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 243, + "Content": " runAsNonRoot: true", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 244, + "Content": 
" ports:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mports\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 245, + "Content": " - name: app", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: app", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 246, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV015", + "AVDID": "AVD-KSV-0015", + "Title": "CPU requests not specified", + "Description": "When containers have resource requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", + "Message": "Container 'envoy' of Deployment 'dashboard' should set 'resources.requests.cpu'", + "Namespace": "builtin.kubernetes.KSV015", + "Query": "data.builtin.kubernetes.KSV015.deny", + "Resolution": "Set 'containers[].resources.requests.cpu'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv015", + "References": [ + "https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", + "https://avd.aquasec.com/misconfig/ksv015" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 223, + "EndLine": 236, + "Code": { + "Lines": [ + { + "Number": 223, + "Content": " - name: envoy", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: envoy", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 224, + "Content": " image: \"quay.io/devtron/envoy:v1.14.1\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: 
\u001b[38;5;37m\"quay.io/devtron/envoy:v1.14.1\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 225, + "Content": " ports:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mports\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 226, + "Content": " - containerPort: 9901", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m9901", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 227, + "Content": " protocol: TCP", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mprotocol\u001b[0m: TCP", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 228, + "Content": " name: envoy-admin", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mname\u001b[0m: envoy-admin", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 229, + "Content": " - name: app", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: app", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 230, + "Content": " containerPort: 8790", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m8790", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 231, + "Content": " protocol: TCP", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mprotocol\u001b[0m: TCP", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 232, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV016", + "AVDID": "AVD-KSV-0016", + "Title": "Memory 
requests not specified", + "Description": "When containers have memory requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", + "Message": "Container 'dashboard' of Deployment 'dashboard' should set 'resources.requests.memory'", + "Namespace": "builtin.kubernetes.KSV016", + "Query": "data.builtin.kubernetes.KSV016.deny", + "Resolution": "Set 'containers[].resources.requests.memory'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv016", + "References": [ + "https://kubesec.io/basics/containers-resources-limits-memory/", + "https://avd.aquasec.com/misconfig/ksv016" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 237, + "EndLine": 264, + "Code": { + "Lines": [ + { + "Number": 237, + "Content": " - name: dashboard", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: dashboard", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 238, + "Content": " image: \"quay.io/devtron/dashboard:9429b066-325-21529\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/dashboard:9429b066-325-21529\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 239, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 240, + "Content": " securityContext:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33msecurityContext\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 241, + "Content": " allowPrivilegeEscalation: false", + "IsCause": true, + 
"Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mallowPrivilegeEscalation\u001b[0m: \u001b[38;5;166mfalse", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 242, + "Content": " runAsUser: 1000", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1000", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 243, + "Content": " runAsNonRoot: true", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 244, + "Content": " ports:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mports\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 245, + "Content": " - name: app", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: app", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 246, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV016", + "AVDID": "AVD-KSV-0016", + "Title": "Memory requests not specified", + "Description": "When containers have memory requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", + "Message": "Container 'envoy' of Deployment 'dashboard' should set 'resources.requests.memory'", + "Namespace": "builtin.kubernetes.KSV016", + "Query": "data.builtin.kubernetes.KSV016.deny", + "Resolution": "Set 'containers[].resources.requests.memory'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv016", + "References": [ + 
"https://kubesec.io/basics/containers-resources-limits-memory/", + "https://avd.aquasec.com/misconfig/ksv016" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 223, + "EndLine": 236, + "Code": { + "Lines": [ + { + "Number": 223, + "Content": " - name: envoy", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: envoy", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 224, + "Content": " image: \"quay.io/devtron/envoy:v1.14.1\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/envoy:v1.14.1\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 225, + "Content": " ports:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mports\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 226, + "Content": " - containerPort: 9901", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m9901", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 227, + "Content": " protocol: TCP", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mprotocol\u001b[0m: TCP", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 228, + "Content": " name: envoy-admin", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mname\u001b[0m: envoy-admin", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 229, + "Content": " - name: app", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: app", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 230, + "Content": " containerPort: 8790", + 
"IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m8790", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 231, + "Content": " protocol: TCP", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mprotocol\u001b[0m: TCP", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 232, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV018", + "AVDID": "AVD-KSV-0018", + "Title": "Memory not limited", + "Description": "Enforcing memory limits prevents DoS via resource exhaustion.", + "Message": "Container 'dashboard' of Deployment 'dashboard' should set 'resources.limits.memory'", + "Namespace": "builtin.kubernetes.KSV018", + "Query": "data.builtin.kubernetes.KSV018.deny", + "Resolution": "Set a limit value under 'containers[].resources.limits.memory'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv018", + "References": [ + "https://kubesec.io/basics/containers-resources-limits-memory/", + "https://avd.aquasec.com/misconfig/ksv018" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 237, + "EndLine": 264, + "Code": { + "Lines": [ + { + "Number": 237, + "Content": " - name: dashboard", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: dashboard", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 238, + "Content": " image: \"quay.io/devtron/dashboard:9429b066-325-21529\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/dashboard:9429b066-325-21529\"", + "FirstCause": false, + "LastCause": false + }, + 
{ + "Number": 239, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 240, + "Content": " securityContext:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33msecurityContext\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 241, + "Content": " allowPrivilegeEscalation: false", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mallowPrivilegeEscalation\u001b[0m: \u001b[38;5;166mfalse", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 242, + "Content": " runAsUser: 1000", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1000", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 243, + "Content": " runAsNonRoot: true", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 244, + "Content": " ports:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mports\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 245, + "Content": " - name: app", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: app", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 246, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV018", + "AVDID": "AVD-KSV-0018", + "Title": "Memory not limited", + "Description": 
"Enforcing memory limits prevents DoS via resource exhaustion.", + "Message": "Container 'envoy' of Deployment 'dashboard' should set 'resources.limits.memory'", + "Namespace": "builtin.kubernetes.KSV018", + "Query": "data.builtin.kubernetes.KSV018.deny", + "Resolution": "Set a limit value under 'containers[].resources.limits.memory'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv018", + "References": [ + "https://kubesec.io/basics/containers-resources-limits-memory/", + "https://avd.aquasec.com/misconfig/ksv018" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 223, + "EndLine": 236, + "Code": { + "Lines": [ + { + "Number": 223, + "Content": " - name: envoy", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: envoy", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 224, + "Content": " image: \"quay.io/devtron/envoy:v1.14.1\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/envoy:v1.14.1\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 225, + "Content": " ports:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mports\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 226, + "Content": " - containerPort: 9901", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m9901", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 227, + "Content": " protocol: TCP", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mprotocol\u001b[0m: TCP", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 228, + "Content": " name: envoy-admin", + 
"IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mname\u001b[0m: envoy-admin", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 229, + "Content": " - name: app", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: app", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 230, + "Content": " containerPort: 8790", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m8790", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 231, + "Content": " protocol: TCP", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mprotocol\u001b[0m: TCP", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 232, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV020", + "AVDID": "AVD-KSV-0020", + "Title": "Runs with UID \u003c= 10000", + "Description": "Force the container to run with user ID \u003e 10000 to avoid conflicts with the host’s user table.", + "Message": "Container 'dashboard' of Deployment 'dashboard' should set 'securityContext.runAsUser' \u003e 10000", + "Namespace": "builtin.kubernetes.KSV020", + "Query": "data.builtin.kubernetes.KSV020.deny", + "Resolution": "Set 'containers[].securityContext.runAsUser' to an integer \u003e 10000.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv020", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-runasuser/", + "https://avd.aquasec.com/misconfig/ksv020" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 237, + "EndLine": 264, + "Code": { + "Lines": [ + { + "Number": 237, + 
"Content": " - name: dashboard", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: dashboard", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 238, + "Content": " image: \"quay.io/devtron/dashboard:9429b066-325-21529\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/dashboard:9429b066-325-21529\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 239, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 240, + "Content": " securityContext:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33msecurityContext\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 241, + "Content": " allowPrivilegeEscalation: false", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mallowPrivilegeEscalation\u001b[0m: \u001b[38;5;166mfalse", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 242, + "Content": " runAsUser: 1000", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1000", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 243, + "Content": " runAsNonRoot: true", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 244, + "Content": " ports:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mports\u001b[0m:", + "FirstCause": false, + "LastCause": 
false + }, + { + "Number": 245, + "Content": " - name: app", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: app", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 246, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV020", + "AVDID": "AVD-KSV-0020", + "Title": "Runs with UID \u003c= 10000", + "Description": "Force the container to run with user ID \u003e 10000 to avoid conflicts with the host’s user table.", + "Message": "Container 'envoy' of Deployment 'dashboard' should set 'securityContext.runAsUser' \u003e 10000", + "Namespace": "builtin.kubernetes.KSV020", + "Query": "data.builtin.kubernetes.KSV020.deny", + "Resolution": "Set 'containers[].securityContext.runAsUser' to an integer \u003e 10000.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv020", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-runasuser/", + "https://avd.aquasec.com/misconfig/ksv020" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 223, + "EndLine": 236, + "Code": { + "Lines": [ + { + "Number": 223, + "Content": " - name: envoy", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: envoy", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 224, + "Content": " image: \"quay.io/devtron/envoy:v1.14.1\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/envoy:v1.14.1\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 225, + "Content": " ports:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m 
\u001b[38;5;33mports\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 226, + "Content": " - containerPort: 9901", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m9901", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 227, + "Content": " protocol: TCP", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mprotocol\u001b[0m: TCP", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 228, + "Content": " name: envoy-admin", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mname\u001b[0m: envoy-admin", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 229, + "Content": " - name: app", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: app", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 230, + "Content": " containerPort: 8790", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m8790", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 231, + "Content": " protocol: TCP", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mprotocol\u001b[0m: TCP", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 232, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV021", + "AVDID": "AVD-KSV-0021", + "Title": "Runs with GID \u003c= 10000", + "Description": "Force the container to run with group ID \u003e 10000 to avoid conflicts with the host’s user table.", + "Message": "Container 'dashboard' of Deployment 'dashboard' should set 
'securityContext.runAsGroup' \u003e 10000", + "Namespace": "builtin.kubernetes.KSV021", + "Query": "data.builtin.kubernetes.KSV021.deny", + "Resolution": "Set 'containers[].securityContext.runAsGroup' to an integer \u003e 10000.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv021", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-runasuser/", + "https://avd.aquasec.com/misconfig/ksv021" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 237, + "EndLine": 264, + "Code": { + "Lines": [ + { + "Number": 237, + "Content": " - name: dashboard", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: dashboard", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 238, + "Content": " image: \"quay.io/devtron/dashboard:9429b066-325-21529\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/dashboard:9429b066-325-21529\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 239, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 240, + "Content": " securityContext:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33msecurityContext\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 241, + "Content": " allowPrivilegeEscalation: false", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mallowPrivilegeEscalation\u001b[0m: \u001b[38;5;166mfalse", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 242, + "Content": " runAsUser: 1000", + "IsCause": 
true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1000", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 243, + "Content": " runAsNonRoot: true", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 244, + "Content": " ports:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mports\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 245, + "Content": " - name: app", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: app", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 246, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV021", + "AVDID": "AVD-KSV-0021", + "Title": "Runs with GID \u003c= 10000", + "Description": "Force the container to run with group ID \u003e 10000 to avoid conflicts with the host’s user table.", + "Message": "Container 'envoy' of Deployment 'dashboard' should set 'securityContext.runAsGroup' \u003e 10000", + "Namespace": "builtin.kubernetes.KSV021", + "Query": "data.builtin.kubernetes.KSV021.deny", + "Resolution": "Set 'containers[].securityContext.runAsGroup' to an integer \u003e 10000.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv021", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-runasuser/", + "https://avd.aquasec.com/misconfig/ksv021" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 223, + "EndLine": 236, + "Code": { + "Lines": [ + { + "Number": 223, + 
"Content": " - name: envoy", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: envoy", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 224, + "Content": " image: \"quay.io/devtron/envoy:v1.14.1\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/envoy:v1.14.1\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 225, + "Content": " ports:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mports\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 226, + "Content": " - containerPort: 9901", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m9901", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 227, + "Content": " protocol: TCP", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mprotocol\u001b[0m: TCP", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 228, + "Content": " name: envoy-admin", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mname\u001b[0m: envoy-admin", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 229, + "Content": " - name: app", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: app", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 230, + "Content": " containerPort: 8790", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m8790", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 231, + "Content": " protocol: TCP", + "IsCause": true, + "Annotation": "", + "Truncated": false, + 
"Highlighted": "\u001b[0m \u001b[38;5;33mprotocol\u001b[0m: TCP", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 232, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV030", + "AVDID": "AVD-KSV-0030", + "Title": "Runtime/Default Seccomp profile not set", + "Description": "According to pod security standard 'Seccomp', the RuntimeDefault seccomp profile must be required, or allow specific additional profiles.", + "Message": "Either Pod or Container should set 'securityContext.seccompProfile.type' to 'RuntimeDefault'", + "Namespace": "builtin.kubernetes.KSV030", + "Query": "data.builtin.kubernetes.KSV030.deny", + "Resolution": "Set 'spec.securityContext.seccompProfile.type', 'spec.containers[*].securityContext.seccompProfile' and 'spec.initContainers[*].securityContext.seccompProfile' to 'RuntimeDefault' or undefined.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv030", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", + "https://avd.aquasec.com/misconfig/ksv030" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 237, + "EndLine": 264, + "Code": { + "Lines": [ + { + "Number": 237, + "Content": " - name: dashboard", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: dashboard", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 238, + "Content": " image: \"quay.io/devtron/dashboard:9429b066-325-21529\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/dashboard:9429b066-325-21529\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 239, + "Content": " imagePullPolicy: 
IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 240, + "Content": " securityContext:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33msecurityContext\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 241, + "Content": " allowPrivilegeEscalation: false", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mallowPrivilegeEscalation\u001b[0m: \u001b[38;5;166mfalse", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 242, + "Content": " runAsUser: 1000", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1000", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 243, + "Content": " runAsNonRoot: true", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 244, + "Content": " ports:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mports\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 245, + "Content": " - name: app", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: app", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 246, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV030", + "AVDID": "AVD-KSV-0030", + "Title": "Runtime/Default Seccomp profile not set", + "Description": "According to pod security 
standard 'Seccomp', the RuntimeDefault seccomp profile must be required, or allow specific additional profiles.", + "Message": "Either Pod or Container should set 'securityContext.seccompProfile.type' to 'RuntimeDefault'", + "Namespace": "builtin.kubernetes.KSV030", + "Query": "data.builtin.kubernetes.KSV030.deny", + "Resolution": "Set 'spec.securityContext.seccompProfile.type', 'spec.containers[*].securityContext.seccompProfile' and 'spec.initContainers[*].securityContext.seccompProfile' to 'RuntimeDefault' or undefined.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv030", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", + "https://avd.aquasec.com/misconfig/ksv030" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 223, + "EndLine": 236, + "Code": { + "Lines": [ + { + "Number": 223, + "Content": " - name: envoy", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: envoy", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 224, + "Content": " image: \"quay.io/devtron/envoy:v1.14.1\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/envoy:v1.14.1\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 225, + "Content": " ports:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mports\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 226, + "Content": " - containerPort: 9901", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m9901", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 227, + "Content": " protocol: TCP", + "IsCause": true, + "Annotation": 
"", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mprotocol\u001b[0m: TCP", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 228, + "Content": " name: envoy-admin", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mname\u001b[0m: envoy-admin", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 229, + "Content": " - name: app", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: app", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 230, + "Content": " containerPort: 8790", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m8790", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 231, + "Content": " protocol: TCP", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mprotocol\u001b[0m: TCP", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 232, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "AVD-KSV-01010", + "AVDID": "AVD-KSV-01010", + "Title": "ConfigMap with sensitive content", + "Description": "Storing sensitive content such as usernames and email addresses in configMaps is unsafe", + "Message": "ConfigMap 'dashboard-cm' in 'default' namespace stores sensitive contents in key(s) or value(s) '{\"SENTRY_ENV\"}'", + "Namespace": "builtin.kubernetes.KSV01010", + "Query": "data.builtin.kubernetes.KSV01010.deny", + "Resolution": "Remove sensitive content from configMap data value", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/avd-ksv-01010", + "References": [ + "https://avd.aquasec.com/misconfig/avd-ksv-01010" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": 
{ + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 10, + "EndLine": 10, + "Code": { + "Lines": [ + { + "Number": 10, + "Content": "---", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "---", + "FirstCause": true, + "LastCause": true + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV104", + "AVDID": "AVD-KSV-0104", + "Title": "Seccomp policies disabled", + "Description": "A program inside the container can bypass Seccomp protection policies.", + "Message": "container \"dashboard\" of deployment \"dashboard\" in \"default\" namespace should specify a seccomp profile", + "Namespace": "builtin.kubernetes.KSV104", + "Query": "data.builtin.kubernetes.KSV104.deny", + "Resolution": "Specify seccomp either by annotation or by seccomp profile type having allowed values as per pod security standards", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv104", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline", + "https://avd.aquasec.com/misconfig/ksv104" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 193, + "EndLine": 193, + "Code": { + "Lines": [ + { + "Number": 193, + "Content": "---", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "---", + "FirstCause": true, + "LastCause": true + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV104", + "AVDID": "AVD-KSV-0104", + "Title": "Seccomp policies disabled", + "Description": "A program inside the container can bypass Seccomp protection policies.", + "Message": "container \"envoy\" of deployment \"dashboard\" in \"default\" namespace should specify a seccomp profile", + "Namespace": "builtin.kubernetes.KSV104", + "Query": "data.builtin.kubernetes.KSV104.deny", + "Resolution": "Specify seccomp either by annotation or by seccomp profile type having 
allowed values as per pod security standards", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv104", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline", + "https://avd.aquasec.com/misconfig/ksv104" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 193, + "EndLine": 193, + "Code": { + "Lines": [ + { + "Number": 193, + "Content": "---", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "---", + "FirstCause": true, + "LastCause": true + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV106", + "AVDID": "AVD-KSV-0106", + "Title": "Container capabilities must only include NET_BIND_SERVICE", + "Description": "Containers must drop ALL capabilities, and are only permitted to add back the NET_BIND_SERVICE capability.", + "Message": "container should drop all", + "Namespace": "builtin.kubernetes.KSV106", + "Query": "data.builtin.kubernetes.KSV106.deny", + "Resolution": "Set 'spec.containers[*].securityContext.capabilities.drop' to 'ALL' and only add 'NET_BIND_SERVICE' to 'spec.containers[*].securityContext.capabilities.add'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv106", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", + "https://avd.aquasec.com/misconfig/ksv106" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 237, + "EndLine": 264, + "Code": { + "Lines": [ + { + "Number": 237, + "Content": " - name: dashboard", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: dashboard", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 238, + "Content": " image: \"quay.io/devtron/dashboard:9429b066-325-21529\"", + "IsCause": true, + 
"Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/dashboard:9429b066-325-21529\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 239, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 240, + "Content": " securityContext:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33msecurityContext\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 241, + "Content": " allowPrivilegeEscalation: false", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mallowPrivilegeEscalation\u001b[0m: \u001b[38;5;166mfalse", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 242, + "Content": " runAsUser: 1000", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1000", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 243, + "Content": " runAsNonRoot: true", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 244, + "Content": " ports:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mports\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 245, + "Content": " - name: app", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: app", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 246, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": 
true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV106", + "AVDID": "AVD-KSV-0106", + "Title": "Container capabilities must only include NET_BIND_SERVICE", + "Description": "Containers must drop ALL capabilities, and are only permitted to add back the NET_BIND_SERVICE capability.", + "Message": "container should drop all", + "Namespace": "builtin.kubernetes.KSV106", + "Query": "data.builtin.kubernetes.KSV106.deny", + "Resolution": "Set 'spec.containers[*].securityContext.capabilities.drop' to 'ALL' and only add 'NET_BIND_SERVICE' to 'spec.containers[*].securityContext.capabilities.add'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv106", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", + "https://avd.aquasec.com/misconfig/ksv106" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 223, + "EndLine": 236, + "Code": { + "Lines": [ + { + "Number": 223, + "Content": " - name: envoy", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: envoy", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 224, + "Content": " image: \"quay.io/devtron/envoy:v1.14.1\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/envoy:v1.14.1\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 225, + "Content": " ports:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mports\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 226, + "Content": " - containerPort: 9901", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mcontainerPort\u001b[0m: 
\u001b[38;5;37m9901", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 227, + "Content": " protocol: TCP", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mprotocol\u001b[0m: TCP", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 228, + "Content": " name: envoy-admin", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mname\u001b[0m: envoy-admin", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 229, + "Content": " - name: app", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: app", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 230, + "Content": " containerPort: 8790", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m8790", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 231, + "Content": " protocol: TCP", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mprotocol\u001b[0m: TCP", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 232, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + } + ] + }, + { + "Target": "manifests/yamls/devtron-housekeeping.yaml", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 153, + "Failures": 10, + "Exceptions": 0 + }, + "Misconfigurations": [ + { + "Type": "Kubernetes Security Check", + "ID": "KSV001", + "AVDID": "AVD-KSV-0001", + "Title": "Can elevate its own privileges", + "Description": "A program inside the container can elevate its own privileges and run as root, which might give the program control over the container and node.", + "Message": "Container 'devtron-housekeeping' of Job 'devtron-housekeeping' should set 
'securityContext.allowPrivilegeEscalation' to false", + "Namespace": "builtin.kubernetes.KSV001", + "Query": "data.builtin.kubernetes.KSV001.deny", + "Resolution": "Set 'set containers[].securityContext.allowPrivilegeEscalation' to 'false'.", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv001", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", + "https://avd.aquasec.com/misconfig/ksv001" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 132, + "EndLine": 151, + "Code": { + "Lines": [ + { + "Number": 132, + "Content": " - name: devtron-housekeeping", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: devtron-housekeeping", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 133, + "Content": " image: quay.io/devtron/kubectl:latest", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/kubectl:latest", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 134, + "Content": " command: ['sh', '-c', 'sh /apply-labels.sh; exit 0']", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mcommand\u001b[0m: [\u001b[38;5;37m'sh'\u001b[0m, \u001b[38;5;37m'-c'\u001b[0m, \u001b[38;5;37m'sh /apply-labels.sh; exit 0'\u001b[0m]", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 135, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 136, + "Content": " - name: RELEASE_NAME", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: RELEASE_NAME", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 137, 
+ "Content": " valueFrom:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalueFrom\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 138, + "Content": " configMapKeyRef:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mconfigMapKeyRef\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 139, + "Content": " name: devtron-operator-cm", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mname\u001b[0m: devtron-operator-cm", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 140, + "Content": " key: DEVTRON_HELM_RELEASE_NAME", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mkey\u001b[0m: DEVTRON_HELM_RELEASE_NAME", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 141, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV003", + "AVDID": "AVD-KSV-0003", + "Title": "Default capabilities: some containers do not drop all", + "Description": "The container should drop all default capabilities and add only those that are needed for its execution.", + "Message": "Container 'devtron-housekeeping' of Job 'devtron-housekeeping' should add 'ALL' to 'securityContext.capabilities.drop'", + "Namespace": "builtin.kubernetes.KSV003", + "Query": "data.builtin.kubernetes.KSV003.deny", + "Resolution": "Add 'ALL' to containers[].securityContext.capabilities.drop.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv003", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-capabilities-drop-index-all/", + "https://avd.aquasec.com/misconfig/ksv003" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + 
"Service": "general", + "StartLine": 132, + "EndLine": 151, + "Code": { + "Lines": [ + { + "Number": 132, + "Content": " - name: devtron-housekeeping", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: devtron-housekeeping", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 133, + "Content": " image: quay.io/devtron/kubectl:latest", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/kubectl:latest", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 134, + "Content": " command: ['sh', '-c', 'sh /apply-labels.sh; exit 0']", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mcommand\u001b[0m: [\u001b[38;5;37m'sh'\u001b[0m, \u001b[38;5;37m'-c'\u001b[0m, \u001b[38;5;37m'sh /apply-labels.sh; exit 0'\u001b[0m]", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 135, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 136, + "Content": " - name: RELEASE_NAME", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: RELEASE_NAME", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 137, + "Content": " valueFrom:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalueFrom\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 138, + "Content": " configMapKeyRef:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mconfigMapKeyRef\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 139, + "Content": " name: devtron-operator-cm", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " 
\u001b[38;5;33mname\u001b[0m: devtron-operator-cm", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 140, + "Content": " key: DEVTRON_HELM_RELEASE_NAME", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mkey\u001b[0m: DEVTRON_HELM_RELEASE_NAME", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 141, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV012", + "AVDID": "AVD-KSV-0012", + "Title": "Runs as root user", + "Description": "Force the running image to run as a non-root user to ensure least privileges.", + "Message": "Container 'devtron-housekeeping' of Job 'devtron-housekeeping' should set 'securityContext.runAsNonRoot' to true", + "Namespace": "builtin.kubernetes.KSV012", + "Query": "data.builtin.kubernetes.KSV012.deny", + "Resolution": "Set 'containers[].securityContext.runAsNonRoot' to true.", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv012", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", + "https://avd.aquasec.com/misconfig/ksv012" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 132, + "EndLine": 151, + "Code": { + "Lines": [ + { + "Number": 132, + "Content": " - name: devtron-housekeeping", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: devtron-housekeeping", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 133, + "Content": " image: quay.io/devtron/kubectl:latest", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/kubectl:latest", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 134, + "Content": " 
command: ['sh', '-c', 'sh /apply-labels.sh; exit 0']", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mcommand\u001b[0m: [\u001b[38;5;37m'sh'\u001b[0m, \u001b[38;5;37m'-c'\u001b[0m, \u001b[38;5;37m'sh /apply-labels.sh; exit 0'\u001b[0m]", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 135, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 136, + "Content": " - name: RELEASE_NAME", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: RELEASE_NAME", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 137, + "Content": " valueFrom:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalueFrom\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 138, + "Content": " configMapKeyRef:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mconfigMapKeyRef\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 139, + "Content": " name: devtron-operator-cm", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mname\u001b[0m: devtron-operator-cm", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 140, + "Content": " key: DEVTRON_HELM_RELEASE_NAME", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mkey\u001b[0m: DEVTRON_HELM_RELEASE_NAME", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 141, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV013", + "AVDID": "AVD-KSV-0013", + "Title": "Image tag \":latest\" 
used", + "Description": "It is best to avoid using the ':latest' image tag when deploying containers in production. Doing so makes it hard to track which version of the image is running, and hard to roll back the version.", + "Message": "Container 'devtron-housekeeping' of Job 'devtron-housekeeping' should specify an image tag", + "Namespace": "builtin.kubernetes.KSV013", + "Query": "data.builtin.kubernetes.KSV013.deny", + "Resolution": "Use a specific container image tag that is not 'latest'.", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv013", + "References": [ + "https://kubernetes.io/docs/concepts/configuration/overview/#container-images", + "https://avd.aquasec.com/misconfig/ksv013" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 132, + "EndLine": 151, + "Code": { + "Lines": [ + { + "Number": 132, + "Content": " - name: devtron-housekeeping", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: devtron-housekeeping", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 133, + "Content": " image: quay.io/devtron/kubectl:latest", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/kubectl:latest", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 134, + "Content": " command: ['sh', '-c', 'sh /apply-labels.sh; exit 0']", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mcommand\u001b[0m: [\u001b[38;5;37m'sh'\u001b[0m, \u001b[38;5;37m'-c'\u001b[0m, \u001b[38;5;37m'sh /apply-labels.sh; exit 0'\u001b[0m]", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 135, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, 
+ { + "Number": 136, + "Content": " - name: RELEASE_NAME", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: RELEASE_NAME", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 137, + "Content": " valueFrom:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalueFrom\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 138, + "Content": " configMapKeyRef:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mconfigMapKeyRef\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 139, + "Content": " name: devtron-operator-cm", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mname\u001b[0m: devtron-operator-cm", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 140, + "Content": " key: DEVTRON_HELM_RELEASE_NAME", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mkey\u001b[0m: DEVTRON_HELM_RELEASE_NAME", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 141, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV014", + "AVDID": "AVD-KSV-0014", + "Title": "Root file system is not read-only", + "Description": "An immutable root file system prevents applications from writing to their local disk. 
This can limit intrusions, as attackers will not be able to tamper with the file system or write foreign executables to disk.", + "Message": "Container 'devtron-housekeeping' of Job 'devtron-housekeeping' should set 'securityContext.readOnlyRootFilesystem' to true", + "Namespace": "builtin.kubernetes.KSV014", + "Query": "data.builtin.kubernetes.KSV014.deny", + "Resolution": "Change 'containers[].securityContext.readOnlyRootFilesystem' to 'true'.", + "Severity": "HIGH", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv014", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-readonlyrootfilesystem-true/", + "https://avd.aquasec.com/misconfig/ksv014" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 132, + "EndLine": 151, + "Code": { + "Lines": [ + { + "Number": 132, + "Content": " - name: devtron-housekeeping", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: devtron-housekeeping", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 133, + "Content": " image: quay.io/devtron/kubectl:latest", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/kubectl:latest", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 134, + "Content": " command: ['sh', '-c', 'sh /apply-labels.sh; exit 0']", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mcommand\u001b[0m: [\u001b[38;5;37m'sh'\u001b[0m, \u001b[38;5;37m'-c'\u001b[0m, \u001b[38;5;37m'sh /apply-labels.sh; exit 0'\u001b[0m]", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 135, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 136, + "Content": " - name: 
RELEASE_NAME", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: RELEASE_NAME", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 137, + "Content": " valueFrom:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalueFrom\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 138, + "Content": " configMapKeyRef:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mconfigMapKeyRef\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 139, + "Content": " name: devtron-operator-cm", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mname\u001b[0m: devtron-operator-cm", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 140, + "Content": " key: DEVTRON_HELM_RELEASE_NAME", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mkey\u001b[0m: DEVTRON_HELM_RELEASE_NAME", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 141, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV020", + "AVDID": "AVD-KSV-0020", + "Title": "Runs with UID \u003c= 10000", + "Description": "Force the container to run with user ID \u003e 10000 to avoid conflicts with the host’s user table.", + "Message": "Container 'devtron-housekeeping' of Job 'devtron-housekeeping' should set 'securityContext.runAsUser' \u003e 10000", + "Namespace": "builtin.kubernetes.KSV020", + "Query": "data.builtin.kubernetes.KSV020.deny", + "Resolution": "Set 'containers[].securityContext.runAsUser' to an integer \u003e 10000.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv020", + "References": [ + 
"https://kubesec.io/basics/containers-securitycontext-runasuser/", + "https://avd.aquasec.com/misconfig/ksv020" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 132, + "EndLine": 151, + "Code": { + "Lines": [ + { + "Number": 132, + "Content": " - name: devtron-housekeeping", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: devtron-housekeeping", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 133, + "Content": " image: quay.io/devtron/kubectl:latest", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/kubectl:latest", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 134, + "Content": " command: ['sh', '-c', 'sh /apply-labels.sh; exit 0']", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mcommand\u001b[0m: [\u001b[38;5;37m'sh'\u001b[0m, \u001b[38;5;37m'-c'\u001b[0m, \u001b[38;5;37m'sh /apply-labels.sh; exit 0'\u001b[0m]", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 135, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 136, + "Content": " - name: RELEASE_NAME", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: RELEASE_NAME", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 137, + "Content": " valueFrom:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalueFrom\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 138, + "Content": " configMapKeyRef:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " 
\u001b[38;5;33mconfigMapKeyRef\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 139, + "Content": " name: devtron-operator-cm", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mname\u001b[0m: devtron-operator-cm", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 140, + "Content": " key: DEVTRON_HELM_RELEASE_NAME", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mkey\u001b[0m: DEVTRON_HELM_RELEASE_NAME", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 141, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV021", + "AVDID": "AVD-KSV-0021", + "Title": "Runs with GID \u003c= 10000", + "Description": "Force the container to run with group ID \u003e 10000 to avoid conflicts with the host’s user table.", + "Message": "Container 'devtron-housekeeping' of Job 'devtron-housekeeping' should set 'securityContext.runAsGroup' \u003e 10000", + "Namespace": "builtin.kubernetes.KSV021", + "Query": "data.builtin.kubernetes.KSV021.deny", + "Resolution": "Set 'containers[].securityContext.runAsGroup' to an integer \u003e 10000.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv021", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-runasuser/", + "https://avd.aquasec.com/misconfig/ksv021" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 132, + "EndLine": 151, + "Code": { + "Lines": [ + { + "Number": 132, + "Content": " - name: devtron-housekeeping", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: devtron-housekeeping", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 133, + "Content": " 
image: quay.io/devtron/kubectl:latest", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/kubectl:latest", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 134, + "Content": " command: ['sh', '-c', 'sh /apply-labels.sh; exit 0']", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mcommand\u001b[0m: [\u001b[38;5;37m'sh'\u001b[0m, \u001b[38;5;37m'-c'\u001b[0m, \u001b[38;5;37m'sh /apply-labels.sh; exit 0'\u001b[0m]", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 135, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 136, + "Content": " - name: RELEASE_NAME", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: RELEASE_NAME", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 137, + "Content": " valueFrom:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalueFrom\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 138, + "Content": " configMapKeyRef:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mconfigMapKeyRef\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 139, + "Content": " name: devtron-operator-cm", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mname\u001b[0m: devtron-operator-cm", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 140, + "Content": " key: DEVTRON_HELM_RELEASE_NAME", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mkey\u001b[0m: DEVTRON_HELM_RELEASE_NAME", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 
141, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV030", + "AVDID": "AVD-KSV-0030", + "Title": "Runtime/Default Seccomp profile not set", + "Description": "According to pod security standard 'Seccomp', the RuntimeDefault seccomp profile must be required, or allow specific additional profiles.", + "Message": "Either Pod or Container should set 'securityContext.seccompProfile.type' to 'RuntimeDefault'", + "Namespace": "builtin.kubernetes.KSV030", + "Query": "data.builtin.kubernetes.KSV030.deny", + "Resolution": "Set 'spec.securityContext.seccompProfile.type', 'spec.containers[*].securityContext.seccompProfile' and 'spec.initContainers[*].securityContext.seccompProfile' to 'RuntimeDefault' or undefined.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv030", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", + "https://avd.aquasec.com/misconfig/ksv030" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 132, + "EndLine": 151, + "Code": { + "Lines": [ + { + "Number": 132, + "Content": " - name: devtron-housekeeping", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: devtron-housekeeping", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 133, + "Content": " image: quay.io/devtron/kubectl:latest", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/kubectl:latest", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 134, + "Content": " command: ['sh', '-c', 'sh /apply-labels.sh; exit 0']", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mcommand\u001b[0m: 
[\u001b[38;5;37m'sh'\u001b[0m, \u001b[38;5;37m'-c'\u001b[0m, \u001b[38;5;37m'sh /apply-labels.sh; exit 0'\u001b[0m]", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 135, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 136, + "Content": " - name: RELEASE_NAME", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: RELEASE_NAME", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 137, + "Content": " valueFrom:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalueFrom\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 138, + "Content": " configMapKeyRef:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mconfigMapKeyRef\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 139, + "Content": " name: devtron-operator-cm", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mname\u001b[0m: devtron-operator-cm", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 140, + "Content": " key: DEVTRON_HELM_RELEASE_NAME", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mkey\u001b[0m: DEVTRON_HELM_RELEASE_NAME", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 141, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV104", + "AVDID": "AVD-KSV-0104", + "Title": "Seccomp policies disabled", + "Description": "A program inside the container can bypass Seccomp protection policies.", + "Message": "container \"devtron-housekeeping\" of job 
\"devtron-housekeeping\" in \"default\" namespace should specify a seccomp profile", + "Namespace": "builtin.kubernetes.KSV104", + "Query": "data.builtin.kubernetes.KSV104.deny", + "Resolution": "Specify seccomp either by annotation or by seccomp profile type having allowed values as per pod security standards", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv104", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline", + "https://avd.aquasec.com/misconfig/ksv104" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 122, + "EndLine": 122, + "Code": { + "Lines": [ + { + "Number": 122, + "Content": "---", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "---", + "FirstCause": true, + "LastCause": true + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV106", + "AVDID": "AVD-KSV-0106", + "Title": "Container capabilities must only include NET_BIND_SERVICE", + "Description": "Containers must drop ALL capabilities, and are only permitted to add back the NET_BIND_SERVICE capability.", + "Message": "container should drop all", + "Namespace": "builtin.kubernetes.KSV106", + "Query": "data.builtin.kubernetes.KSV106.deny", + "Resolution": "Set 'spec.containers[*].securityContext.capabilities.drop' to 'ALL' and only add 'NET_BIND_SERVICE' to 'spec.containers[*].securityContext.capabilities.add'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv106", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", + "https://avd.aquasec.com/misconfig/ksv106" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 132, + "EndLine": 151, + "Code": { + "Lines": [ + { + "Number": 132, + "Content": " - name: devtron-housekeeping", + "IsCause": true, 
+ "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: devtron-housekeeping", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 133, + "Content": " image: quay.io/devtron/kubectl:latest", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/kubectl:latest", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 134, + "Content": " command: ['sh', '-c', 'sh /apply-labels.sh; exit 0']", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mcommand\u001b[0m: [\u001b[38;5;37m'sh'\u001b[0m, \u001b[38;5;37m'-c'\u001b[0m, \u001b[38;5;37m'sh /apply-labels.sh; exit 0'\u001b[0m]", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 135, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 136, + "Content": " - name: RELEASE_NAME", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: RELEASE_NAME", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 137, + "Content": " valueFrom:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalueFrom\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 138, + "Content": " configMapKeyRef:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mconfigMapKeyRef\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 139, + "Content": " name: devtron-operator-cm", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mname\u001b[0m: devtron-operator-cm", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 140, + "Content": " key: DEVTRON_HELM_RELEASE_NAME", + 
"IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mkey\u001b[0m: DEVTRON_HELM_RELEASE_NAME", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 141, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + } + ] + }, + { + "Target": "manifests/yamls/devtron-ingress-legacy.yaml", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 153, + "Failures": 0, + "Exceptions": 0 + } + }, + { + "Target": "manifests/yamls/devtron-ingress.yaml", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 153, + "Failures": 0, + "Exceptions": 0 + } + }, + { + "Target": "manifests/yamls/devtron.yaml", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 153, + "Failures": 13, + "Exceptions": 0 + }, + "Misconfigurations": [ + { + "Type": "Kubernetes Security Check", + "ID": "KSV003", + "AVDID": "AVD-KSV-0003", + "Title": "Default capabilities: some containers do not drop all", + "Description": "The container should drop all default capabilities and add only those that are needed for its execution.", + "Message": "Container 'devtron' of Deployment 'devtron' should add 'ALL' to 'securityContext.capabilities.drop'", + "Namespace": "builtin.kubernetes.KSV003", + "Query": "data.builtin.kubernetes.KSV003.deny", + "Resolution": "Add 'ALL' to containers[].securityContext.capabilities.drop.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv003", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-capabilities-drop-index-all/", + "https://avd.aquasec.com/misconfig/ksv003" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 171, + "EndLine": 212, + "Code": { + "Lines": [ + { + "Number": 171, + "Content": " - name: devtron", + "IsCause": true, + 
"Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: devtron", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 172, + "Content": " image: \"quay.io/devtron/devtron:ca439071-434-21597\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/devtron:ca439071-434-21597\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 173, + "Content": " securityContext:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33msecurityContext\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 174, + "Content": " allowPrivilegeEscalation: false", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mallowPrivilegeEscalation\u001b[0m: \u001b[38;5;166mfalse", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 175, + "Content": " runAsUser: 1000", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1000", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 176, + "Content": " runAsNonRoot: true", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 177, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 178, + "Content": " lifecycle:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mlifecycle\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 179, + "Content": " 
preStop:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mpreStop\u001b[0m:", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 180, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV011", + "AVDID": "AVD-KSV-0011", + "Title": "CPU not limited", + "Description": "Enforcing CPU limits prevents DoS via resource exhaustion.", + "Message": "Container 'devtron' of Deployment 'devtron' should set 'resources.limits.cpu'", + "Namespace": "builtin.kubernetes.KSV011", + "Query": "data.builtin.kubernetes.KSV011.deny", + "Resolution": "Set a limit value under 'containers[].resources.limits.cpu'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv011", + "References": [ + "https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", + "https://avd.aquasec.com/misconfig/ksv011" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 171, + "EndLine": 212, + "Code": { + "Lines": [ + { + "Number": 171, + "Content": " - name: devtron", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: devtron", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 172, + "Content": " image: \"quay.io/devtron/devtron:ca439071-434-21597\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/devtron:ca439071-434-21597\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 173, + "Content": " securityContext:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33msecurityContext\u001b[0m:", + "FirstCause": false, + 
"LastCause": false + }, + { + "Number": 174, + "Content": " allowPrivilegeEscalation: false", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mallowPrivilegeEscalation\u001b[0m: \u001b[38;5;166mfalse", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 175, + "Content": " runAsUser: 1000", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1000", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 176, + "Content": " runAsNonRoot: true", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 177, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 178, + "Content": " lifecycle:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mlifecycle\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 179, + "Content": " preStop:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mpreStop\u001b[0m:", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 180, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV014", + "AVDID": "AVD-KSV-0014", + "Title": "Root file system is not read-only", + "Description": "An immutable root file system prevents applications from writing to their local disk. 
This can limit intrusions, as attackers will not be able to tamper with the file system or write foreign executables to disk.", + "Message": "Container 'devtron' of Deployment 'devtron' should set 'securityContext.readOnlyRootFilesystem' to true", + "Namespace": "builtin.kubernetes.KSV014", + "Query": "data.builtin.kubernetes.KSV014.deny", + "Resolution": "Change 'containers[].securityContext.readOnlyRootFilesystem' to 'true'.", + "Severity": "HIGH", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv014", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-readonlyrootfilesystem-true/", + "https://avd.aquasec.com/misconfig/ksv014" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 171, + "EndLine": 212, + "Code": { + "Lines": [ + { + "Number": 171, + "Content": " - name: devtron", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: devtron", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 172, + "Content": " image: \"quay.io/devtron/devtron:ca439071-434-21597\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/devtron:ca439071-434-21597\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 173, + "Content": " securityContext:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33msecurityContext\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 174, + "Content": " allowPrivilegeEscalation: false", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mallowPrivilegeEscalation\u001b[0m: \u001b[38;5;166mfalse", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 175, + "Content": " runAsUser: 1000", + "IsCause": true, + "Annotation": "", + "Truncated": 
false, + "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1000", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 176, + "Content": " runAsNonRoot: true", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 177, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 178, + "Content": " lifecycle:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mlifecycle\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 179, + "Content": " preStop:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mpreStop\u001b[0m:", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 180, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV015", + "AVDID": "AVD-KSV-0015", + "Title": "CPU requests not specified", + "Description": "When containers have resource requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", + "Message": "Container 'devtron' of Deployment 'devtron' should set 'resources.requests.cpu'", + "Namespace": "builtin.kubernetes.KSV015", + "Query": "data.builtin.kubernetes.KSV015.deny", + "Resolution": "Set 'containers[].resources.requests.cpu'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv015", + "References": [ + 
"https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", + "https://avd.aquasec.com/misconfig/ksv015" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 171, + "EndLine": 212, + "Code": { + "Lines": [ + { + "Number": 171, + "Content": " - name: devtron", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: devtron", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 172, + "Content": " image: \"quay.io/devtron/devtron:ca439071-434-21597\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/devtron:ca439071-434-21597\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 173, + "Content": " securityContext:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33msecurityContext\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 174, + "Content": " allowPrivilegeEscalation: false", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mallowPrivilegeEscalation\u001b[0m: \u001b[38;5;166mfalse", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 175, + "Content": " runAsUser: 1000", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1000", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 176, + "Content": " runAsNonRoot: true", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 177, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": 
"", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 178, + "Content": " lifecycle:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mlifecycle\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 179, + "Content": " preStop:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mpreStop\u001b[0m:", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 180, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV016", + "AVDID": "AVD-KSV-0016", + "Title": "Memory requests not specified", + "Description": "When containers have memory requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", + "Message": "Container 'devtron' of Deployment 'devtron' should set 'resources.requests.memory'", + "Namespace": "builtin.kubernetes.KSV016", + "Query": "data.builtin.kubernetes.KSV016.deny", + "Resolution": "Set 'containers[].resources.requests.memory'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv016", + "References": [ + "https://kubesec.io/basics/containers-resources-limits-memory/", + "https://avd.aquasec.com/misconfig/ksv016" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 171, + "EndLine": 212, + "Code": { + "Lines": [ + { + "Number": 171, + "Content": " - name: devtron", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: devtron", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 172, + "Content": " image: 
\"quay.io/devtron/devtron:ca439071-434-21597\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/devtron:ca439071-434-21597\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 173, + "Content": " securityContext:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33msecurityContext\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 174, + "Content": " allowPrivilegeEscalation: false", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mallowPrivilegeEscalation\u001b[0m: \u001b[38;5;166mfalse", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 175, + "Content": " runAsUser: 1000", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1000", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 176, + "Content": " runAsNonRoot: true", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 177, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 178, + "Content": " lifecycle:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mlifecycle\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 179, + "Content": " preStop:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mpreStop\u001b[0m:", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 180, + 
"Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV018", + "AVDID": "AVD-KSV-0018", + "Title": "Memory not limited", + "Description": "Enforcing memory limits prevents DoS via resource exhaustion.", + "Message": "Container 'devtron' of Deployment 'devtron' should set 'resources.limits.memory'", + "Namespace": "builtin.kubernetes.KSV018", + "Query": "data.builtin.kubernetes.KSV018.deny", + "Resolution": "Set a limit value under 'containers[].resources.limits.memory'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv018", + "References": [ + "https://kubesec.io/basics/containers-resources-limits-memory/", + "https://avd.aquasec.com/misconfig/ksv018" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 171, + "EndLine": 212, + "Code": { + "Lines": [ + { + "Number": 171, + "Content": " - name: devtron", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: devtron", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 172, + "Content": " image: \"quay.io/devtron/devtron:ca439071-434-21597\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/devtron:ca439071-434-21597\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 173, + "Content": " securityContext:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33msecurityContext\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 174, + "Content": " allowPrivilegeEscalation: false", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mallowPrivilegeEscalation\u001b[0m: 
\u001b[38;5;166mfalse", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 175, + "Content": " runAsUser: 1000", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1000", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 176, + "Content": " runAsNonRoot: true", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 177, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 178, + "Content": " lifecycle:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mlifecycle\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 179, + "Content": " preStop:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mpreStop\u001b[0m:", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 180, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV020", + "AVDID": "AVD-KSV-0020", + "Title": "Runs with UID \u003c= 10000", + "Description": "Force the container to run with user ID \u003e 10000 to avoid conflicts with the host’s user table.", + "Message": "Container 'devtron' of Deployment 'devtron' should set 'securityContext.runAsUser' \u003e 10000", + "Namespace": "builtin.kubernetes.KSV020", + "Query": "data.builtin.kubernetes.KSV020.deny", + "Resolution": "Set 'containers[].securityContext.runAsUser' to an integer \u003e 10000.", + "Severity": "LOW", + 
"PrimaryURL": "https://avd.aquasec.com/misconfig/ksv020", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-runasuser/", + "https://avd.aquasec.com/misconfig/ksv020" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 171, + "EndLine": 212, + "Code": { + "Lines": [ + { + "Number": 171, + "Content": " - name: devtron", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: devtron", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 172, + "Content": " image: \"quay.io/devtron/devtron:ca439071-434-21597\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/devtron:ca439071-434-21597\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 173, + "Content": " securityContext:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33msecurityContext\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 174, + "Content": " allowPrivilegeEscalation: false", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mallowPrivilegeEscalation\u001b[0m: \u001b[38;5;166mfalse", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 175, + "Content": " runAsUser: 1000", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1000", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 176, + "Content": " runAsNonRoot: true", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 177, + "Content": " imagePullPolicy: IfNotPresent", + 
"IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 178, + "Content": " lifecycle:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mlifecycle\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 179, + "Content": " preStop:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mpreStop\u001b[0m:", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 180, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV021", + "AVDID": "AVD-KSV-0021", + "Title": "Runs with GID \u003c= 10000", + "Description": "Force the container to run with group ID \u003e 10000 to avoid conflicts with the host’s user table.", + "Message": "Container 'devtron' of Deployment 'devtron' should set 'securityContext.runAsGroup' \u003e 10000", + "Namespace": "builtin.kubernetes.KSV021", + "Query": "data.builtin.kubernetes.KSV021.deny", + "Resolution": "Set 'containers[].securityContext.runAsGroup' to an integer \u003e 10000.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv021", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-runasuser/", + "https://avd.aquasec.com/misconfig/ksv021" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 171, + "EndLine": 212, + "Code": { + "Lines": [ + { + "Number": 171, + "Content": " - name: devtron", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: devtron", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 172, + "Content": " image: 
\"quay.io/devtron/devtron:ca439071-434-21597\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/devtron:ca439071-434-21597\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 173, + "Content": " securityContext:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33msecurityContext\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 174, + "Content": " allowPrivilegeEscalation: false", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mallowPrivilegeEscalation\u001b[0m: \u001b[38;5;166mfalse", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 175, + "Content": " runAsUser: 1000", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1000", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 176, + "Content": " runAsNonRoot: true", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 177, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 178, + "Content": " lifecycle:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mlifecycle\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 179, + "Content": " preStop:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mpreStop\u001b[0m:", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 180, + 
"Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV030", + "AVDID": "AVD-KSV-0030", + "Title": "Runtime/Default Seccomp profile not set", + "Description": "According to pod security standard 'Seccomp', the RuntimeDefault seccomp profile must be required, or allow specific additional profiles.", + "Message": "Either Pod or Container should set 'securityContext.seccompProfile.type' to 'RuntimeDefault'", + "Namespace": "builtin.kubernetes.KSV030", + "Query": "data.builtin.kubernetes.KSV030.deny", + "Resolution": "Set 'spec.securityContext.seccompProfile.type', 'spec.containers[*].securityContext.seccompProfile' and 'spec.initContainers[*].securityContext.seccompProfile' to 'RuntimeDefault' or undefined.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv030", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", + "https://avd.aquasec.com/misconfig/ksv030" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 171, + "EndLine": 212, + "Code": { + "Lines": [ + { + "Number": 171, + "Content": " - name: devtron", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: devtron", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 172, + "Content": " image: \"quay.io/devtron/devtron:ca439071-434-21597\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/devtron:ca439071-434-21597\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 173, + "Content": " securityContext:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33msecurityContext\u001b[0m:", + 
"FirstCause": false, + "LastCause": false + }, + { + "Number": 174, + "Content": " allowPrivilegeEscalation: false", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mallowPrivilegeEscalation\u001b[0m: \u001b[38;5;166mfalse", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 175, + "Content": " runAsUser: 1000", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1000", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 176, + "Content": " runAsNonRoot: true", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 177, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 178, + "Content": " lifecycle:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mlifecycle\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 179, + "Content": " preStop:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mpreStop\u001b[0m:", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 180, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "AVD-KSV-01010", + "AVDID": "AVD-KSV-01010", + "Title": "ConfigMap with sensitive content", + "Description": "Storing sensitive content such as usernames and email addresses in configMaps is unsafe", + "Message": "ConfigMap 'devtron-cm' in 'default' namespace stores 
sensitive contents in key(s) or value(s) '{\"ACD_TIMEOUT\", \"ACD_USERNAME\", \"CACHE_LIMIT\", \"CD_NODE_TAINTS_KEY\", \"CExpirationTime\", \"CI_LOGS_KEY_PREFIX\", \"CI_NODE_TAINTS_KEY\", \"DEFAULT_ARTIFACT_KEY_LOCATION\", \"DEFAULT_BUILD_LOGS_KEY_PREFIX\", \"DEFAULT_CD_ARTIFACT_KEY_LOCATION\", \"DEFAULT_CD_TIMEOUT\", \"DEFAULT_TIMEOUT\", \"DEX_PORT\", \"ENFORCER_CACHE_EXPIRATION_IN_SEC\", \"GIT_SENSOR_PROTOCOL\", \"GIT_SENSOR_TIMEOUT\", \"JwtExpirationTime\", \"LENS_TIMEOUT\", \"MODE\", \"PG_PORT\"}'", + "Namespace": "builtin.kubernetes.KSV01010", + "Query": "data.builtin.kubernetes.KSV01010.deny", + "Resolution": "Remove sensitive content from configMap data value", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/avd-ksv-01010", + "References": [ + "https://avd.aquasec.com/misconfig/avd-ksv-01010" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 9, + "EndLine": 9, + "Code": { + "Lines": [ + { + "Number": 9, + "Content": "---", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "---", + "FirstCause": true, + "LastCause": true + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV104", + "AVDID": "AVD-KSV-0104", + "Title": "Seccomp policies disabled", + "Description": "A program inside the container can bypass Seccomp protection policies.", + "Message": "container \"devtron\" of deployment \"devtron\" in \"default\" namespace should specify a seccomp profile", + "Namespace": "builtin.kubernetes.KSV104", + "Query": "data.builtin.kubernetes.KSV104.deny", + "Resolution": "Specify seccomp either by annotation or by seccomp profile type having allowed values as per pod security standards", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv104", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline", + "https://avd.aquasec.com/misconfig/ksv104" + 
], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 140, + "EndLine": 140, + "Code": { + "Lines": [ + { + "Number": 140, + "Content": "---", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "---", + "FirstCause": true, + "LastCause": true + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV106", + "AVDID": "AVD-KSV-0106", + "Title": "Container capabilities must only include NET_BIND_SERVICE", + "Description": "Containers must drop ALL capabilities, and are only permitted to add back the NET_BIND_SERVICE capability.", + "Message": "container should drop all", + "Namespace": "builtin.kubernetes.KSV106", + "Query": "data.builtin.kubernetes.KSV106.deny", + "Resolution": "Set 'spec.containers[*].securityContext.capabilities.drop' to 'ALL' and only add 'NET_BIND_SERVICE' to 'spec.containers[*].securityContext.capabilities.add'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv106", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", + "https://avd.aquasec.com/misconfig/ksv106" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 171, + "EndLine": 212, + "Code": { + "Lines": [ + { + "Number": 171, + "Content": " - name: devtron", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: devtron", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 172, + "Content": " image: \"quay.io/devtron/devtron:ca439071-434-21597\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/devtron:ca439071-434-21597\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 173, + "Content": " securityContext:", + "IsCause": true, + "Annotation": 
"", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33msecurityContext\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 174, + "Content": " allowPrivilegeEscalation: false", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mallowPrivilegeEscalation\u001b[0m: \u001b[38;5;166mfalse", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 175, + "Content": " runAsUser: 1000", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1000", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 176, + "Content": " runAsNonRoot: true", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 177, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 178, + "Content": " lifecycle:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mlifecycle\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 179, + "Content": " preStop:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mpreStop\u001b[0m:", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 180, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "AVD-KSV-0109", + "AVDID": "AVD-KSV-0109", + "Title": "ConfigMap with secrets", + "Description": "Storing secrets in configMaps is unsafe", + "Message": "ConfigMap 
'devtron-cm' in 'default' namespace stores secrets in key(s) or value(s) '{\"DEVTRON_SECRET_NAME\"}'", + "Namespace": "builtin.kubernetes.KSV0109", + "Query": "data.builtin.kubernetes.KSV0109.deny", + "Resolution": "Remove password/secret from configMap data value", + "Severity": "HIGH", + "PrimaryURL": "https://avd.aquasec.com/misconfig/avd-ksv-0109", + "References": [ + "https://avd.aquasec.com/misconfig/avd-ksv-0109" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 9, + "EndLine": 9, + "Code": { + "Lines": [ + { + "Number": 9, + "Content": "---", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "---", + "FirstCause": true, + "LastCause": true + } + ] + } + } + } + ] + }, + { + "Target": "manifests/yamls/external-secret.yaml", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 153, + "Failures": 13, + "Exceptions": 0 + }, + "Misconfigurations": [ + { + "Type": "Kubernetes Security Check", + "ID": "KSV001", + "AVDID": "AVD-KSV-0001", + "Title": "Can elevate its own privileges", + "Description": "A program inside the container can elevate its own privileges and run as root, which might give the program control over the container and node.", + "Message": "Container 'kubernetes-external-secrets' of Deployment 'devtron-kubernetes-external-secrets' should set 'securityContext.allowPrivilegeEscalation' to false", + "Namespace": "builtin.kubernetes.KSV001", + "Query": "data.builtin.kubernetes.KSV001.deny", + "Resolution": "Set 'set containers[].securityContext.allowPrivilegeEscalation' to 'false'.", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv001", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", + "https://avd.aquasec.com/misconfig/ksv001" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": 
"general", + "StartLine": 371, + "EndLine": 399, + "Code": { + "Lines": [ + { + "Number": 371, + "Content": " - name: kubernetes-external-secrets", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: kubernetes-external-secrets", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 372, + "Content": " image: \"ghcr.io/external-secrets/kubernetes-external-secrets:8.5.1\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"ghcr.io/external-secrets/kubernetes-external-secrets:8.5.1\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 373, + "Content": " ports:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mports\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 374, + "Content": " - name: prometheus", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: prometheus", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 375, + "Content": " containerPort: 3001", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m3001", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 376, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 377, + "Content": " resources:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mresources\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 378, + "Content": " {}", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " {}", + "FirstCause": 
false, + "LastCause": false + }, + { + "Number": 379, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 380, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV003", + "AVDID": "AVD-KSV-0003", + "Title": "Default capabilities: some containers do not drop all", + "Description": "The container should drop all default capabilities and add only those that are needed for its execution.", + "Message": "Container 'kubernetes-external-secrets' of Deployment 'devtron-kubernetes-external-secrets' should add 'ALL' to 'securityContext.capabilities.drop'", + "Namespace": "builtin.kubernetes.KSV003", + "Query": "data.builtin.kubernetes.KSV003.deny", + "Resolution": "Add 'ALL' to containers[].securityContext.capabilities.drop.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv003", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-capabilities-drop-index-all/", + "https://avd.aquasec.com/misconfig/ksv003" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 371, + "EndLine": 399, + "Code": { + "Lines": [ + { + "Number": 371, + "Content": " - name: kubernetes-external-secrets", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: kubernetes-external-secrets", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 372, + "Content": " image: \"ghcr.io/external-secrets/kubernetes-external-secrets:8.5.1\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"ghcr.io/external-secrets/kubernetes-external-secrets:8.5.1\"", + 
"FirstCause": false, + "LastCause": false + }, + { + "Number": 373, + "Content": " ports:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mports\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 374, + "Content": " - name: prometheus", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: prometheus", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 375, + "Content": " containerPort: 3001", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m3001", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 376, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 377, + "Content": " resources:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mresources\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 378, + "Content": " {}", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " {}", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 379, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 380, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV011", + "AVDID": "AVD-KSV-0011", + "Title": "CPU not limited", + "Description": "Enforcing CPU limits prevents DoS via resource exhaustion.", + "Message": "Container 
'kubernetes-external-secrets' of Deployment 'devtron-kubernetes-external-secrets' should set 'resources.limits.cpu'", + "Namespace": "builtin.kubernetes.KSV011", + "Query": "data.builtin.kubernetes.KSV011.deny", + "Resolution": "Set a limit value under 'containers[].resources.limits.cpu'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv011", + "References": [ + "https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", + "https://avd.aquasec.com/misconfig/ksv011" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 371, + "EndLine": 399, + "Code": { + "Lines": [ + { + "Number": 371, + "Content": " - name: kubernetes-external-secrets", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: kubernetes-external-secrets", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 372, + "Content": " image: \"ghcr.io/external-secrets/kubernetes-external-secrets:8.5.1\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"ghcr.io/external-secrets/kubernetes-external-secrets:8.5.1\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 373, + "Content": " ports:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mports\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 374, + "Content": " - name: prometheus", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: prometheus", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 375, + "Content": " containerPort: 3001", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m3001", + 
"FirstCause": false, + "LastCause": false + }, + { + "Number": 376, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 377, + "Content": " resources:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mresources\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 378, + "Content": " {}", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " {}", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 379, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 380, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV014", + "AVDID": "AVD-KSV-0014", + "Title": "Root file system is not read-only", + "Description": "An immutable root file system prevents applications from writing to their local disk. 
This can limit intrusions, as attackers will not be able to tamper with the file system or write foreign executables to disk.", + "Message": "Container 'kubernetes-external-secrets' of Deployment 'devtron-kubernetes-external-secrets' should set 'securityContext.readOnlyRootFilesystem' to true", + "Namespace": "builtin.kubernetes.KSV014", + "Query": "data.builtin.kubernetes.KSV014.deny", + "Resolution": "Change 'containers[].securityContext.readOnlyRootFilesystem' to 'true'.", + "Severity": "HIGH", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv014", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-readonlyrootfilesystem-true/", + "https://avd.aquasec.com/misconfig/ksv014" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 371, + "EndLine": 399, + "Code": { + "Lines": [ + { + "Number": 371, + "Content": " - name: kubernetes-external-secrets", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: kubernetes-external-secrets", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 372, + "Content": " image: \"ghcr.io/external-secrets/kubernetes-external-secrets:8.5.1\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"ghcr.io/external-secrets/kubernetes-external-secrets:8.5.1\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 373, + "Content": " ports:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mports\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 374, + "Content": " - name: prometheus", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: prometheus", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 375, + "Content": " containerPort: 
3001", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m3001", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 376, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 377, + "Content": " resources:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mresources\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 378, + "Content": " {}", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " {}", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 379, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 380, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV015", + "AVDID": "AVD-KSV-0015", + "Title": "CPU requests not specified", + "Description": "When containers have resource requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", + "Message": "Container 'kubernetes-external-secrets' of Deployment 'devtron-kubernetes-external-secrets' should set 'resources.requests.cpu'", + "Namespace": "builtin.kubernetes.KSV015", + "Query": "data.builtin.kubernetes.KSV015.deny", + "Resolution": "Set 'containers[].resources.requests.cpu'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv015", + "References": [ + 
"https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", + "https://avd.aquasec.com/misconfig/ksv015" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 371, + "EndLine": 399, + "Code": { + "Lines": [ + { + "Number": 371, + "Content": " - name: kubernetes-external-secrets", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: kubernetes-external-secrets", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 372, + "Content": " image: \"ghcr.io/external-secrets/kubernetes-external-secrets:8.5.1\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"ghcr.io/external-secrets/kubernetes-external-secrets:8.5.1\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 373, + "Content": " ports:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mports\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 374, + "Content": " - name: prometheus", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: prometheus", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 375, + "Content": " containerPort: 3001", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m3001", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 376, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 377, + "Content": " resources:", + "IsCause": true, + "Annotation": "", + 
"Truncated": false, + "Highlighted": " \u001b[38;5;33mresources\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 378, + "Content": " {}", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " {}", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 379, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 380, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV016", + "AVDID": "AVD-KSV-0016", + "Title": "Memory requests not specified", + "Description": "When containers have memory requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", + "Message": "Container 'kubernetes-external-secrets' of Deployment 'devtron-kubernetes-external-secrets' should set 'resources.requests.memory'", + "Namespace": "builtin.kubernetes.KSV016", + "Query": "data.builtin.kubernetes.KSV016.deny", + "Resolution": "Set 'containers[].resources.requests.memory'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv016", + "References": [ + "https://kubesec.io/basics/containers-resources-limits-memory/", + "https://avd.aquasec.com/misconfig/ksv016" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 371, + "EndLine": 399, + "Code": { + "Lines": [ + { + "Number": 371, + "Content": " - name: kubernetes-external-secrets", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: kubernetes-external-secrets", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 372, + "Content": " image: 
\"ghcr.io/external-secrets/kubernetes-external-secrets:8.5.1\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"ghcr.io/external-secrets/kubernetes-external-secrets:8.5.1\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 373, + "Content": " ports:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mports\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 374, + "Content": " - name: prometheus", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: prometheus", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 375, + "Content": " containerPort: 3001", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m3001", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 376, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 377, + "Content": " resources:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mresources\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 378, + "Content": " {}", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " {}", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 379, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 380, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + 
} + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV018", + "AVDID": "AVD-KSV-0018", + "Title": "Memory not limited", + "Description": "Enforcing memory limits prevents DoS via resource exhaustion.", + "Message": "Container 'kubernetes-external-secrets' of Deployment 'devtron-kubernetes-external-secrets' should set 'resources.limits.memory'", + "Namespace": "builtin.kubernetes.KSV018", + "Query": "data.builtin.kubernetes.KSV018.deny", + "Resolution": "Set a limit value under 'containers[].resources.limits.memory'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv018", + "References": [ + "https://kubesec.io/basics/containers-resources-limits-memory/", + "https://avd.aquasec.com/misconfig/ksv018" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 371, + "EndLine": 399, + "Code": { + "Lines": [ + { + "Number": 371, + "Content": " - name: kubernetes-external-secrets", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: kubernetes-external-secrets", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 372, + "Content": " image: \"ghcr.io/external-secrets/kubernetes-external-secrets:8.5.1\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"ghcr.io/external-secrets/kubernetes-external-secrets:8.5.1\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 373, + "Content": " ports:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mports\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 374, + "Content": " - name: prometheus", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: prometheus", + "FirstCause": false, + "LastCause": false + }, + { + 
"Number": 375, + "Content": " containerPort: 3001", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m3001", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 376, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 377, + "Content": " resources:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mresources\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 378, + "Content": " {}", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " {}", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 379, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 380, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV020", + "AVDID": "AVD-KSV-0020", + "Title": "Runs with UID \u003c= 10000", + "Description": "Force the container to run with user ID \u003e 10000 to avoid conflicts with the host’s user table.", + "Message": "Container 'kubernetes-external-secrets' of Deployment 'devtron-kubernetes-external-secrets' should set 'securityContext.runAsUser' \u003e 10000", + "Namespace": "builtin.kubernetes.KSV020", + "Query": "data.builtin.kubernetes.KSV020.deny", + "Resolution": "Set 'containers[].securityContext.runAsUser' to an integer \u003e 10000.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv020", + "References": [ + 
"https://kubesec.io/basics/containers-securitycontext-runasuser/", + "https://avd.aquasec.com/misconfig/ksv020" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 371, + "EndLine": 399, + "Code": { + "Lines": [ + { + "Number": 371, + "Content": " - name: kubernetes-external-secrets", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: kubernetes-external-secrets", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 372, + "Content": " image: \"ghcr.io/external-secrets/kubernetes-external-secrets:8.5.1\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"ghcr.io/external-secrets/kubernetes-external-secrets:8.5.1\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 373, + "Content": " ports:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mports\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 374, + "Content": " - name: prometheus", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: prometheus", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 375, + "Content": " containerPort: 3001", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m3001", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 376, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 377, + "Content": " resources:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " 
\u001b[38;5;33mresources\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 378, + "Content": " {}", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " {}", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 379, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 380, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV021", + "AVDID": "AVD-KSV-0021", + "Title": "Runs with GID \u003c= 10000", + "Description": "Force the container to run with group ID \u003e 10000 to avoid conflicts with the host’s user table.", + "Message": "Container 'kubernetes-external-secrets' of Deployment 'devtron-kubernetes-external-secrets' should set 'securityContext.runAsGroup' \u003e 10000", + "Namespace": "builtin.kubernetes.KSV021", + "Query": "data.builtin.kubernetes.KSV021.deny", + "Resolution": "Set 'containers[].securityContext.runAsGroup' to an integer \u003e 10000.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv021", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-runasuser/", + "https://avd.aquasec.com/misconfig/ksv021" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 371, + "EndLine": 399, + "Code": { + "Lines": [ + { + "Number": 371, + "Content": " - name: kubernetes-external-secrets", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: kubernetes-external-secrets", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 372, + "Content": " image: \"ghcr.io/external-secrets/kubernetes-external-secrets:8.5.1\"", + "IsCause": 
true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"ghcr.io/external-secrets/kubernetes-external-secrets:8.5.1\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 373, + "Content": " ports:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mports\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 374, + "Content": " - name: prometheus", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: prometheus", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 375, + "Content": " containerPort: 3001", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m3001", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 376, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 377, + "Content": " resources:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mresources\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 378, + "Content": " {}", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " {}", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 379, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 380, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": 
"KSV030", + "AVDID": "AVD-KSV-0030", + "Title": "Runtime/Default Seccomp profile not set", + "Description": "According to pod security standard 'Seccomp', the RuntimeDefault seccomp profile must be required, or allow specific additional profiles.", + "Message": "Either Pod or Container should set 'securityContext.seccompProfile.type' to 'RuntimeDefault'", + "Namespace": "builtin.kubernetes.KSV030", + "Query": "data.builtin.kubernetes.KSV030.deny", + "Resolution": "Set 'spec.securityContext.seccompProfile.type', 'spec.containers[*].securityContext.seccompProfile' and 'spec.initContainers[*].securityContext.seccompProfile' to 'RuntimeDefault' or undefined.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv030", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", + "https://avd.aquasec.com/misconfig/ksv030" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 371, + "EndLine": 399, + "Code": { + "Lines": [ + { + "Number": 371, + "Content": " - name: kubernetes-external-secrets", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: kubernetes-external-secrets", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 372, + "Content": " image: \"ghcr.io/external-secrets/kubernetes-external-secrets:8.5.1\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"ghcr.io/external-secrets/kubernetes-external-secrets:8.5.1\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 373, + "Content": " ports:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mports\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 374, + "Content": " - name: prometheus", + "IsCause": true, + "Annotation": "", + 
"Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: prometheus", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 375, + "Content": " containerPort: 3001", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m3001", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 376, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 377, + "Content": " resources:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mresources\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 378, + "Content": " {}", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " {}", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 379, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 380, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV041", + "AVDID": "AVD-KSV-0041", + "Title": "Manage secrets", + "Description": "Viewing secrets at the cluster-scope is akin to cluster-admin in most clusters as there are typically at least one service accounts (their token stored in a secret) bound to cluster-admin directly or a role/clusterrole that gives similar permissions.", + "Message": "ClusterRole 'devtron-kubernetes-external-secrets' shouldn't have access to manage resource 'secrets'", + "Namespace": "builtin.kubernetes.KSV041", + "Query": "data.builtin.kubernetes.KSV041.deny", + 
"Resolution": "Manage secrets are not allowed. Remove resource 'secrets' from cluster role", + "Severity": "CRITICAL", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv041", + "References": [ + "https://kubernetes.io/docs/concepts/security/rbac-good-practices/", + "https://avd.aquasec.com/misconfig/ksv041" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 275, + "EndLine": 277, + "Code": { + "Lines": [ + { + "Number": 275, + "Content": " - apiGroups: [\"\"]", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mapiGroups\u001b[0m: [\u001b[38;5;37m\"\"\u001b[0m]", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 276, + "Content": " resources: [\"secrets\"]", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mresources\u001b[0m: [\u001b[38;5;37m\"secrets\"\u001b[0m]", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 277, + "Content": " verbs: [\"create\", \"update\", \"get\"]", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mverbs\u001b[0m: [\u001b[38;5;37m\"create\"\u001b[0m, \u001b[38;5;37m\"update\"\u001b[0m, \u001b[38;5;37m\"get\"\u001b[0m]", + "FirstCause": false, + "LastCause": true + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV104", + "AVDID": "AVD-KSV-0104", + "Title": "Seccomp policies disabled", + "Description": "A program inside the container can bypass Seccomp protection policies.", + "Message": "container \"kubernetes-external-secrets\" of deployment \"devtron-kubernetes-external-secrets\" in \"devtroncd\" namespace should specify a seccomp profile", + "Namespace": "builtin.kubernetes.KSV104", + "Query": "data.builtin.kubernetes.KSV104.deny", + "Resolution": "Specify seccomp either by annotation or by seccomp profile type having allowed values as per pod security standards", + 
"Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv104", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline", + "https://avd.aquasec.com/misconfig/ksv104" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 346, + "EndLine": 346, + "Code": { + "Lines": [ + { + "Number": 346, + "Content": "---", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "---", + "FirstCause": true, + "LastCause": true + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV106", + "AVDID": "AVD-KSV-0106", + "Title": "Container capabilities must only include NET_BIND_SERVICE", + "Description": "Containers must drop ALL capabilities, and are only permitted to add back the NET_BIND_SERVICE capability.", + "Message": "container should drop all", + "Namespace": "builtin.kubernetes.KSV106", + "Query": "data.builtin.kubernetes.KSV106.deny", + "Resolution": "Set 'spec.containers[*].securityContext.capabilities.drop' to 'ALL' and only add 'NET_BIND_SERVICE' to 'spec.containers[*].securityContext.capabilities.add'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv106", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", + "https://avd.aquasec.com/misconfig/ksv106" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 371, + "EndLine": 399, + "Code": { + "Lines": [ + { + "Number": 371, + "Content": " - name: kubernetes-external-secrets", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: kubernetes-external-secrets", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 372, + "Content": " image: \"ghcr.io/external-secrets/kubernetes-external-secrets:8.5.1\"", + "IsCause": true, + 
"Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"ghcr.io/external-secrets/kubernetes-external-secrets:8.5.1\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 373, + "Content": " ports:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mports\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 374, + "Content": " - name: prometheus", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: prometheus", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 375, + "Content": " containerPort: 3001", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m3001", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 376, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 377, + "Content": " resources:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mresources\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 378, + "Content": " {}", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " {}", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 379, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 380, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + } + ] + }, + { + "Target": "manifests/yamls/gitsensor.yaml", + 
"Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 153, + "Failures": 25, + "Exceptions": 0 + }, + "Misconfigurations": [ + { + "Type": "Kubernetes Security Check", + "ID": "KSV001", + "AVDID": "AVD-KSV-0001", + "Title": "Can elevate its own privileges", + "Description": "A program inside the container can elevate its own privileges and run as root, which might give the program control over the container and node.", + "Message": "Container 'chown-git-base' of StatefulSet 'git-sensor' should set 'securityContext.allowPrivilegeEscalation' to false", + "Namespace": "builtin.kubernetes.KSV001", + "Query": "data.builtin.kubernetes.KSV001.deny", + "Resolution": "Set 'set containers[].securityContext.allowPrivilegeEscalation' to 'false'.", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv001", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", + "https://avd.aquasec.com/misconfig/ksv001" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 66, + "EndLine": 80, + "Code": { + "Lines": [ + { + "Number": 66, + "Content": " - command:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mcommand\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 67, + "Content": " - /bin/sh", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - /bin/sh", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 68, + "Content": " - -c", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - -c", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 69, + "Content": " - mkdir -p /git-base/ssh-keys \u0026\u0026 chown -R devtron:devtron /git-base \u0026\u0026 chmod 777 /git-base/ssh-keys", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - 
mkdir -p /git-base/ssh-keys \u0026\u0026 chown -R devtron:devtron /git-base \u0026\u0026 chmod 777 /git-base/ssh-keys", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 70, + "Content": " image: \"quay.io/devtron/git-sensor:4bacf5f7-200-21575\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/git-sensor:4bacf5f7-200-21575\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 71, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 72, + "Content": " name: chown-git-base", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mname\u001b[0m: chown-git-base", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 73, + "Content": " resources: {}", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mresources\u001b[0m: {}", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 74, + "Content": " securityContext:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33msecurityContext\u001b[0m:", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 75, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV003", + "AVDID": "AVD-KSV-0003", + "Title": "Default capabilities: some containers do not drop all", + "Description": "The container should drop all default capabilities and add only those that are needed for its execution.", + "Message": "Container 'chown-git-base' of StatefulSet 'git-sensor' should add 'ALL' to 
'securityContext.capabilities.drop'", + "Namespace": "builtin.kubernetes.KSV003", + "Query": "data.builtin.kubernetes.KSV003.deny", + "Resolution": "Add 'ALL' to containers[].securityContext.capabilities.drop.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv003", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-capabilities-drop-index-all/", + "https://avd.aquasec.com/misconfig/ksv003" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 66, + "EndLine": 80, + "Code": { + "Lines": [ + { + "Number": 66, + "Content": " - command:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mcommand\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 67, + "Content": " - /bin/sh", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - /bin/sh", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 68, + "Content": " - -c", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - -c", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 69, + "Content": " - mkdir -p /git-base/ssh-keys \u0026\u0026 chown -R devtron:devtron /git-base \u0026\u0026 chmod 777 /git-base/ssh-keys", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - mkdir -p /git-base/ssh-keys \u0026\u0026 chown -R devtron:devtron /git-base \u0026\u0026 chmod 777 /git-base/ssh-keys", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 70, + "Content": " image: \"quay.io/devtron/git-sensor:4bacf5f7-200-21575\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/git-sensor:4bacf5f7-200-21575\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 71, + "Content": " imagePullPolicy: IfNotPresent", + 
"IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 72, + "Content": " name: chown-git-base", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mname\u001b[0m: chown-git-base", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 73, + "Content": " resources: {}", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mresources\u001b[0m: {}", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 74, + "Content": " securityContext:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33msecurityContext\u001b[0m:", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 75, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV003", + "AVDID": "AVD-KSV-0003", + "Title": "Default capabilities: some containers do not drop all", + "Description": "The container should drop all default capabilities and add only those that are needed for its execution.", + "Message": "Container 'git-sensor' of StatefulSet 'git-sensor' should add 'ALL' to 'securityContext.capabilities.drop'", + "Namespace": "builtin.kubernetes.KSV003", + "Query": "data.builtin.kubernetes.KSV003.deny", + "Resolution": "Add 'ALL' to containers[].securityContext.capabilities.drop.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv003", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-capabilities-drop-index-all/", + "https://avd.aquasec.com/misconfig/ksv003" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 82, + "EndLine": 100, + 
"Code": { + "Lines": [ + { + "Number": 82, + "Content": " - name: git-sensor", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: git-sensor", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 83, + "Content": " image: \"quay.io/devtron/git-sensor:4bacf5f7-200-21575\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/git-sensor:4bacf5f7-200-21575\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 84, + "Content": " securityContext:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33msecurityContext\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 85, + "Content": " allowPrivilegeEscalation: false", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mallowPrivilegeEscalation\u001b[0m: \u001b[38;5;166mfalse", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 86, + "Content": " runAsUser: 1000", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1000", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 87, + "Content": " runAsNonRoot: true", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 88, + "Content": " ports:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mports\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 89, + "Content": " - containerPort: 8080", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m8080", 
+ "FirstCause": false, + "LastCause": false + }, + { + "Number": 90, + "Content": " name: sensor", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mname\u001b[0m: sensor", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 91, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV011", + "AVDID": "AVD-KSV-0011", + "Title": "CPU not limited", + "Description": "Enforcing CPU limits prevents DoS via resource exhaustion.", + "Message": "Container 'chown-git-base' of StatefulSet 'git-sensor' should set 'resources.limits.cpu'", + "Namespace": "builtin.kubernetes.KSV011", + "Query": "data.builtin.kubernetes.KSV011.deny", + "Resolution": "Set a limit value under 'containers[].resources.limits.cpu'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv011", + "References": [ + "https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", + "https://avd.aquasec.com/misconfig/ksv011" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 66, + "EndLine": 80, + "Code": { + "Lines": [ + { + "Number": 66, + "Content": " - command:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mcommand\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 67, + "Content": " - /bin/sh", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - /bin/sh", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 68, + "Content": " - -c", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - -c", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 69, + "Content": " - mkdir -p /git-base/ssh-keys 
\u0026\u0026 chown -R devtron:devtron /git-base \u0026\u0026 chmod 777 /git-base/ssh-keys", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - mkdir -p /git-base/ssh-keys \u0026\u0026 chown -R devtron:devtron /git-base \u0026\u0026 chmod 777 /git-base/ssh-keys", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 70, + "Content": " image: \"quay.io/devtron/git-sensor:4bacf5f7-200-21575\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/git-sensor:4bacf5f7-200-21575\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 71, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 72, + "Content": " name: chown-git-base", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mname\u001b[0m: chown-git-base", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 73, + "Content": " resources: {}", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mresources\u001b[0m: {}", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 74, + "Content": " securityContext:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33msecurityContext\u001b[0m:", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 75, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV011", + "AVDID": "AVD-KSV-0011", + "Title": "CPU not limited", + "Description": "Enforcing CPU limits prevents DoS via resource exhaustion.", + "Message": "Container 
'git-sensor' of StatefulSet 'git-sensor' should set 'resources.limits.cpu'", + "Namespace": "builtin.kubernetes.KSV011", + "Query": "data.builtin.kubernetes.KSV011.deny", + "Resolution": "Set a limit value under 'containers[].resources.limits.cpu'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv011", + "References": [ + "https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", + "https://avd.aquasec.com/misconfig/ksv011" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 82, + "EndLine": 100, + "Code": { + "Lines": [ + { + "Number": 82, + "Content": " - name: git-sensor", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: git-sensor", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 83, + "Content": " image: \"quay.io/devtron/git-sensor:4bacf5f7-200-21575\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/git-sensor:4bacf5f7-200-21575\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 84, + "Content": " securityContext:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33msecurityContext\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 85, + "Content": " allowPrivilegeEscalation: false", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mallowPrivilegeEscalation\u001b[0m: \u001b[38;5;166mfalse", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 86, + "Content": " runAsUser: 1000", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1000", + "FirstCause": false, + "LastCause": false + }, + { 
+ "Number": 87, + "Content": " runAsNonRoot: true", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 88, + "Content": " ports:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mports\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 89, + "Content": " - containerPort: 8080", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m8080", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 90, + "Content": " name: sensor", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mname\u001b[0m: sensor", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 91, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV012", + "AVDID": "AVD-KSV-0012", + "Title": "Runs as root user", + "Description": "Force the running image to run as a non-root user to ensure least privileges.", + "Message": "Container 'chown-git-base' of StatefulSet 'git-sensor' should set 'securityContext.runAsNonRoot' to true", + "Namespace": "builtin.kubernetes.KSV012", + "Query": "data.builtin.kubernetes.KSV012.deny", + "Resolution": "Set 'containers[].securityContext.runAsNonRoot' to true.", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv012", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", + "https://avd.aquasec.com/misconfig/ksv012" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 66, + "EndLine": 80, + 
"Code": { + "Lines": [ + { + "Number": 66, + "Content": " - command:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mcommand\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 67, + "Content": " - /bin/sh", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - /bin/sh", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 68, + "Content": " - -c", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - -c", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 69, + "Content": " - mkdir -p /git-base/ssh-keys \u0026\u0026 chown -R devtron:devtron /git-base \u0026\u0026 chmod 777 /git-base/ssh-keys", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - mkdir -p /git-base/ssh-keys \u0026\u0026 chown -R devtron:devtron /git-base \u0026\u0026 chmod 777 /git-base/ssh-keys", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 70, + "Content": " image: \"quay.io/devtron/git-sensor:4bacf5f7-200-21575\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/git-sensor:4bacf5f7-200-21575\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 71, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 72, + "Content": " name: chown-git-base", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mname\u001b[0m: chown-git-base", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 73, + "Content": " resources: {}", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mresources\u001b[0m: {}", + 
"FirstCause": false, + "LastCause": false + }, + { + "Number": 74, + "Content": " securityContext:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33msecurityContext\u001b[0m:", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 75, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV014", + "AVDID": "AVD-KSV-0014", + "Title": "Root file system is not read-only", + "Description": "An immutable root file system prevents applications from writing to their local disk. This can limit intrusions, as attackers will not be able to tamper with the file system or write foreign executables to disk.", + "Message": "Container 'chown-git-base' of StatefulSet 'git-sensor' should set 'securityContext.readOnlyRootFilesystem' to true", + "Namespace": "builtin.kubernetes.KSV014", + "Query": "data.builtin.kubernetes.KSV014.deny", + "Resolution": "Change 'containers[].securityContext.readOnlyRootFilesystem' to 'true'.", + "Severity": "HIGH", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv014", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-readonlyrootfilesystem-true/", + "https://avd.aquasec.com/misconfig/ksv014" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 66, + "EndLine": 80, + "Code": { + "Lines": [ + { + "Number": 66, + "Content": " - command:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mcommand\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 67, + "Content": " - /bin/sh", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - /bin/sh", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 68, + "Content": " - -c", + "IsCause": true, + 
"Annotation": "", + "Truncated": false, + "Highlighted": " - -c", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 69, + "Content": " - mkdir -p /git-base/ssh-keys \u0026\u0026 chown -R devtron:devtron /git-base \u0026\u0026 chmod 777 /git-base/ssh-keys", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - mkdir -p /git-base/ssh-keys \u0026\u0026 chown -R devtron:devtron /git-base \u0026\u0026 chmod 777 /git-base/ssh-keys", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 70, + "Content": " image: \"quay.io/devtron/git-sensor:4bacf5f7-200-21575\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/git-sensor:4bacf5f7-200-21575\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 71, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 72, + "Content": " name: chown-git-base", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mname\u001b[0m: chown-git-base", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 73, + "Content": " resources: {}", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mresources\u001b[0m: {}", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 74, + "Content": " securityContext:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33msecurityContext\u001b[0m:", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 75, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": 
"KSV014", + "AVDID": "AVD-KSV-0014", + "Title": "Root file system is not read-only", + "Description": "An immutable root file system prevents applications from writing to their local disk. This can limit intrusions, as attackers will not be able to tamper with the file system or write foreign executables to disk.", + "Message": "Container 'git-sensor' of StatefulSet 'git-sensor' should set 'securityContext.readOnlyRootFilesystem' to true", + "Namespace": "builtin.kubernetes.KSV014", + "Query": "data.builtin.kubernetes.KSV014.deny", + "Resolution": "Change 'containers[].securityContext.readOnlyRootFilesystem' to 'true'.", + "Severity": "HIGH", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv014", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-readonlyrootfilesystem-true/", + "https://avd.aquasec.com/misconfig/ksv014" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 82, + "EndLine": 100, + "Code": { + "Lines": [ + { + "Number": 82, + "Content": " - name: git-sensor", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: git-sensor", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 83, + "Content": " image: \"quay.io/devtron/git-sensor:4bacf5f7-200-21575\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/git-sensor:4bacf5f7-200-21575\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 84, + "Content": " securityContext:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33msecurityContext\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 85, + "Content": " allowPrivilegeEscalation: false", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " 
\u001b[38;5;33mallowPrivilegeEscalation\u001b[0m: \u001b[38;5;166mfalse", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 86, + "Content": " runAsUser: 1000", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1000", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 87, + "Content": " runAsNonRoot: true", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 88, + "Content": " ports:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mports\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 89, + "Content": " - containerPort: 8080", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m8080", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 90, + "Content": " name: sensor", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mname\u001b[0m: sensor", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 91, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV015", + "AVDID": "AVD-KSV-0015", + "Title": "CPU requests not specified", + "Description": "When containers have resource requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", + "Message": "Container 'chown-git-base' of StatefulSet 'git-sensor' should set 'resources.requests.cpu'", + "Namespace": "builtin.kubernetes.KSV015", + "Query": "data.builtin.kubernetes.KSV015.deny", 
+ "Resolution": "Set 'containers[].resources.requests.cpu'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv015", + "References": [ + "https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", + "https://avd.aquasec.com/misconfig/ksv015" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 66, + "EndLine": 80, + "Code": { + "Lines": [ + { + "Number": 66, + "Content": " - command:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mcommand\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 67, + "Content": " - /bin/sh", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - /bin/sh", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 68, + "Content": " - -c", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - -c", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 69, + "Content": " - mkdir -p /git-base/ssh-keys \u0026\u0026 chown -R devtron:devtron /git-base \u0026\u0026 chmod 777 /git-base/ssh-keys", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - mkdir -p /git-base/ssh-keys \u0026\u0026 chown -R devtron:devtron /git-base \u0026\u0026 chmod 777 /git-base/ssh-keys", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 70, + "Content": " image: \"quay.io/devtron/git-sensor:4bacf5f7-200-21575\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/git-sensor:4bacf5f7-200-21575\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 71, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m 
\u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 72, + "Content": " name: chown-git-base", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mname\u001b[0m: chown-git-base", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 73, + "Content": " resources: {}", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mresources\u001b[0m: {}", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 74, + "Content": " securityContext:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33msecurityContext\u001b[0m:", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 75, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV015", + "AVDID": "AVD-KSV-0015", + "Title": "CPU requests not specified", + "Description": "When containers have resource requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", + "Message": "Container 'git-sensor' of StatefulSet 'git-sensor' should set 'resources.requests.cpu'", + "Namespace": "builtin.kubernetes.KSV015", + "Query": "data.builtin.kubernetes.KSV015.deny", + "Resolution": "Set 'containers[].resources.requests.cpu'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv015", + "References": [ + "https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", + "https://avd.aquasec.com/misconfig/ksv015" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 82, + "EndLine": 100, + "Code": { + "Lines": [ + { + "Number": 82, + "Content": " - 
name: git-sensor", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: git-sensor", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 83, + "Content": " image: \"quay.io/devtron/git-sensor:4bacf5f7-200-21575\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/git-sensor:4bacf5f7-200-21575\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 84, + "Content": " securityContext:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33msecurityContext\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 85, + "Content": " allowPrivilegeEscalation: false", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mallowPrivilegeEscalation\u001b[0m: \u001b[38;5;166mfalse", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 86, + "Content": " runAsUser: 1000", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1000", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 87, + "Content": " runAsNonRoot: true", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 88, + "Content": " ports:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mports\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 89, + "Content": " - containerPort: 8080", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m8080", + "FirstCause": false, + "LastCause": false + }, + { + 
"Number": 90, + "Content": " name: sensor", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mname\u001b[0m: sensor", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 91, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV016", + "AVDID": "AVD-KSV-0016", + "Title": "Memory requests not specified", + "Description": "When containers have memory requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", + "Message": "Container 'chown-git-base' of StatefulSet 'git-sensor' should set 'resources.requests.memory'", + "Namespace": "builtin.kubernetes.KSV016", + "Query": "data.builtin.kubernetes.KSV016.deny", + "Resolution": "Set 'containers[].resources.requests.memory'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv016", + "References": [ + "https://kubesec.io/basics/containers-resources-limits-memory/", + "https://avd.aquasec.com/misconfig/ksv016" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 66, + "EndLine": 80, + "Code": { + "Lines": [ + { + "Number": 66, + "Content": " - command:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mcommand\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 67, + "Content": " - /bin/sh", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - /bin/sh", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 68, + "Content": " - -c", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - -c", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 69, + "Content": " - mkdir -p /git-base/ssh-keys 
\u0026\u0026 chown -R devtron:devtron /git-base \u0026\u0026 chmod 777 /git-base/ssh-keys", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - mkdir -p /git-base/ssh-keys \u0026\u0026 chown -R devtron:devtron /git-base \u0026\u0026 chmod 777 /git-base/ssh-keys", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 70, + "Content": " image: \"quay.io/devtron/git-sensor:4bacf5f7-200-21575\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/git-sensor:4bacf5f7-200-21575\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 71, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 72, + "Content": " name: chown-git-base", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mname\u001b[0m: chown-git-base", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 73, + "Content": " resources: {}", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mresources\u001b[0m: {}", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 74, + "Content": " securityContext:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33msecurityContext\u001b[0m:", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 75, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV016", + "AVDID": "AVD-KSV-0016", + "Title": "Memory requests not specified", + "Description": "When containers have memory requests specified, the scheduler can make better 
decisions about which nodes to place pods on, and how to deal with resource contention.", + "Message": "Container 'git-sensor' of StatefulSet 'git-sensor' should set 'resources.requests.memory'", + "Namespace": "builtin.kubernetes.KSV016", + "Query": "data.builtin.kubernetes.KSV016.deny", + "Resolution": "Set 'containers[].resources.requests.memory'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv016", + "References": [ + "https://kubesec.io/basics/containers-resources-limits-memory/", + "https://avd.aquasec.com/misconfig/ksv016" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 82, + "EndLine": 100, + "Code": { + "Lines": [ + { + "Number": 82, + "Content": " - name: git-sensor", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: git-sensor", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 83, + "Content": " image: \"quay.io/devtron/git-sensor:4bacf5f7-200-21575\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/git-sensor:4bacf5f7-200-21575\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 84, + "Content": " securityContext:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33msecurityContext\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 85, + "Content": " allowPrivilegeEscalation: false", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mallowPrivilegeEscalation\u001b[0m: \u001b[38;5;166mfalse", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 86, + "Content": " runAsUser: 1000", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1000", + 
"FirstCause": false, + "LastCause": false + }, + { + "Number": 87, + "Content": " runAsNonRoot: true", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 88, + "Content": " ports:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mports\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 89, + "Content": " - containerPort: 8080", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m8080", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 90, + "Content": " name: sensor", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mname\u001b[0m: sensor", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 91, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV018", + "AVDID": "AVD-KSV-0018", + "Title": "Memory not limited", + "Description": "Enforcing memory limits prevents DoS via resource exhaustion.", + "Message": "Container 'chown-git-base' of StatefulSet 'git-sensor' should set 'resources.limits.memory'", + "Namespace": "builtin.kubernetes.KSV018", + "Query": "data.builtin.kubernetes.KSV018.deny", + "Resolution": "Set a limit value under 'containers[].resources.limits.memory'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv018", + "References": [ + "https://kubesec.io/basics/containers-resources-limits-memory/", + "https://avd.aquasec.com/misconfig/ksv018" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 66, + 
"EndLine": 80, + "Code": { + "Lines": [ + { + "Number": 66, + "Content": " - command:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mcommand\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 67, + "Content": " - /bin/sh", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - /bin/sh", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 68, + "Content": " - -c", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - -c", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 69, + "Content": " - mkdir -p /git-base/ssh-keys \u0026\u0026 chown -R devtron:devtron /git-base \u0026\u0026 chmod 777 /git-base/ssh-keys", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - mkdir -p /git-base/ssh-keys \u0026\u0026 chown -R devtron:devtron /git-base \u0026\u0026 chmod 777 /git-base/ssh-keys", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 70, + "Content": " image: \"quay.io/devtron/git-sensor:4bacf5f7-200-21575\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/git-sensor:4bacf5f7-200-21575\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 71, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 72, + "Content": " name: chown-git-base", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mname\u001b[0m: chown-git-base", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 73, + "Content": " resources: {}", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " 
\u001b[38;5;33mresources\u001b[0m: {}", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 74, + "Content": " securityContext:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33msecurityContext\u001b[0m:", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 75, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV018", + "AVDID": "AVD-KSV-0018", + "Title": "Memory not limited", + "Description": "Enforcing memory limits prevents DoS via resource exhaustion.", + "Message": "Container 'git-sensor' of StatefulSet 'git-sensor' should set 'resources.limits.memory'", + "Namespace": "builtin.kubernetes.KSV018", + "Query": "data.builtin.kubernetes.KSV018.deny", + "Resolution": "Set a limit value under 'containers[].resources.limits.memory'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv018", + "References": [ + "https://kubesec.io/basics/containers-resources-limits-memory/", + "https://avd.aquasec.com/misconfig/ksv018" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 82, + "EndLine": 100, + "Code": { + "Lines": [ + { + "Number": 82, + "Content": " - name: git-sensor", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: git-sensor", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 83, + "Content": " image: \"quay.io/devtron/git-sensor:4bacf5f7-200-21575\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/git-sensor:4bacf5f7-200-21575\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 84, + "Content": " securityContext:", + "IsCause": true, + "Annotation": "", + 
"Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33msecurityContext\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 85, + "Content": " allowPrivilegeEscalation: false", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mallowPrivilegeEscalation\u001b[0m: \u001b[38;5;166mfalse", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 86, + "Content": " runAsUser: 1000", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1000", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 87, + "Content": " runAsNonRoot: true", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 88, + "Content": " ports:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mports\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 89, + "Content": " - containerPort: 8080", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m8080", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 90, + "Content": " name: sensor", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mname\u001b[0m: sensor", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 91, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV020", + "AVDID": "AVD-KSV-0020", + "Title": "Runs with UID \u003c= 10000", + "Description": "Force the container to run with user ID \u003e 10000 to avoid conflicts with the 
host’s user table.", + "Message": "Container 'chown-git-base' of StatefulSet 'git-sensor' should set 'securityContext.runAsUser' \u003e 10000", + "Namespace": "builtin.kubernetes.KSV020", + "Query": "data.builtin.kubernetes.KSV020.deny", + "Resolution": "Set 'containers[].securityContext.runAsUser' to an integer \u003e 10000.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv020", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-runasuser/", + "https://avd.aquasec.com/misconfig/ksv020" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 66, + "EndLine": 80, + "Code": { + "Lines": [ + { + "Number": 66, + "Content": " - command:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mcommand\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 67, + "Content": " - /bin/sh", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - /bin/sh", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 68, + "Content": " - -c", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - -c", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 69, + "Content": " - mkdir -p /git-base/ssh-keys \u0026\u0026 chown -R devtron:devtron /git-base \u0026\u0026 chmod 777 /git-base/ssh-keys", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - mkdir -p /git-base/ssh-keys \u0026\u0026 chown -R devtron:devtron /git-base \u0026\u0026 chmod 777 /git-base/ssh-keys", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 70, + "Content": " image: \"quay.io/devtron/git-sensor:4bacf5f7-200-21575\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/git-sensor:4bacf5f7-200-21575\"", + "FirstCause": false, 
+ "LastCause": false + }, + { + "Number": 71, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 72, + "Content": " name: chown-git-base", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mname\u001b[0m: chown-git-base", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 73, + "Content": " resources: {}", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mresources\u001b[0m: {}", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 74, + "Content": " securityContext:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33msecurityContext\u001b[0m:", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 75, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV020", + "AVDID": "AVD-KSV-0020", + "Title": "Runs with UID \u003c= 10000", + "Description": "Force the container to run with user ID \u003e 10000 to avoid conflicts with the host’s user table.", + "Message": "Container 'git-sensor' of StatefulSet 'git-sensor' should set 'securityContext.runAsUser' \u003e 10000", + "Namespace": "builtin.kubernetes.KSV020", + "Query": "data.builtin.kubernetes.KSV020.deny", + "Resolution": "Set 'containers[].securityContext.runAsUser' to an integer \u003e 10000.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv020", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-runasuser/", + "https://avd.aquasec.com/misconfig/ksv020" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": 
"general", + "StartLine": 82, + "EndLine": 100, + "Code": { + "Lines": [ + { + "Number": 82, + "Content": " - name: git-sensor", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: git-sensor", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 83, + "Content": " image: \"quay.io/devtron/git-sensor:4bacf5f7-200-21575\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/git-sensor:4bacf5f7-200-21575\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 84, + "Content": " securityContext:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33msecurityContext\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 85, + "Content": " allowPrivilegeEscalation: false", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mallowPrivilegeEscalation\u001b[0m: \u001b[38;5;166mfalse", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 86, + "Content": " runAsUser: 1000", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1000", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 87, + "Content": " runAsNonRoot: true", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 88, + "Content": " ports:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mports\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 89, + "Content": " - containerPort: 8080", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - 
\u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m8080", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 90, + "Content": " name: sensor", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mname\u001b[0m: sensor", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 91, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV021", + "AVDID": "AVD-KSV-0021", + "Title": "Runs with GID \u003c= 10000", + "Description": "Force the container to run with group ID \u003e 10000 to avoid conflicts with the host’s user table.", + "Message": "Container 'chown-git-base' of StatefulSet 'git-sensor' should set 'securityContext.runAsGroup' \u003e 10000", + "Namespace": "builtin.kubernetes.KSV021", + "Query": "data.builtin.kubernetes.KSV021.deny", + "Resolution": "Set 'containers[].securityContext.runAsGroup' to an integer \u003e 10000.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv021", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-runasuser/", + "https://avd.aquasec.com/misconfig/ksv021" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 66, + "EndLine": 80, + "Code": { + "Lines": [ + { + "Number": 66, + "Content": " - command:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mcommand\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 67, + "Content": " - /bin/sh", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - /bin/sh", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 68, + "Content": " - -c", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - -c", + "FirstCause": 
false, + "LastCause": false + }, + { + "Number": 69, + "Content": " - mkdir -p /git-base/ssh-keys \u0026\u0026 chown -R devtron:devtron /git-base \u0026\u0026 chmod 777 /git-base/ssh-keys", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - mkdir -p /git-base/ssh-keys \u0026\u0026 chown -R devtron:devtron /git-base \u0026\u0026 chmod 777 /git-base/ssh-keys", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 70, + "Content": " image: \"quay.io/devtron/git-sensor:4bacf5f7-200-21575\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/git-sensor:4bacf5f7-200-21575\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 71, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 72, + "Content": " name: chown-git-base", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mname\u001b[0m: chown-git-base", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 73, + "Content": " resources: {}", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mresources\u001b[0m: {}", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 74, + "Content": " securityContext:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33msecurityContext\u001b[0m:", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 75, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV021", + "AVDID": "AVD-KSV-0021", + "Title": "Runs with GID \u003c= 10000", + 
"Description": "Force the container to run with group ID \u003e 10000 to avoid conflicts with the host’s user table.", + "Message": "Container 'git-sensor' of StatefulSet 'git-sensor' should set 'securityContext.runAsGroup' \u003e 10000", + "Namespace": "builtin.kubernetes.KSV021", + "Query": "data.builtin.kubernetes.KSV021.deny", + "Resolution": "Set 'containers[].securityContext.runAsGroup' to an integer \u003e 10000.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv021", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-runasuser/", + "https://avd.aquasec.com/misconfig/ksv021" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 82, + "EndLine": 100, + "Code": { + "Lines": [ + { + "Number": 82, + "Content": " - name: git-sensor", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: git-sensor", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 83, + "Content": " image: \"quay.io/devtron/git-sensor:4bacf5f7-200-21575\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/git-sensor:4bacf5f7-200-21575\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 84, + "Content": " securityContext:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33msecurityContext\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 85, + "Content": " allowPrivilegeEscalation: false", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mallowPrivilegeEscalation\u001b[0m: \u001b[38;5;166mfalse", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 86, + "Content": " runAsUser: 1000", + "IsCause": true, + "Annotation": "", + "Truncated": false, + 
"Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1000", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 87, + "Content": " runAsNonRoot: true", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 88, + "Content": " ports:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mports\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 89, + "Content": " - containerPort: 8080", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m8080", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 90, + "Content": " name: sensor", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mname\u001b[0m: sensor", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 91, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV030", + "AVDID": "AVD-KSV-0030", + "Title": "Runtime/Default Seccomp profile not set", + "Description": "According to pod security standard 'Seccomp', the RuntimeDefault seccomp profile must be required, or allow specific additional profiles.", + "Message": "Either Pod or Container should set 'securityContext.seccompProfile.type' to 'RuntimeDefault'", + "Namespace": "builtin.kubernetes.KSV030", + "Query": "data.builtin.kubernetes.KSV030.deny", + "Resolution": "Set 'spec.securityContext.seccompProfile.type', 'spec.containers[*].securityContext.seccompProfile' and 'spec.initContainers[*].securityContext.seccompProfile' to 'RuntimeDefault' or undefined.", + "Severity": "LOW", + "PrimaryURL": 
"https://avd.aquasec.com/misconfig/ksv030", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", + "https://avd.aquasec.com/misconfig/ksv030" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 66, + "EndLine": 80, + "Code": { + "Lines": [ + { + "Number": 66, + "Content": " - command:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mcommand\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 67, + "Content": " - /bin/sh", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - /bin/sh", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 68, + "Content": " - -c", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - -c", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 69, + "Content": " - mkdir -p /git-base/ssh-keys \u0026\u0026 chown -R devtron:devtron /git-base \u0026\u0026 chmod 777 /git-base/ssh-keys", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - mkdir -p /git-base/ssh-keys \u0026\u0026 chown -R devtron:devtron /git-base \u0026\u0026 chmod 777 /git-base/ssh-keys", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 70, + "Content": " image: \"quay.io/devtron/git-sensor:4bacf5f7-200-21575\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/git-sensor:4bacf5f7-200-21575\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 71, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 72, + "Content": " name: chown-git-base", + 
"IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mname\u001b[0m: chown-git-base", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 73, + "Content": " resources: {}", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mresources\u001b[0m: {}", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 74, + "Content": " securityContext:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33msecurityContext\u001b[0m:", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 75, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV030", + "AVDID": "AVD-KSV-0030", + "Title": "Runtime/Default Seccomp profile not set", + "Description": "According to pod security standard 'Seccomp', the RuntimeDefault seccomp profile must be required, or allow specific additional profiles.", + "Message": "Either Pod or Container should set 'securityContext.seccompProfile.type' to 'RuntimeDefault'", + "Namespace": "builtin.kubernetes.KSV030", + "Query": "data.builtin.kubernetes.KSV030.deny", + "Resolution": "Set 'spec.securityContext.seccompProfile.type', 'spec.containers[*].securityContext.seccompProfile' and 'spec.initContainers[*].securityContext.seccompProfile' to 'RuntimeDefault' or undefined.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv030", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", + "https://avd.aquasec.com/misconfig/ksv030" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 82, + "EndLine": 100, + "Code": { + "Lines": [ + { + "Number": 82, + "Content": " - name: git-sensor", + "IsCause": true, + "Annotation": "", + 
"Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: git-sensor", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 83, + "Content": " image: \"quay.io/devtron/git-sensor:4bacf5f7-200-21575\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/git-sensor:4bacf5f7-200-21575\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 84, + "Content": " securityContext:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33msecurityContext\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 85, + "Content": " allowPrivilegeEscalation: false", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mallowPrivilegeEscalation\u001b[0m: \u001b[38;5;166mfalse", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 86, + "Content": " runAsUser: 1000", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1000", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 87, + "Content": " runAsNonRoot: true", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 88, + "Content": " ports:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mports\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 89, + "Content": " - containerPort: 8080", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m8080", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 90, + "Content": " name: sensor", + "IsCause": true, + 
"Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mname\u001b[0m: sensor", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 91, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV104", + "AVDID": "AVD-KSV-0104", + "Title": "Seccomp policies disabled", + "Description": "A program inside the container can bypass Seccomp protection policies.", + "Message": "container \"chown-git-base\" of statefulset \"git-sensor\" in \"default\" namespace should specify a seccomp profile", + "Namespace": "builtin.kubernetes.KSV104", + "Query": "data.builtin.kubernetes.KSV104.deny", + "Resolution": "Specify seccomp either by annotation or by seccomp profile type having allowed values as per pod security standards", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv104", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline", + "https://avd.aquasec.com/misconfig/ksv104" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 41, + "EndLine": 41, + "Code": { + "Lines": [ + { + "Number": 41, + "Content": "---", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "---", + "FirstCause": true, + "LastCause": true + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV104", + "AVDID": "AVD-KSV-0104", + "Title": "Seccomp policies disabled", + "Description": "A program inside the container can bypass Seccomp protection policies.", + "Message": "container \"git-sensor\" of statefulset \"git-sensor\" in \"default\" namespace should specify a seccomp profile", + "Namespace": "builtin.kubernetes.KSV104", + "Query": "data.builtin.kubernetes.KSV104.deny", + "Resolution": "Specify seccomp either by annotation or by 
seccomp profile type having allowed values as per pod security standards", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv104", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline", + "https://avd.aquasec.com/misconfig/ksv104" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 41, + "EndLine": 41, + "Code": { + "Lines": [ + { + "Number": 41, + "Content": "---", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "---", + "FirstCause": true, + "LastCause": true + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV105", + "AVDID": "AVD-KSV-0105", + "Title": "Containers must not set runAsUser to 0", + "Description": "Containers should be forbidden from running with a root UID.", + "Message": "securityContext.runAsUser should be set to a value greater than 0", + "Namespace": "builtin.kubernetes.KSV105", + "Query": "data.builtin.kubernetes.KSV105.deny", + "Resolution": "Set 'securityContext.runAsUser' to a non-zero integer or leave undefined.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv105", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", + "https://avd.aquasec.com/misconfig/ksv105" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 75, + "EndLine": 75, + "Code": { + "Lines": [ + { + "Number": 75, + "Content": " runAsUser: 0", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m0", + "FirstCause": true, + "LastCause": true + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV106", + "AVDID": "AVD-KSV-0106", + "Title": "Container capabilities must only include NET_BIND_SERVICE", + "Description": "Containers 
must drop ALL capabilities, and are only permitted to add back the NET_BIND_SERVICE capability.", + "Message": "container should drop all", + "Namespace": "builtin.kubernetes.KSV106", + "Query": "data.builtin.kubernetes.KSV106.deny", + "Resolution": "Set 'spec.containers[*].securityContext.capabilities.drop' to 'ALL' and only add 'NET_BIND_SERVICE' to 'spec.containers[*].securityContext.capabilities.add'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv106", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", + "https://avd.aquasec.com/misconfig/ksv106" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 66, + "EndLine": 80, + "Code": { + "Lines": [ + { + "Number": 66, + "Content": " - command:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mcommand\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 67, + "Content": " - /bin/sh", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - /bin/sh", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 68, + "Content": " - -c", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - -c", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 69, + "Content": " - mkdir -p /git-base/ssh-keys \u0026\u0026 chown -R devtron:devtron /git-base \u0026\u0026 chmod 777 /git-base/ssh-keys", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - mkdir -p /git-base/ssh-keys \u0026\u0026 chown -R devtron:devtron /git-base \u0026\u0026 chmod 777 /git-base/ssh-keys", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 70, + "Content": " image: \"quay.io/devtron/git-sensor:4bacf5f7-200-21575\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " 
\u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/git-sensor:4bacf5f7-200-21575\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 71, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 72, + "Content": " name: chown-git-base", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mname\u001b[0m: chown-git-base", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 73, + "Content": " resources: {}", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mresources\u001b[0m: {}", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 74, + "Content": " securityContext:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33msecurityContext\u001b[0m:", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 75, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV106", + "AVDID": "AVD-KSV-0106", + "Title": "Container capabilities must only include NET_BIND_SERVICE", + "Description": "Containers must drop ALL capabilities, and are only permitted to add back the NET_BIND_SERVICE capability.", + "Message": "container should drop all", + "Namespace": "builtin.kubernetes.KSV106", + "Query": "data.builtin.kubernetes.KSV106.deny", + "Resolution": "Set 'spec.containers[*].securityContext.capabilities.drop' to 'ALL' and only add 'NET_BIND_SERVICE' to 'spec.containers[*].securityContext.capabilities.add'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv106", + "References": [ + 
"https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", + "https://avd.aquasec.com/misconfig/ksv106" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 82, + "EndLine": 100, + "Code": { + "Lines": [ + { + "Number": 82, + "Content": " - name: git-sensor", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: git-sensor", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 83, + "Content": " image: \"quay.io/devtron/git-sensor:4bacf5f7-200-21575\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/git-sensor:4bacf5f7-200-21575\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 84, + "Content": " securityContext:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33msecurityContext\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 85, + "Content": " allowPrivilegeEscalation: false", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mallowPrivilegeEscalation\u001b[0m: \u001b[38;5;166mfalse", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 86, + "Content": " runAsUser: 1000", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1000", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 87, + "Content": " runAsNonRoot: true", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 88, + "Content": " ports:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m 
\u001b[38;5;33mports\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 89, + "Content": " - containerPort: 8080", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m8080", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 90, + "Content": " name: sensor", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mname\u001b[0m: sensor", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 91, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + } + ] + }, + { + "Target": "manifests/yamls/grafana.yaml", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 153, + "Failures": 81, + "Exceptions": 0 + }, + "Misconfigurations": [ + { + "Type": "Kubernetes Security Check", + "ID": "KSV001", + "AVDID": "AVD-KSV-0001", + "Title": "Can elevate its own privileges", + "Description": "A program inside the container can elevate its own privileges and run as root, which might give the program control over the container and node.", + "Message": "Container 'devtron-test' of Pod 'devtron-grafana-test' should set 'securityContext.allowPrivilegeEscalation' to false", + "Namespace": "builtin.kubernetes.KSV001", + "Query": "data.builtin.kubernetes.KSV001.deny", + "Resolution": "Set 'set containers[].securityContext.allowPrivilegeEscalation' to 'false'.", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv001", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", + "https://avd.aquasec.com/misconfig/ksv001" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 628, + "EndLine": 635, + "Code": { + "Lines": [ + { + "Number": 628, + "Content": " - 
name: devtron-test", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: devtron-test", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 629, + "Content": " image: \"quay.io/devtron/bats:v1.1.0\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/bats:v1.1.0\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 630, + "Content": " imagePullPolicy: \"IfNotPresent\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: \u001b[38;5;37m\"IfNotPresent\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 631, + "Content": " command: [\"/opt/bats/bin/bats\", \"-t\", \"/tests/run.sh\"]", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mcommand\u001b[0m: [\u001b[38;5;37m\"/opt/bats/bin/bats\"\u001b[0m, \u001b[38;5;37m\"-t\"\u001b[0m, \u001b[38;5;37m\"/tests/run.sh\"\u001b[0m]", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 632, + "Content": " volumeMounts:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvolumeMounts\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 633, + "Content": " - mountPath: /tests", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mmountPath\u001b[0m: /tests", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 634, + "Content": " name: tests", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mname\u001b[0m: tests", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 635, + "Content": " readOnly: true", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " 
\u001b[38;5;33mreadOnly\u001b[0m: \u001b[38;5;166mtrue", + "FirstCause": false, + "LastCause": true + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV001", + "AVDID": "AVD-KSV-0001", + "Title": "Can elevate its own privileges", + "Description": "A program inside the container can elevate its own privileges and run as root, which might give the program control over the container and node.", + "Message": "Container 'download-dashboards' of Deployment 'devtron-grafana' should set 'securityContext.allowPrivilegeEscalation' to false", + "Namespace": "builtin.kubernetes.KSV001", + "Query": "data.builtin.kubernetes.KSV001.deny", + "Resolution": "Set 'set containers[].securityContext.allowPrivilegeEscalation' to 'false'.", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv001", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", + "https://avd.aquasec.com/misconfig/ksv001" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 467, + "EndLine": 480, + "Code": { + "Lines": [ + { + "Number": 467, + "Content": " - name: download-dashboards", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: download-dashboards", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 468, + "Content": " image: \"quay.io/devtron/curl:7.73.0\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/curl:7.73.0\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 469, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 470, + "Content": " 
command: [\"/bin/sh\"]", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mcommand\u001b[0m: [\u001b[38;5;37m\"/bin/sh\"\u001b[0m]", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 471, + "Content": " args: [ \"-c\", \"mkdir -p /var/lib/grafana/dashboards/default \u0026\u0026 /bin/sh /etc/grafana/download_dashboards.sh\" ]", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33margs\u001b[0m: [ \u001b[38;5;37m\"-c\"\u001b[0m, \u001b[38;5;37m\"mkdir -p /var/lib/grafana/dashboards/default \u0026\u0026 /bin/sh /etc/grafana/download_dashboards.sh\"\u001b[0m ]", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 472, + "Content": " resources:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mresources\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 473, + "Content": " {}", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " {}", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 474, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 475, + "Content": " volumeMounts:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvolumeMounts\u001b[0m:", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 476, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV001", + "AVDID": "AVD-KSV-0001", + "Title": "Can elevate its own privileges", + "Description": "A program inside the container can elevate its own privileges and run as root, which might give the program control over the container and node.", + 
"Message": "Container 'grafana' of Deployment 'devtron-grafana' should set 'securityContext.allowPrivilegeEscalation' to false", + "Namespace": "builtin.kubernetes.KSV001", + "Query": "data.builtin.kubernetes.KSV001.deny", + "Resolution": "Set 'set containers[].securityContext.allowPrivilegeEscalation' to 'false'.", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv001", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", + "https://avd.aquasec.com/misconfig/ksv001" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 516, + "EndLine": 565, + "Code": { + "Lines": [ + { + "Number": 516, + "Content": " - name: grafana", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: grafana", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 517, + "Content": " image: \"quay.io/devtron/grafana:7.3.1\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/grafana:7.3.1\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 518, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 519, + "Content": " volumeMounts:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvolumeMounts\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 520, + "Content": " - name: config", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: config", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 521, + "Content": " 
mountPath: \"/etc/grafana/grafana.ini\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mmountPath\u001b[0m: \u001b[38;5;37m\"/etc/grafana/grafana.ini\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 522, + "Content": " subPath: grafana.ini", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33msubPath\u001b[0m: grafana.ini", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 523, + "Content": " - name: storage", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: storage", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 524, + "Content": " mountPath: \"/var/lib/grafana\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mmountPath\u001b[0m: \u001b[38;5;37m\"/var/lib/grafana\"", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 525, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV001", + "AVDID": "AVD-KSV-0001", + "Title": "Can elevate its own privileges", + "Description": "A program inside the container can elevate its own privileges and run as root, which might give the program control over the container and node.", + "Message": "Container 'grafana-sc-dashboard' of Deployment 'devtron-grafana' should set 'securityContext.allowPrivilegeEscalation' to false", + "Namespace": "builtin.kubernetes.KSV001", + "Query": "data.builtin.kubernetes.KSV001.deny", + "Resolution": "Set 'set containers[].securityContext.allowPrivilegeEscalation' to 'false'.", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv001", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", + 
"https://avd.aquasec.com/misconfig/ksv001" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 499, + "EndLine": 515, + "Code": { + "Lines": [ + { + "Number": 499, + "Content": " - name: grafana-sc-dashboard", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: grafana-sc-dashboard", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 500, + "Content": " image: \"quay.io/kiwigrid/k8s-sidecar:1.1.0\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/kiwigrid/k8s-sidecar:1.1.0\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 501, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 502, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 503, + "Content": " - name: METHOD", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: METHOD", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 504, + "Content": " value:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 505, + "Content": " - name: LABEL", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: LABEL", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 506, + "Content": " value: \"grafana_dashboard\"", + "IsCause": true, + "Annotation": "", + 
"Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: \u001b[38;5;37m\"grafana_dashboard\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 507, + "Content": " - name: FOLDER", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: FOLDER", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 508, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV001", + "AVDID": "AVD-KSV-0001", + "Title": "Can elevate its own privileges", + "Description": "A program inside the container can elevate its own privileges and run as root, which might give the program control over the container and node.", + "Message": "Container 'grafana-sc-datasources' of Deployment 'devtron-grafana' should set 'securityContext.allowPrivilegeEscalation' to false", + "Namespace": "builtin.kubernetes.KSV001", + "Query": "data.builtin.kubernetes.KSV001.deny", + "Resolution": "Set 'set containers[].securityContext.allowPrivilegeEscalation' to 'false'.", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv001", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", + "https://avd.aquasec.com/misconfig/ksv001" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 481, + "EndLine": 497, + "Code": { + "Lines": [ + { + "Number": 481, + "Content": " - name: grafana-sc-datasources", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: grafana-sc-datasources", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 482, + "Content": " image: \"quay.io/kiwigrid/k8s-sidecar:1.1.0\"", + "IsCause": true, + "Annotation": "", + "Truncated": 
false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/kiwigrid/k8s-sidecar:1.1.0\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 483, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 484, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 485, + "Content": " - name: METHOD", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: METHOD", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 486, + "Content": " value: LIST", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: LIST", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 487, + "Content": " - name: LABEL", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: LABEL", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 488, + "Content": " value: \"grafana_datasource\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: \u001b[38;5;37m\"grafana_datasource\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 489, + "Content": " - name: FOLDER", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: FOLDER", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 490, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + 
"ID": "KSV001", + "AVDID": "AVD-KSV-0001", + "Title": "Can elevate its own privileges", + "Description": "A program inside the container can elevate its own privileges and run as root, which might give the program control over the container and node.", + "Message": "Container 'init-chown-data' of Deployment 'devtron-grafana' should set 'securityContext.allowPrivilegeEscalation' to false", + "Namespace": "builtin.kubernetes.KSV001", + "Query": "data.builtin.kubernetes.KSV001.deny", + "Resolution": "Set 'set containers[].securityContext.allowPrivilegeEscalation' to 'false'.", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv001", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", + "https://avd.aquasec.com/misconfig/ksv001" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 455, + "EndLine": 466, + "Code": { + "Lines": [ + { + "Number": 455, + "Content": " - name: init-chown-data", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: init-chown-data", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 456, + "Content": " image: \"quay.io/devtron/busybox:1.31.1\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/busybox:1.31.1\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 457, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 458, + "Content": " securityContext:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33msecurityContext\u001b[0m:", + "FirstCause": false, + "LastCause": 
false + }, + { + "Number": 459, + "Content": " runAsNonRoot: false", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mfalse", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 460, + "Content": " runAsUser: 0", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m0", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 461, + "Content": " command: [\"chown\", \"-R\", \"472:472\", \"/var/lib/grafana\"]", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mcommand\u001b[0m: [\u001b[38;5;37m\"chown\"\u001b[0m, \u001b[38;5;37m\"-R\"\u001b[0m, \u001b[38;5;37m\"472:472\"\u001b[0m, \u001b[38;5;37m\"/var/lib/grafana\"\u001b[0m]", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 462, + "Content": " resources:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mresources\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 463, + "Content": " {}", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " {}", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 464, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV003", + "AVDID": "AVD-KSV-0003", + "Title": "Default capabilities: some containers do not drop all", + "Description": "The container should drop all default capabilities and add only those that are needed for its execution.", + "Message": "Container 'devtron-test' of Pod 'devtron-grafana-test' should add 'ALL' to 'securityContext.capabilities.drop'", + "Namespace": "builtin.kubernetes.KSV003", + "Query": "data.builtin.kubernetes.KSV003.deny", + "Resolution": 
"Add 'ALL' to containers[].securityContext.capabilities.drop.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv003", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-capabilities-drop-index-all/", + "https://avd.aquasec.com/misconfig/ksv003" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 628, + "EndLine": 635, + "Code": { + "Lines": [ + { + "Number": 628, + "Content": " - name: devtron-test", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: devtron-test", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 629, + "Content": " image: \"quay.io/devtron/bats:v1.1.0\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/bats:v1.1.0\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 630, + "Content": " imagePullPolicy: \"IfNotPresent\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: \u001b[38;5;37m\"IfNotPresent\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 631, + "Content": " command: [\"/opt/bats/bin/bats\", \"-t\", \"/tests/run.sh\"]", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mcommand\u001b[0m: [\u001b[38;5;37m\"/opt/bats/bin/bats\"\u001b[0m, \u001b[38;5;37m\"-t\"\u001b[0m, \u001b[38;5;37m\"/tests/run.sh\"\u001b[0m]", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 632, + "Content": " volumeMounts:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvolumeMounts\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 633, + "Content": " - mountPath: /tests", + "IsCause": true, + "Annotation": "", + 
"Truncated": false, + "Highlighted": " - \u001b[38;5;33mmountPath\u001b[0m: /tests", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 634, + "Content": " name: tests", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mname\u001b[0m: tests", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 635, + "Content": " readOnly: true", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mreadOnly\u001b[0m: \u001b[38;5;166mtrue", + "FirstCause": false, + "LastCause": true + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV003", + "AVDID": "AVD-KSV-0003", + "Title": "Default capabilities: some containers do not drop all", + "Description": "The container should drop all default capabilities and add only those that are needed for its execution.", + "Message": "Container 'download-dashboards' of Deployment 'devtron-grafana' should add 'ALL' to 'securityContext.capabilities.drop'", + "Namespace": "builtin.kubernetes.KSV003", + "Query": "data.builtin.kubernetes.KSV003.deny", + "Resolution": "Add 'ALL' to containers[].securityContext.capabilities.drop.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv003", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-capabilities-drop-index-all/", + "https://avd.aquasec.com/misconfig/ksv003" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 467, + "EndLine": 480, + "Code": { + "Lines": [ + { + "Number": 467, + "Content": " - name: download-dashboards", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: download-dashboards", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 468, + "Content": " image: \"quay.io/devtron/curl:7.73.0\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + 
"Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/curl:7.73.0\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 469, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 470, + "Content": " command: [\"/bin/sh\"]", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mcommand\u001b[0m: [\u001b[38;5;37m\"/bin/sh\"\u001b[0m]", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 471, + "Content": " args: [ \"-c\", \"mkdir -p /var/lib/grafana/dashboards/default \u0026\u0026 /bin/sh /etc/grafana/download_dashboards.sh\" ]", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33margs\u001b[0m: [ \u001b[38;5;37m\"-c\"\u001b[0m, \u001b[38;5;37m\"mkdir -p /var/lib/grafana/dashboards/default \u0026\u0026 /bin/sh /etc/grafana/download_dashboards.sh\"\u001b[0m ]", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 472, + "Content": " resources:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mresources\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 473, + "Content": " {}", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " {}", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 474, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 475, + "Content": " volumeMounts:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvolumeMounts\u001b[0m:", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 476, + 
"Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV003", + "AVDID": "AVD-KSV-0003", + "Title": "Default capabilities: some containers do not drop all", + "Description": "The container should drop all default capabilities and add only those that are needed for its execution.", + "Message": "Container 'grafana' of Deployment 'devtron-grafana' should add 'ALL' to 'securityContext.capabilities.drop'", + "Namespace": "builtin.kubernetes.KSV003", + "Query": "data.builtin.kubernetes.KSV003.deny", + "Resolution": "Add 'ALL' to containers[].securityContext.capabilities.drop.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv003", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-capabilities-drop-index-all/", + "https://avd.aquasec.com/misconfig/ksv003" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 516, + "EndLine": 565, + "Code": { + "Lines": [ + { + "Number": 516, + "Content": " - name: grafana", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: grafana", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 517, + "Content": " image: \"quay.io/devtron/grafana:7.3.1\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/grafana:7.3.1\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 518, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 519, + "Content": " volumeMounts:", + "IsCause": true, + "Annotation": 
"", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvolumeMounts\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 520, + "Content": " - name: config", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: config", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 521, + "Content": " mountPath: \"/etc/grafana/grafana.ini\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mmountPath\u001b[0m: \u001b[38;5;37m\"/etc/grafana/grafana.ini\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 522, + "Content": " subPath: grafana.ini", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33msubPath\u001b[0m: grafana.ini", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 523, + "Content": " - name: storage", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: storage", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 524, + "Content": " mountPath: \"/var/lib/grafana\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mmountPath\u001b[0m: \u001b[38;5;37m\"/var/lib/grafana\"", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 525, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV003", + "AVDID": "AVD-KSV-0003", + "Title": "Default capabilities: some containers do not drop all", + "Description": "The container should drop all default capabilities and add only those that are needed for its execution.", + "Message": "Container 'grafana-sc-dashboard' of Deployment 'devtron-grafana' should add 'ALL' to 'securityContext.capabilities.drop'", + "Namespace": 
"builtin.kubernetes.KSV003", + "Query": "data.builtin.kubernetes.KSV003.deny", + "Resolution": "Add 'ALL' to containers[].securityContext.capabilities.drop.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv003", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-capabilities-drop-index-all/", + "https://avd.aquasec.com/misconfig/ksv003" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 499, + "EndLine": 515, + "Code": { + "Lines": [ + { + "Number": 499, + "Content": " - name: grafana-sc-dashboard", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: grafana-sc-dashboard", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 500, + "Content": " image: \"quay.io/kiwigrid/k8s-sidecar:1.1.0\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/kiwigrid/k8s-sidecar:1.1.0\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 501, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 502, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 503, + "Content": " - name: METHOD", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: METHOD", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 504, + "Content": " value:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m:", + "FirstCause": false, + "LastCause": 
false + }, + { + "Number": 505, + "Content": " - name: LABEL", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: LABEL", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 506, + "Content": " value: \"grafana_dashboard\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: \u001b[38;5;37m\"grafana_dashboard\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 507, + "Content": " - name: FOLDER", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: FOLDER", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 508, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV003", + "AVDID": "AVD-KSV-0003", + "Title": "Default capabilities: some containers do not drop all", + "Description": "The container should drop all default capabilities and add only those that are needed for its execution.", + "Message": "Container 'grafana-sc-datasources' of Deployment 'devtron-grafana' should add 'ALL' to 'securityContext.capabilities.drop'", + "Namespace": "builtin.kubernetes.KSV003", + "Query": "data.builtin.kubernetes.KSV003.deny", + "Resolution": "Add 'ALL' to containers[].securityContext.capabilities.drop.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv003", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-capabilities-drop-index-all/", + "https://avd.aquasec.com/misconfig/ksv003" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 481, + "EndLine": 497, + "Code": { + "Lines": [ + { + "Number": 481, + "Content": " - name: grafana-sc-datasources", + "IsCause": true, + "Annotation": 
"", + "Truncated": false, + "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: grafana-sc-datasources", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 482, + "Content": " image: \"quay.io/kiwigrid/k8s-sidecar:1.1.0\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/kiwigrid/k8s-sidecar:1.1.0\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 483, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 484, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 485, + "Content": " - name: METHOD", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: METHOD", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 486, + "Content": " value: LIST", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: LIST", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 487, + "Content": " - name: LABEL", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: LABEL", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 488, + "Content": " value: \"grafana_datasource\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: \u001b[38;5;37m\"grafana_datasource\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 489, + "Content": " - name: FOLDER", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m - 
\u001b[38;5;33mname\u001b[0m: FOLDER", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 490, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV003", + "AVDID": "AVD-KSV-0003", + "Title": "Default capabilities: some containers do not drop all", + "Description": "The container should drop all default capabilities and add only those that are needed for its execution.", + "Message": "Container 'init-chown-data' of Deployment 'devtron-grafana' should add 'ALL' to 'securityContext.capabilities.drop'", + "Namespace": "builtin.kubernetes.KSV003", + "Query": "data.builtin.kubernetes.KSV003.deny", + "Resolution": "Add 'ALL' to containers[].securityContext.capabilities.drop.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv003", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-capabilities-drop-index-all/", + "https://avd.aquasec.com/misconfig/ksv003" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 455, + "EndLine": 466, + "Code": { + "Lines": [ + { + "Number": 455, + "Content": " - name: init-chown-data", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: init-chown-data", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 456, + "Content": " image: \"quay.io/devtron/busybox:1.31.1\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/busybox:1.31.1\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 457, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + 
"FirstCause": false, + "LastCause": false + }, + { + "Number": 458, + "Content": " securityContext:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33msecurityContext\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 459, + "Content": " runAsNonRoot: false", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mfalse", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 460, + "Content": " runAsUser: 0", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m0", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 461, + "Content": " command: [\"chown\", \"-R\", \"472:472\", \"/var/lib/grafana\"]", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mcommand\u001b[0m: [\u001b[38;5;37m\"chown\"\u001b[0m, \u001b[38;5;37m\"-R\"\u001b[0m, \u001b[38;5;37m\"472:472\"\u001b[0m, \u001b[38;5;37m\"/var/lib/grafana\"\u001b[0m]", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 462, + "Content": " resources:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mresources\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 463, + "Content": " {}", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " {}", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 464, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV011", + "AVDID": "AVD-KSV-0011", + "Title": "CPU not limited", + "Description": "Enforcing CPU limits prevents DoS via resource exhaustion.", + "Message": "Container 'devtron-test' of Pod 
'devtron-grafana-test' should set 'resources.limits.cpu'", + "Namespace": "builtin.kubernetes.KSV011", + "Query": "data.builtin.kubernetes.KSV011.deny", + "Resolution": "Set a limit value under 'containers[].resources.limits.cpu'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv011", + "References": [ + "https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", + "https://avd.aquasec.com/misconfig/ksv011" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 628, + "EndLine": 635, + "Code": { + "Lines": [ + { + "Number": 628, + "Content": " - name: devtron-test", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: devtron-test", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 629, + "Content": " image: \"quay.io/devtron/bats:v1.1.0\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/bats:v1.1.0\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 630, + "Content": " imagePullPolicy: \"IfNotPresent\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: \u001b[38;5;37m\"IfNotPresent\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 631, + "Content": " command: [\"/opt/bats/bin/bats\", \"-t\", \"/tests/run.sh\"]", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mcommand\u001b[0m: [\u001b[38;5;37m\"/opt/bats/bin/bats\"\u001b[0m, \u001b[38;5;37m\"-t\"\u001b[0m, \u001b[38;5;37m\"/tests/run.sh\"\u001b[0m]", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 632, + "Content": " volumeMounts:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + 
"Highlighted": " \u001b[38;5;33mvolumeMounts\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 633, + "Content": " - mountPath: /tests", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mmountPath\u001b[0m: /tests", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 634, + "Content": " name: tests", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mname\u001b[0m: tests", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 635, + "Content": " readOnly: true", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mreadOnly\u001b[0m: \u001b[38;5;166mtrue", + "FirstCause": false, + "LastCause": true + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV011", + "AVDID": "AVD-KSV-0011", + "Title": "CPU not limited", + "Description": "Enforcing CPU limits prevents DoS via resource exhaustion.", + "Message": "Container 'download-dashboards' of Deployment 'devtron-grafana' should set 'resources.limits.cpu'", + "Namespace": "builtin.kubernetes.KSV011", + "Query": "data.builtin.kubernetes.KSV011.deny", + "Resolution": "Set a limit value under 'containers[].resources.limits.cpu'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv011", + "References": [ + "https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", + "https://avd.aquasec.com/misconfig/ksv011" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 467, + "EndLine": 480, + "Code": { + "Lines": [ + { + "Number": 467, + "Content": " - name: download-dashboards", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: download-dashboards", + "FirstCause": true, + "LastCause": false + }, + { + 
"Number": 468, + "Content": " image: \"quay.io/devtron/curl:7.73.0\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/curl:7.73.0\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 469, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 470, + "Content": " command: [\"/bin/sh\"]", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mcommand\u001b[0m: [\u001b[38;5;37m\"/bin/sh\"\u001b[0m]", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 471, + "Content": " args: [ \"-c\", \"mkdir -p /var/lib/grafana/dashboards/default \u0026\u0026 /bin/sh /etc/grafana/download_dashboards.sh\" ]", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33margs\u001b[0m: [ \u001b[38;5;37m\"-c\"\u001b[0m, \u001b[38;5;37m\"mkdir -p /var/lib/grafana/dashboards/default \u0026\u0026 /bin/sh /etc/grafana/download_dashboards.sh\"\u001b[0m ]", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 472, + "Content": " resources:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mresources\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 473, + "Content": " {}", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " {}", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 474, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 475, + "Content": " volumeMounts:", + "IsCause": true, + "Annotation": "", + "Truncated": false, 
+ "Highlighted": " \u001b[38;5;33mvolumeMounts\u001b[0m:", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 476, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV011", + "AVDID": "AVD-KSV-0011", + "Title": "CPU not limited", + "Description": "Enforcing CPU limits prevents DoS via resource exhaustion.", + "Message": "Container 'grafana' of Deployment 'devtron-grafana' should set 'resources.limits.cpu'", + "Namespace": "builtin.kubernetes.KSV011", + "Query": "data.builtin.kubernetes.KSV011.deny", + "Resolution": "Set a limit value under 'containers[].resources.limits.cpu'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv011", + "References": [ + "https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", + "https://avd.aquasec.com/misconfig/ksv011" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 516, + "EndLine": 565, + "Code": { + "Lines": [ + { + "Number": 516, + "Content": " - name: grafana", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: grafana", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 517, + "Content": " image: \"quay.io/devtron/grafana:7.3.1\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/grafana:7.3.1\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 518, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 519, + 
"Content": " volumeMounts:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvolumeMounts\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 520, + "Content": " - name: config", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: config", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 521, + "Content": " mountPath: \"/etc/grafana/grafana.ini\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mmountPath\u001b[0m: \u001b[38;5;37m\"/etc/grafana/grafana.ini\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 522, + "Content": " subPath: grafana.ini", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33msubPath\u001b[0m: grafana.ini", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 523, + "Content": " - name: storage", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: storage", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 524, + "Content": " mountPath: \"/var/lib/grafana\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mmountPath\u001b[0m: \u001b[38;5;37m\"/var/lib/grafana\"", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 525, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV011", + "AVDID": "AVD-KSV-0011", + "Title": "CPU not limited", + "Description": "Enforcing CPU limits prevents DoS via resource exhaustion.", + "Message": "Container 'grafana-sc-dashboard' of Deployment 'devtron-grafana' should set 'resources.limits.cpu'", + "Namespace": "builtin.kubernetes.KSV011", + "Query": 
"data.builtin.kubernetes.KSV011.deny", + "Resolution": "Set a limit value under 'containers[].resources.limits.cpu'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv011", + "References": [ + "https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", + "https://avd.aquasec.com/misconfig/ksv011" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 499, + "EndLine": 515, + "Code": { + "Lines": [ + { + "Number": 499, + "Content": " - name: grafana-sc-dashboard", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: grafana-sc-dashboard", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 500, + "Content": " image: \"quay.io/kiwigrid/k8s-sidecar:1.1.0\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/kiwigrid/k8s-sidecar:1.1.0\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 501, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 502, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 503, + "Content": " - name: METHOD", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: METHOD", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 504, + "Content": " value:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m:", + "FirstCause": false, + "LastCause": false 
+ }, + { + "Number": 505, + "Content": " - name: LABEL", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: LABEL", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 506, + "Content": " value: \"grafana_dashboard\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: \u001b[38;5;37m\"grafana_dashboard\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 507, + "Content": " - name: FOLDER", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: FOLDER", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 508, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV011", + "AVDID": "AVD-KSV-0011", + "Title": "CPU not limited", + "Description": "Enforcing CPU limits prevents DoS via resource exhaustion.", + "Message": "Container 'grafana-sc-datasources' of Deployment 'devtron-grafana' should set 'resources.limits.cpu'", + "Namespace": "builtin.kubernetes.KSV011", + "Query": "data.builtin.kubernetes.KSV011.deny", + "Resolution": "Set a limit value under 'containers[].resources.limits.cpu'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv011", + "References": [ + "https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", + "https://avd.aquasec.com/misconfig/ksv011" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 481, + "EndLine": 497, + "Code": { + "Lines": [ + { + "Number": 481, + "Content": " - name: grafana-sc-datasources", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m - 
\u001b[38;5;33mname\u001b[0m: grafana-sc-datasources", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 482, + "Content": " image: \"quay.io/kiwigrid/k8s-sidecar:1.1.0\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/kiwigrid/k8s-sidecar:1.1.0\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 483, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 484, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 485, + "Content": " - name: METHOD", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: METHOD", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 486, + "Content": " value: LIST", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: LIST", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 487, + "Content": " - name: LABEL", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: LABEL", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 488, + "Content": " value: \"grafana_datasource\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: \u001b[38;5;37m\"grafana_datasource\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 489, + "Content": " - name: FOLDER", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: FOLDER", + "FirstCause": 
false, + "LastCause": true + }, + { + "Number": 490, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV011", + "AVDID": "AVD-KSV-0011", + "Title": "CPU not limited", + "Description": "Enforcing CPU limits prevents DoS via resource exhaustion.", + "Message": "Container 'init-chown-data' of Deployment 'devtron-grafana' should set 'resources.limits.cpu'", + "Namespace": "builtin.kubernetes.KSV011", + "Query": "data.builtin.kubernetes.KSV011.deny", + "Resolution": "Set a limit value under 'containers[].resources.limits.cpu'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv011", + "References": [ + "https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", + "https://avd.aquasec.com/misconfig/ksv011" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 455, + "EndLine": 466, + "Code": { + "Lines": [ + { + "Number": 455, + "Content": " - name: init-chown-data", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: init-chown-data", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 456, + "Content": " image: \"quay.io/devtron/busybox:1.31.1\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/busybox:1.31.1\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 457, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 458, + "Content": " securityContext:", + "IsCause": true, + 
"Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33msecurityContext\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 459, + "Content": " runAsNonRoot: false", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mfalse", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 460, + "Content": " runAsUser: 0", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m0", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 461, + "Content": " command: [\"chown\", \"-R\", \"472:472\", \"/var/lib/grafana\"]", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mcommand\u001b[0m: [\u001b[38;5;37m\"chown\"\u001b[0m, \u001b[38;5;37m\"-R\"\u001b[0m, \u001b[38;5;37m\"472:472\"\u001b[0m, \u001b[38;5;37m\"/var/lib/grafana\"\u001b[0m]", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 462, + "Content": " resources:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mresources\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 463, + "Content": " {}", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " {}", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 464, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV012", + "AVDID": "AVD-KSV-0012", + "Title": "Runs as root user", + "Description": "Force the running image to run as a non-root user to ensure least privileges.", + "Message": "Container 'devtron-test' of Pod 'devtron-grafana-test' should set 'securityContext.runAsNonRoot' to true", + "Namespace": 
"builtin.kubernetes.KSV012", + "Query": "data.builtin.kubernetes.KSV012.deny", + "Resolution": "Set 'containers[].securityContext.runAsNonRoot' to true.", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv012", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", + "https://avd.aquasec.com/misconfig/ksv012" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 628, + "EndLine": 635, + "Code": { + "Lines": [ + { + "Number": 628, + "Content": " - name: devtron-test", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: devtron-test", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 629, + "Content": " image: \"quay.io/devtron/bats:v1.1.0\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/bats:v1.1.0\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 630, + "Content": " imagePullPolicy: \"IfNotPresent\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: \u001b[38;5;37m\"IfNotPresent\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 631, + "Content": " command: [\"/opt/bats/bin/bats\", \"-t\", \"/tests/run.sh\"]", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mcommand\u001b[0m: [\u001b[38;5;37m\"/opt/bats/bin/bats\"\u001b[0m, \u001b[38;5;37m\"-t\"\u001b[0m, \u001b[38;5;37m\"/tests/run.sh\"\u001b[0m]", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 632, + "Content": " volumeMounts:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvolumeMounts\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + 
"Number": 633, + "Content": " - mountPath: /tests", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mmountPath\u001b[0m: /tests", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 634, + "Content": " name: tests", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mname\u001b[0m: tests", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 635, + "Content": " readOnly: true", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mreadOnly\u001b[0m: \u001b[38;5;166mtrue", + "FirstCause": false, + "LastCause": true + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV012", + "AVDID": "AVD-KSV-0012", + "Title": "Runs as root user", + "Description": "Force the running image to run as a non-root user to ensure least privileges.", + "Message": "Container 'download-dashboards' of Deployment 'devtron-grafana' should set 'securityContext.runAsNonRoot' to true", + "Namespace": "builtin.kubernetes.KSV012", + "Query": "data.builtin.kubernetes.KSV012.deny", + "Resolution": "Set 'containers[].securityContext.runAsNonRoot' to true.", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv012", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", + "https://avd.aquasec.com/misconfig/ksv012" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 467, + "EndLine": 480, + "Code": { + "Lines": [ + { + "Number": 467, + "Content": " - name: download-dashboards", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: download-dashboards", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 468, + "Content": " image: \"quay.io/devtron/curl:7.73.0\"", + "IsCause": true, + "Annotation": "", + 
"Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/curl:7.73.0\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 469, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 470, + "Content": " command: [\"/bin/sh\"]", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mcommand\u001b[0m: [\u001b[38;5;37m\"/bin/sh\"\u001b[0m]", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 471, + "Content": " args: [ \"-c\", \"mkdir -p /var/lib/grafana/dashboards/default \u0026\u0026 /bin/sh /etc/grafana/download_dashboards.sh\" ]", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33margs\u001b[0m: [ \u001b[38;5;37m\"-c\"\u001b[0m, \u001b[38;5;37m\"mkdir -p /var/lib/grafana/dashboards/default \u0026\u0026 /bin/sh /etc/grafana/download_dashboards.sh\"\u001b[0m ]", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 472, + "Content": " resources:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mresources\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 473, + "Content": " {}", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " {}", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 474, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 475, + "Content": " volumeMounts:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvolumeMounts\u001b[0m:", + "FirstCause": false, + "LastCause": true + }, + { 
+ "Number": 476, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV012", + "AVDID": "AVD-KSV-0012", + "Title": "Runs as root user", + "Description": "Force the running image to run as a non-root user to ensure least privileges.", + "Message": "Container 'grafana' of Deployment 'devtron-grafana' should set 'securityContext.runAsNonRoot' to true", + "Namespace": "builtin.kubernetes.KSV012", + "Query": "data.builtin.kubernetes.KSV012.deny", + "Resolution": "Set 'containers[].securityContext.runAsNonRoot' to true.", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv012", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", + "https://avd.aquasec.com/misconfig/ksv012" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 516, + "EndLine": 565, + "Code": { + "Lines": [ + { + "Number": 516, + "Content": " - name: grafana", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: grafana", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 517, + "Content": " image: \"quay.io/devtron/grafana:7.3.1\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/grafana:7.3.1\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 518, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 519, + "Content": " volumeMounts:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " 
\u001b[38;5;33mvolumeMounts\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 520, + "Content": " - name: config", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: config", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 521, + "Content": " mountPath: \"/etc/grafana/grafana.ini\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mmountPath\u001b[0m: \u001b[38;5;37m\"/etc/grafana/grafana.ini\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 522, + "Content": " subPath: grafana.ini", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33msubPath\u001b[0m: grafana.ini", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 523, + "Content": " - name: storage", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: storage", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 524, + "Content": " mountPath: \"/var/lib/grafana\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mmountPath\u001b[0m: \u001b[38;5;37m\"/var/lib/grafana\"", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 525, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV012", + "AVDID": "AVD-KSV-0012", + "Title": "Runs as root user", + "Description": "Force the running image to run as a non-root user to ensure least privileges.", + "Message": "Container 'grafana-sc-dashboard' of Deployment 'devtron-grafana' should set 'securityContext.runAsNonRoot' to true", + "Namespace": "builtin.kubernetes.KSV012", + "Query": "data.builtin.kubernetes.KSV012.deny", + "Resolution": "Set 
'containers[].securityContext.runAsNonRoot' to true.", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv012", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", + "https://avd.aquasec.com/misconfig/ksv012" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 499, + "EndLine": 515, + "Code": { + "Lines": [ + { + "Number": 499, + "Content": " - name: grafana-sc-dashboard", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: grafana-sc-dashboard", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 500, + "Content": " image: \"quay.io/kiwigrid/k8s-sidecar:1.1.0\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/kiwigrid/k8s-sidecar:1.1.0\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 501, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 502, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 503, + "Content": " - name: METHOD", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: METHOD", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 504, + "Content": " value:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 505, + "Content": " - name: LABEL", + "IsCause": true, + "Annotation": "", 
+ "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: LABEL", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 506, + "Content": " value: \"grafana_dashboard\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: \u001b[38;5;37m\"grafana_dashboard\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 507, + "Content": " - name: FOLDER", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: FOLDER", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 508, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV012", + "AVDID": "AVD-KSV-0012", + "Title": "Runs as root user", + "Description": "Force the running image to run as a non-root user to ensure least privileges.", + "Message": "Container 'grafana-sc-datasources' of Deployment 'devtron-grafana' should set 'securityContext.runAsNonRoot' to true", + "Namespace": "builtin.kubernetes.KSV012", + "Query": "data.builtin.kubernetes.KSV012.deny", + "Resolution": "Set 'containers[].securityContext.runAsNonRoot' to true.", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv012", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", + "https://avd.aquasec.com/misconfig/ksv012" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 481, + "EndLine": 497, + "Code": { + "Lines": [ + { + "Number": 481, + "Content": " - name: grafana-sc-datasources", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: grafana-sc-datasources", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 
482, + "Content": " image: \"quay.io/kiwigrid/k8s-sidecar:1.1.0\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/kiwigrid/k8s-sidecar:1.1.0\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 483, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 484, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 485, + "Content": " - name: METHOD", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: METHOD", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 486, + "Content": " value: LIST", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: LIST", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 487, + "Content": " - name: LABEL", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: LABEL", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 488, + "Content": " value: \"grafana_datasource\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: \u001b[38;5;37m\"grafana_datasource\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 489, + "Content": " - name: FOLDER", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: FOLDER", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 490, + "Content": "", + "IsCause": false, + "Annotation": "", + 
"Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV012", + "AVDID": "AVD-KSV-0012", + "Title": "Runs as root user", + "Description": "Force the running image to run as a non-root user to ensure least privileges.", + "Message": "Container 'init-chown-data' of Deployment 'devtron-grafana' should set 'securityContext.runAsNonRoot' to true", + "Namespace": "builtin.kubernetes.KSV012", + "Query": "data.builtin.kubernetes.KSV012.deny", + "Resolution": "Set 'containers[].securityContext.runAsNonRoot' to true.", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv012", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", + "https://avd.aquasec.com/misconfig/ksv012" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 455, + "EndLine": 466, + "Code": { + "Lines": [ + { + "Number": 455, + "Content": " - name: init-chown-data", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: init-chown-data", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 456, + "Content": " image: \"quay.io/devtron/busybox:1.31.1\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/busybox:1.31.1\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 457, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 458, + "Content": " securityContext:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33msecurityContext\u001b[0m:", + "FirstCause": 
false, + "LastCause": false + }, + { + "Number": 459, + "Content": " runAsNonRoot: false", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mfalse", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 460, + "Content": " runAsUser: 0", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m0", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 461, + "Content": " command: [\"chown\", \"-R\", \"472:472\", \"/var/lib/grafana\"]", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mcommand\u001b[0m: [\u001b[38;5;37m\"chown\"\u001b[0m, \u001b[38;5;37m\"-R\"\u001b[0m, \u001b[38;5;37m\"472:472\"\u001b[0m, \u001b[38;5;37m\"/var/lib/grafana\"\u001b[0m]", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 462, + "Content": " resources:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mresources\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 463, + "Content": " {}", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " {}", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 464, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV014", + "AVDID": "AVD-KSV-0014", + "Title": "Root file system is not read-only", + "Description": "An immutable root file system prevents applications from writing to their local disk. 
This can limit intrusions, as attackers will not be able to tamper with the file system or write foreign executables to disk.", + "Message": "Container 'devtron-test' of Pod 'devtron-grafana-test' should set 'securityContext.readOnlyRootFilesystem' to true", + "Namespace": "builtin.kubernetes.KSV014", + "Query": "data.builtin.kubernetes.KSV014.deny", + "Resolution": "Change 'containers[].securityContext.readOnlyRootFilesystem' to 'true'.", + "Severity": "HIGH", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv014", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-readonlyrootfilesystem-true/", + "https://avd.aquasec.com/misconfig/ksv014" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 628, + "EndLine": 635, + "Code": { + "Lines": [ + { + "Number": 628, + "Content": " - name: devtron-test", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: devtron-test", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 629, + "Content": " image: \"quay.io/devtron/bats:v1.1.0\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/bats:v1.1.0\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 630, + "Content": " imagePullPolicy: \"IfNotPresent\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: \u001b[38;5;37m\"IfNotPresent\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 631, + "Content": " command: [\"/opt/bats/bin/bats\", \"-t\", \"/tests/run.sh\"]", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mcommand\u001b[0m: [\u001b[38;5;37m\"/opt/bats/bin/bats\"\u001b[0m, \u001b[38;5;37m\"-t\"\u001b[0m, 
\u001b[38;5;37m\"/tests/run.sh\"\u001b[0m]", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 632, + "Content": " volumeMounts:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvolumeMounts\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 633, + "Content": " - mountPath: /tests", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mmountPath\u001b[0m: /tests", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 634, + "Content": " name: tests", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mname\u001b[0m: tests", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 635, + "Content": " readOnly: true", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mreadOnly\u001b[0m: \u001b[38;5;166mtrue", + "FirstCause": false, + "LastCause": true + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV014", + "AVDID": "AVD-KSV-0014", + "Title": "Root file system is not read-only", + "Description": "An immutable root file system prevents applications from writing to their local disk. 
This can limit intrusions, as attackers will not be able to tamper with the file system or write foreign executables to disk.", + "Message": "Container 'download-dashboards' of Deployment 'devtron-grafana' should set 'securityContext.readOnlyRootFilesystem' to true", + "Namespace": "builtin.kubernetes.KSV014", + "Query": "data.builtin.kubernetes.KSV014.deny", + "Resolution": "Change 'containers[].securityContext.readOnlyRootFilesystem' to 'true'.", + "Severity": "HIGH", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv014", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-readonlyrootfilesystem-true/", + "https://avd.aquasec.com/misconfig/ksv014" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 467, + "EndLine": 480, + "Code": { + "Lines": [ + { + "Number": 467, + "Content": " - name: download-dashboards", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: download-dashboards", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 468, + "Content": " image: \"quay.io/devtron/curl:7.73.0\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/curl:7.73.0\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 469, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 470, + "Content": " command: [\"/bin/sh\"]", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mcommand\u001b[0m: [\u001b[38;5;37m\"/bin/sh\"\u001b[0m]", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 471, + "Content": " args: [ \"-c\", \"mkdir -p 
/var/lib/grafana/dashboards/default \u0026\u0026 /bin/sh /etc/grafana/download_dashboards.sh\" ]", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33margs\u001b[0m: [ \u001b[38;5;37m\"-c\"\u001b[0m, \u001b[38;5;37m\"mkdir -p /var/lib/grafana/dashboards/default \u0026\u0026 /bin/sh /etc/grafana/download_dashboards.sh\"\u001b[0m ]", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 472, + "Content": " resources:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mresources\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 473, + "Content": " {}", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " {}", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 474, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 475, + "Content": " volumeMounts:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvolumeMounts\u001b[0m:", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 476, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV014", + "AVDID": "AVD-KSV-0014", + "Title": "Root file system is not read-only", + "Description": "An immutable root file system prevents applications from writing to their local disk. 
This can limit intrusions, as attackers will not be able to tamper with the file system or write foreign executables to disk.", + "Message": "Container 'grafana' of Deployment 'devtron-grafana' should set 'securityContext.readOnlyRootFilesystem' to true", + "Namespace": "builtin.kubernetes.KSV014", + "Query": "data.builtin.kubernetes.KSV014.deny", + "Resolution": "Change 'containers[].securityContext.readOnlyRootFilesystem' to 'true'.", + "Severity": "HIGH", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv014", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-readonlyrootfilesystem-true/", + "https://avd.aquasec.com/misconfig/ksv014" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 516, + "EndLine": 565, + "Code": { + "Lines": [ + { + "Number": 516, + "Content": " - name: grafana", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: grafana", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 517, + "Content": " image: \"quay.io/devtron/grafana:7.3.1\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/grafana:7.3.1\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 518, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 519, + "Content": " volumeMounts:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvolumeMounts\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 520, + "Content": " - name: config", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - 
\u001b[38;5;33mname\u001b[0m: config", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 521, + "Content": " mountPath: \"/etc/grafana/grafana.ini\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mmountPath\u001b[0m: \u001b[38;5;37m\"/etc/grafana/grafana.ini\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 522, + "Content": " subPath: grafana.ini", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33msubPath\u001b[0m: grafana.ini", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 523, + "Content": " - name: storage", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: storage", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 524, + "Content": " mountPath: \"/var/lib/grafana\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mmountPath\u001b[0m: \u001b[38;5;37m\"/var/lib/grafana\"", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 525, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV014", + "AVDID": "AVD-KSV-0014", + "Title": "Root file system is not read-only", + "Description": "An immutable root file system prevents applications from writing to their local disk. 
This can limit intrusions, as attackers will not be able to tamper with the file system or write foreign executables to disk.", + "Message": "Container 'grafana-sc-dashboard' of Deployment 'devtron-grafana' should set 'securityContext.readOnlyRootFilesystem' to true", + "Namespace": "builtin.kubernetes.KSV014", + "Query": "data.builtin.kubernetes.KSV014.deny", + "Resolution": "Change 'containers[].securityContext.readOnlyRootFilesystem' to 'true'.", + "Severity": "HIGH", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv014", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-readonlyrootfilesystem-true/", + "https://avd.aquasec.com/misconfig/ksv014" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 499, + "EndLine": 515, + "Code": { + "Lines": [ + { + "Number": 499, + "Content": " - name: grafana-sc-dashboard", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: grafana-sc-dashboard", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 500, + "Content": " image: \"quay.io/kiwigrid/k8s-sidecar:1.1.0\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/kiwigrid/k8s-sidecar:1.1.0\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 501, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 502, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 503, + "Content": " - name: METHOD", + "IsCause": true, + "Annotation": "", + "Truncated": false, + 
"Highlighted": " - \u001b[38;5;33mname\u001b[0m: METHOD", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 504, + "Content": " value:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 505, + "Content": " - name: LABEL", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: LABEL", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 506, + "Content": " value: \"grafana_dashboard\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: \u001b[38;5;37m\"grafana_dashboard\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 507, + "Content": " - name: FOLDER", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: FOLDER", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 508, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV014", + "AVDID": "AVD-KSV-0014", + "Title": "Root file system is not read-only", + "Description": "An immutable root file system prevents applications from writing to their local disk. 
This can limit intrusions, as attackers will not be able to tamper with the file system or write foreign executables to disk.", + "Message": "Container 'grafana-sc-datasources' of Deployment 'devtron-grafana' should set 'securityContext.readOnlyRootFilesystem' to true", + "Namespace": "builtin.kubernetes.KSV014", + "Query": "data.builtin.kubernetes.KSV014.deny", + "Resolution": "Change 'containers[].securityContext.readOnlyRootFilesystem' to 'true'.", + "Severity": "HIGH", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv014", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-readonlyrootfilesystem-true/", + "https://avd.aquasec.com/misconfig/ksv014" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 481, + "EndLine": 497, + "Code": { + "Lines": [ + { + "Number": 481, + "Content": " - name: grafana-sc-datasources", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: grafana-sc-datasources", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 482, + "Content": " image: \"quay.io/kiwigrid/k8s-sidecar:1.1.0\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/kiwigrid/k8s-sidecar:1.1.0\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 483, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 484, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 485, + "Content": " - name: METHOD", + "IsCause": true, + "Annotation": "", + "Truncated": 
false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: METHOD", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 486, + "Content": " value: LIST", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: LIST", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 487, + "Content": " - name: LABEL", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: LABEL", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 488, + "Content": " value: \"grafana_datasource\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: \u001b[38;5;37m\"grafana_datasource\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 489, + "Content": " - name: FOLDER", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: FOLDER", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 490, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV014", + "AVDID": "AVD-KSV-0014", + "Title": "Root file system is not read-only", + "Description": "An immutable root file system prevents applications from writing to their local disk. 
This can limit intrusions, as attackers will not be able to tamper with the file system or write foreign executables to disk.", + "Message": "Container 'init-chown-data' of Deployment 'devtron-grafana' should set 'securityContext.readOnlyRootFilesystem' to true", + "Namespace": "builtin.kubernetes.KSV014", + "Query": "data.builtin.kubernetes.KSV014.deny", + "Resolution": "Change 'containers[].securityContext.readOnlyRootFilesystem' to 'true'.", + "Severity": "HIGH", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv014", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-readonlyrootfilesystem-true/", + "https://avd.aquasec.com/misconfig/ksv014" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 455, + "EndLine": 466, + "Code": { + "Lines": [ + { + "Number": 455, + "Content": " - name: init-chown-data", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: init-chown-data", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 456, + "Content": " image: \"quay.io/devtron/busybox:1.31.1\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/busybox:1.31.1\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 457, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 458, + "Content": " securityContext:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33msecurityContext\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 459, + "Content": " runAsNonRoot: false", + "IsCause": true, + "Annotation": "", + "Truncated": false, + 
"Highlighted": " \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mfalse", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 460, + "Content": " runAsUser: 0", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m0", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 461, + "Content": " command: [\"chown\", \"-R\", \"472:472\", \"/var/lib/grafana\"]", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mcommand\u001b[0m: [\u001b[38;5;37m\"chown\"\u001b[0m, \u001b[38;5;37m\"-R\"\u001b[0m, \u001b[38;5;37m\"472:472\"\u001b[0m, \u001b[38;5;37m\"/var/lib/grafana\"\u001b[0m]", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 462, + "Content": " resources:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mresources\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 463, + "Content": " {}", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " {}", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 464, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV015", + "AVDID": "AVD-KSV-0015", + "Title": "CPU requests not specified", + "Description": "When containers have resource requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", + "Message": "Container 'devtron-test' of Pod 'devtron-grafana-test' should set 'resources.requests.cpu'", + "Namespace": "builtin.kubernetes.KSV015", + "Query": "data.builtin.kubernetes.KSV015.deny", + "Resolution": "Set 'containers[].resources.requests.cpu'.", + "Severity": "LOW", + "PrimaryURL": 
"https://avd.aquasec.com/misconfig/ksv015", + "References": [ + "https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", + "https://avd.aquasec.com/misconfig/ksv015" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 628, + "EndLine": 635, + "Code": { + "Lines": [ + { + "Number": 628, + "Content": " - name: devtron-test", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: devtron-test", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 629, + "Content": " image: \"quay.io/devtron/bats:v1.1.0\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/bats:v1.1.0\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 630, + "Content": " imagePullPolicy: \"IfNotPresent\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: \u001b[38;5;37m\"IfNotPresent\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 631, + "Content": " command: [\"/opt/bats/bin/bats\", \"-t\", \"/tests/run.sh\"]", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mcommand\u001b[0m: [\u001b[38;5;37m\"/opt/bats/bin/bats\"\u001b[0m, \u001b[38;5;37m\"-t\"\u001b[0m, \u001b[38;5;37m\"/tests/run.sh\"\u001b[0m]", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 632, + "Content": " volumeMounts:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvolumeMounts\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 633, + "Content": " - mountPath: /tests", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - 
\u001b[38;5;33mmountPath\u001b[0m: /tests", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 634, + "Content": " name: tests", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mname\u001b[0m: tests", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 635, + "Content": " readOnly: true", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mreadOnly\u001b[0m: \u001b[38;5;166mtrue", + "FirstCause": false, + "LastCause": true + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV015", + "AVDID": "AVD-KSV-0015", + "Title": "CPU requests not specified", + "Description": "When containers have resource requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", + "Message": "Container 'download-dashboards' of Deployment 'devtron-grafana' should set 'resources.requests.cpu'", + "Namespace": "builtin.kubernetes.KSV015", + "Query": "data.builtin.kubernetes.KSV015.deny", + "Resolution": "Set 'containers[].resources.requests.cpu'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv015", + "References": [ + "https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", + "https://avd.aquasec.com/misconfig/ksv015" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 467, + "EndLine": 480, + "Code": { + "Lines": [ + { + "Number": 467, + "Content": " - name: download-dashboards", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: download-dashboards", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 468, + "Content": " image: \"quay.io/devtron/curl:7.73.0\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + 
"Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/curl:7.73.0\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 469, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 470, + "Content": " command: [\"/bin/sh\"]", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mcommand\u001b[0m: [\u001b[38;5;37m\"/bin/sh\"\u001b[0m]", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 471, + "Content": " args: [ \"-c\", \"mkdir -p /var/lib/grafana/dashboards/default \u0026\u0026 /bin/sh /etc/grafana/download_dashboards.sh\" ]", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33margs\u001b[0m: [ \u001b[38;5;37m\"-c\"\u001b[0m, \u001b[38;5;37m\"mkdir -p /var/lib/grafana/dashboards/default \u0026\u0026 /bin/sh /etc/grafana/download_dashboards.sh\"\u001b[0m ]", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 472, + "Content": " resources:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mresources\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 473, + "Content": " {}", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " {}", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 474, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 475, + "Content": " volumeMounts:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvolumeMounts\u001b[0m:", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 476, + 
"Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV015", + "AVDID": "AVD-KSV-0015", + "Title": "CPU requests not specified", + "Description": "When containers have resource requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", + "Message": "Container 'grafana' of Deployment 'devtron-grafana' should set 'resources.requests.cpu'", + "Namespace": "builtin.kubernetes.KSV015", + "Query": "data.builtin.kubernetes.KSV015.deny", + "Resolution": "Set 'containers[].resources.requests.cpu'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv015", + "References": [ + "https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", + "https://avd.aquasec.com/misconfig/ksv015" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 516, + "EndLine": 565, + "Code": { + "Lines": [ + { + "Number": 516, + "Content": " - name: grafana", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: grafana", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 517, + "Content": " image: \"quay.io/devtron/grafana:7.3.1\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/grafana:7.3.1\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 518, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 519, + "Content": " volumeMounts:", + 
"IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvolumeMounts\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 520, + "Content": " - name: config", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: config", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 521, + "Content": " mountPath: \"/etc/grafana/grafana.ini\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mmountPath\u001b[0m: \u001b[38;5;37m\"/etc/grafana/grafana.ini\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 522, + "Content": " subPath: grafana.ini", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33msubPath\u001b[0m: grafana.ini", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 523, + "Content": " - name: storage", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: storage", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 524, + "Content": " mountPath: \"/var/lib/grafana\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mmountPath\u001b[0m: \u001b[38;5;37m\"/var/lib/grafana\"", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 525, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV015", + "AVDID": "AVD-KSV-0015", + "Title": "CPU requests not specified", + "Description": "When containers have resource requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", + "Message": "Container 'grafana-sc-dashboard' of Deployment 'devtron-grafana' should set 
'resources.requests.cpu'", + "Namespace": "builtin.kubernetes.KSV015", + "Query": "data.builtin.kubernetes.KSV015.deny", + "Resolution": "Set 'containers[].resources.requests.cpu'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv015", + "References": [ + "https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", + "https://avd.aquasec.com/misconfig/ksv015" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 499, + "EndLine": 515, + "Code": { + "Lines": [ + { + "Number": 499, + "Content": " - name: grafana-sc-dashboard", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: grafana-sc-dashboard", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 500, + "Content": " image: \"quay.io/kiwigrid/k8s-sidecar:1.1.0\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/kiwigrid/k8s-sidecar:1.1.0\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 501, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 502, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 503, + "Content": " - name: METHOD", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: METHOD", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 504, + "Content": " value:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " 
\u001b[38;5;33mvalue\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 505, + "Content": " - name: LABEL", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: LABEL", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 506, + "Content": " value: \"grafana_dashboard\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: \u001b[38;5;37m\"grafana_dashboard\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 507, + "Content": " - name: FOLDER", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: FOLDER", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 508, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV015", + "AVDID": "AVD-KSV-0015", + "Title": "CPU requests not specified", + "Description": "When containers have resource requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", + "Message": "Container 'grafana-sc-datasources' of Deployment 'devtron-grafana' should set 'resources.requests.cpu'", + "Namespace": "builtin.kubernetes.KSV015", + "Query": "data.builtin.kubernetes.KSV015.deny", + "Resolution": "Set 'containers[].resources.requests.cpu'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv015", + "References": [ + "https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", + "https://avd.aquasec.com/misconfig/ksv015" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 481, + "EndLine": 497, + "Code": { + "Lines": [ + 
{ + "Number": 481, + "Content": " - name: grafana-sc-datasources", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: grafana-sc-datasources", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 482, + "Content": " image: \"quay.io/kiwigrid/k8s-sidecar:1.1.0\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/kiwigrid/k8s-sidecar:1.1.0\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 483, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 484, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 485, + "Content": " - name: METHOD", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: METHOD", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 486, + "Content": " value: LIST", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: LIST", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 487, + "Content": " - name: LABEL", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: LABEL", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 488, + "Content": " value: \"grafana_datasource\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: \u001b[38;5;37m\"grafana_datasource\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 489, + "Content": " - name: 
FOLDER", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: FOLDER", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 490, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV015", + "AVDID": "AVD-KSV-0015", + "Title": "CPU requests not specified", + "Description": "When containers have resource requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", + "Message": "Container 'init-chown-data' of Deployment 'devtron-grafana' should set 'resources.requests.cpu'", + "Namespace": "builtin.kubernetes.KSV015", + "Query": "data.builtin.kubernetes.KSV015.deny", + "Resolution": "Set 'containers[].resources.requests.cpu'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv015", + "References": [ + "https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", + "https://avd.aquasec.com/misconfig/ksv015" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 455, + "EndLine": 466, + "Code": { + "Lines": [ + { + "Number": 455, + "Content": " - name: init-chown-data", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: init-chown-data", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 456, + "Content": " image: \"quay.io/devtron/busybox:1.31.1\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/busybox:1.31.1\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 457, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + 
"Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 458, + "Content": " securityContext:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33msecurityContext\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 459, + "Content": " runAsNonRoot: false", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mfalse", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 460, + "Content": " runAsUser: 0", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m0", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 461, + "Content": " command: [\"chown\", \"-R\", \"472:472\", \"/var/lib/grafana\"]", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mcommand\u001b[0m: [\u001b[38;5;37m\"chown\"\u001b[0m, \u001b[38;5;37m\"-R\"\u001b[0m, \u001b[38;5;37m\"472:472\"\u001b[0m, \u001b[38;5;37m\"/var/lib/grafana\"\u001b[0m]", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 462, + "Content": " resources:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mresources\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 463, + "Content": " {}", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " {}", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 464, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV016", + "AVDID": "AVD-KSV-0016", + "Title": "Memory requests not 
specified", + "Description": "When containers have memory requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", + "Message": "Container 'devtron-test' of Pod 'devtron-grafana-test' should set 'resources.requests.memory'", + "Namespace": "builtin.kubernetes.KSV016", + "Query": "data.builtin.kubernetes.KSV016.deny", + "Resolution": "Set 'containers[].resources.requests.memory'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv016", + "References": [ + "https://kubesec.io/basics/containers-resources-limits-memory/", + "https://avd.aquasec.com/misconfig/ksv016" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 628, + "EndLine": 635, + "Code": { + "Lines": [ + { + "Number": 628, + "Content": " - name: devtron-test", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: devtron-test", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 629, + "Content": " image: \"quay.io/devtron/bats:v1.1.0\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/bats:v1.1.0\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 630, + "Content": " imagePullPolicy: \"IfNotPresent\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: \u001b[38;5;37m\"IfNotPresent\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 631, + "Content": " command: [\"/opt/bats/bin/bats\", \"-t\", \"/tests/run.sh\"]", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mcommand\u001b[0m: [\u001b[38;5;37m\"/opt/bats/bin/bats\"\u001b[0m, \u001b[38;5;37m\"-t\"\u001b[0m, 
\u001b[38;5;37m\"/tests/run.sh\"\u001b[0m]", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 632, + "Content": " volumeMounts:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvolumeMounts\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 633, + "Content": " - mountPath: /tests", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mmountPath\u001b[0m: /tests", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 634, + "Content": " name: tests", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mname\u001b[0m: tests", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 635, + "Content": " readOnly: true", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mreadOnly\u001b[0m: \u001b[38;5;166mtrue", + "FirstCause": false, + "LastCause": true + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV016", + "AVDID": "AVD-KSV-0016", + "Title": "Memory requests not specified", + "Description": "When containers have memory requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", + "Message": "Container 'download-dashboards' of Deployment 'devtron-grafana' should set 'resources.requests.memory'", + "Namespace": "builtin.kubernetes.KSV016", + "Query": "data.builtin.kubernetes.KSV016.deny", + "Resolution": "Set 'containers[].resources.requests.memory'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv016", + "References": [ + "https://kubesec.io/basics/containers-resources-limits-memory/", + "https://avd.aquasec.com/misconfig/ksv016" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 467, + "EndLine": 480, + "Code": { + "Lines": 
[ + { + "Number": 467, + "Content": " - name: download-dashboards", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: download-dashboards", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 468, + "Content": " image: \"quay.io/devtron/curl:7.73.0\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/curl:7.73.0\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 469, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 470, + "Content": " command: [\"/bin/sh\"]", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mcommand\u001b[0m: [\u001b[38;5;37m\"/bin/sh\"\u001b[0m]", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 471, + "Content": " args: [ \"-c\", \"mkdir -p /var/lib/grafana/dashboards/default \u0026\u0026 /bin/sh /etc/grafana/download_dashboards.sh\" ]", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33margs\u001b[0m: [ \u001b[38;5;37m\"-c\"\u001b[0m, \u001b[38;5;37m\"mkdir -p /var/lib/grafana/dashboards/default \u0026\u0026 /bin/sh /etc/grafana/download_dashboards.sh\"\u001b[0m ]", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 472, + "Content": " resources:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mresources\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 473, + "Content": " {}", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " {}", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 474, + "Content": " env:", + 
"IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 475, + "Content": " volumeMounts:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvolumeMounts\u001b[0m:", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 476, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV016", + "AVDID": "AVD-KSV-0016", + "Title": "Memory requests not specified", + "Description": "When containers have memory requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", + "Message": "Container 'grafana' of Deployment 'devtron-grafana' should set 'resources.requests.memory'", + "Namespace": "builtin.kubernetes.KSV016", + "Query": "data.builtin.kubernetes.KSV016.deny", + "Resolution": "Set 'containers[].resources.requests.memory'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv016", + "References": [ + "https://kubesec.io/basics/containers-resources-limits-memory/", + "https://avd.aquasec.com/misconfig/ksv016" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 516, + "EndLine": 565, + "Code": { + "Lines": [ + { + "Number": 516, + "Content": " - name: grafana", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: grafana", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 517, + "Content": " image: \"quay.io/devtron/grafana:7.3.1\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/grafana:7.3.1\"", + 
"FirstCause": false, + "LastCause": false + }, + { + "Number": 518, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 519, + "Content": " volumeMounts:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvolumeMounts\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 520, + "Content": " - name: config", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: config", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 521, + "Content": " mountPath: \"/etc/grafana/grafana.ini\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mmountPath\u001b[0m: \u001b[38;5;37m\"/etc/grafana/grafana.ini\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 522, + "Content": " subPath: grafana.ini", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33msubPath\u001b[0m: grafana.ini", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 523, + "Content": " - name: storage", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: storage", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 524, + "Content": " mountPath: \"/var/lib/grafana\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mmountPath\u001b[0m: \u001b[38;5;37m\"/var/lib/grafana\"", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 525, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": 
"KSV016", + "AVDID": "AVD-KSV-0016", + "Title": "Memory requests not specified", + "Description": "When containers have memory requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", + "Message": "Container 'grafana-sc-dashboard' of Deployment 'devtron-grafana' should set 'resources.requests.memory'", + "Namespace": "builtin.kubernetes.KSV016", + "Query": "data.builtin.kubernetes.KSV016.deny", + "Resolution": "Set 'containers[].resources.requests.memory'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv016", + "References": [ + "https://kubesec.io/basics/containers-resources-limits-memory/", + "https://avd.aquasec.com/misconfig/ksv016" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 499, + "EndLine": 515, + "Code": { + "Lines": [ + { + "Number": 499, + "Content": " - name: grafana-sc-dashboard", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: grafana-sc-dashboard", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 500, + "Content": " image: \"quay.io/kiwigrid/k8s-sidecar:1.1.0\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/kiwigrid/k8s-sidecar:1.1.0\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 501, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 502, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 503, + "Content": " - name: 
METHOD", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: METHOD", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 504, + "Content": " value:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 505, + "Content": " - name: LABEL", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: LABEL", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 506, + "Content": " value: \"grafana_dashboard\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: \u001b[38;5;37m\"grafana_dashboard\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 507, + "Content": " - name: FOLDER", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: FOLDER", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 508, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV016", + "AVDID": "AVD-KSV-0016", + "Title": "Memory requests not specified", + "Description": "When containers have memory requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", + "Message": "Container 'grafana-sc-datasources' of Deployment 'devtron-grafana' should set 'resources.requests.memory'", + "Namespace": "builtin.kubernetes.KSV016", + "Query": "data.builtin.kubernetes.KSV016.deny", + "Resolution": "Set 'containers[].resources.requests.memory'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv016", + "References": [ + 
"https://kubesec.io/basics/containers-resources-limits-memory/", + "https://avd.aquasec.com/misconfig/ksv016" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 481, + "EndLine": 497, + "Code": { + "Lines": [ + { + "Number": 481, + "Content": " - name: grafana-sc-datasources", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: grafana-sc-datasources", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 482, + "Content": " image: \"quay.io/kiwigrid/k8s-sidecar:1.1.0\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/kiwigrid/k8s-sidecar:1.1.0\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 483, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 484, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 485, + "Content": " - name: METHOD", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: METHOD", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 486, + "Content": " value: LIST", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: LIST", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 487, + "Content": " - name: LABEL", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: LABEL", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 488, + 
"Content": " value: \"grafana_datasource\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: \u001b[38;5;37m\"grafana_datasource\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 489, + "Content": " - name: FOLDER", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: FOLDER", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 490, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV016", + "AVDID": "AVD-KSV-0016", + "Title": "Memory requests not specified", + "Description": "When containers have memory requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", + "Message": "Container 'init-chown-data' of Deployment 'devtron-grafana' should set 'resources.requests.memory'", + "Namespace": "builtin.kubernetes.KSV016", + "Query": "data.builtin.kubernetes.KSV016.deny", + "Resolution": "Set 'containers[].resources.requests.memory'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv016", + "References": [ + "https://kubesec.io/basics/containers-resources-limits-memory/", + "https://avd.aquasec.com/misconfig/ksv016" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 455, + "EndLine": 466, + "Code": { + "Lines": [ + { + "Number": 455, + "Content": " - name: init-chown-data", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: init-chown-data", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 456, + "Content": " image: \"quay.io/devtron/busybox:1.31.1\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, 
+ "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/busybox:1.31.1\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 457, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 458, + "Content": " securityContext:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33msecurityContext\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 459, + "Content": " runAsNonRoot: false", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mfalse", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 460, + "Content": " runAsUser: 0", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m0", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 461, + "Content": " command: [\"chown\", \"-R\", \"472:472\", \"/var/lib/grafana\"]", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mcommand\u001b[0m: [\u001b[38;5;37m\"chown\"\u001b[0m, \u001b[38;5;37m\"-R\"\u001b[0m, \u001b[38;5;37m\"472:472\"\u001b[0m, \u001b[38;5;37m\"/var/lib/grafana\"\u001b[0m]", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 462, + "Content": " resources:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mresources\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 463, + "Content": " {}", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " {}", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 464, + "Content": "", + "IsCause": 
false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV018", + "AVDID": "AVD-KSV-0018", + "Title": "Memory not limited", + "Description": "Enforcing memory limits prevents DoS via resource exhaustion.", + "Message": "Container 'devtron-test' of Pod 'devtron-grafana-test' should set 'resources.limits.memory'", + "Namespace": "builtin.kubernetes.KSV018", + "Query": "data.builtin.kubernetes.KSV018.deny", + "Resolution": "Set a limit value under 'containers[].resources.limits.memory'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv018", + "References": [ + "https://kubesec.io/basics/containers-resources-limits-memory/", + "https://avd.aquasec.com/misconfig/ksv018" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 628, + "EndLine": 635, + "Code": { + "Lines": [ + { + "Number": 628, + "Content": " - name: devtron-test", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: devtron-test", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 629, + "Content": " image: \"quay.io/devtron/bats:v1.1.0\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/bats:v1.1.0\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 630, + "Content": " imagePullPolicy: \"IfNotPresent\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: \u001b[38;5;37m\"IfNotPresent\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 631, + "Content": " command: [\"/opt/bats/bin/bats\", \"-t\", \"/tests/run.sh\"]", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m 
\u001b[38;5;33mcommand\u001b[0m: [\u001b[38;5;37m\"/opt/bats/bin/bats\"\u001b[0m, \u001b[38;5;37m\"-t\"\u001b[0m, \u001b[38;5;37m\"/tests/run.sh\"\u001b[0m]", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 632, + "Content": " volumeMounts:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvolumeMounts\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 633, + "Content": " - mountPath: /tests", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mmountPath\u001b[0m: /tests", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 634, + "Content": " name: tests", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mname\u001b[0m: tests", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 635, + "Content": " readOnly: true", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mreadOnly\u001b[0m: \u001b[38;5;166mtrue", + "FirstCause": false, + "LastCause": true + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV018", + "AVDID": "AVD-KSV-0018", + "Title": "Memory not limited", + "Description": "Enforcing memory limits prevents DoS via resource exhaustion.", + "Message": "Container 'download-dashboards' of Deployment 'devtron-grafana' should set 'resources.limits.memory'", + "Namespace": "builtin.kubernetes.KSV018", + "Query": "data.builtin.kubernetes.KSV018.deny", + "Resolution": "Set a limit value under 'containers[].resources.limits.memory'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv018", + "References": [ + "https://kubesec.io/basics/containers-resources-limits-memory/", + "https://avd.aquasec.com/misconfig/ksv018" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 467, + "EndLine": 480, + 
"Code": { + "Lines": [ + { + "Number": 467, + "Content": " - name: download-dashboards", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: download-dashboards", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 468, + "Content": " image: \"quay.io/devtron/curl:7.73.0\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/curl:7.73.0\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 469, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 470, + "Content": " command: [\"/bin/sh\"]", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mcommand\u001b[0m: [\u001b[38;5;37m\"/bin/sh\"\u001b[0m]", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 471, + "Content": " args: [ \"-c\", \"mkdir -p /var/lib/grafana/dashboards/default \u0026\u0026 /bin/sh /etc/grafana/download_dashboards.sh\" ]", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33margs\u001b[0m: [ \u001b[38;5;37m\"-c\"\u001b[0m, \u001b[38;5;37m\"mkdir -p /var/lib/grafana/dashboards/default \u0026\u0026 /bin/sh /etc/grafana/download_dashboards.sh\"\u001b[0m ]", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 472, + "Content": " resources:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mresources\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 473, + "Content": " {}", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " {}", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 474, + 
"Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 475, + "Content": " volumeMounts:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvolumeMounts\u001b[0m:", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 476, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV018", + "AVDID": "AVD-KSV-0018", + "Title": "Memory not limited", + "Description": "Enforcing memory limits prevents DoS via resource exhaustion.", + "Message": "Container 'grafana' of Deployment 'devtron-grafana' should set 'resources.limits.memory'", + "Namespace": "builtin.kubernetes.KSV018", + "Query": "data.builtin.kubernetes.KSV018.deny", + "Resolution": "Set a limit value under 'containers[].resources.limits.memory'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv018", + "References": [ + "https://kubesec.io/basics/containers-resources-limits-memory/", + "https://avd.aquasec.com/misconfig/ksv018" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 516, + "EndLine": 565, + "Code": { + "Lines": [ + { + "Number": 516, + "Content": " - name: grafana", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: grafana", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 517, + "Content": " image: \"quay.io/devtron/grafana:7.3.1\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/grafana:7.3.1\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 518, + "Content": " 
imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 519, + "Content": " volumeMounts:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvolumeMounts\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 520, + "Content": " - name: config", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: config", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 521, + "Content": " mountPath: \"/etc/grafana/grafana.ini\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mmountPath\u001b[0m: \u001b[38;5;37m\"/etc/grafana/grafana.ini\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 522, + "Content": " subPath: grafana.ini", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33msubPath\u001b[0m: grafana.ini", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 523, + "Content": " - name: storage", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: storage", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 524, + "Content": " mountPath: \"/var/lib/grafana\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mmountPath\u001b[0m: \u001b[38;5;37m\"/var/lib/grafana\"", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 525, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV018", + "AVDID": "AVD-KSV-0018", + "Title": "Memory not limited", + "Description": 
"Enforcing memory limits prevents DoS via resource exhaustion.", + "Message": "Container 'grafana-sc-dashboard' of Deployment 'devtron-grafana' should set 'resources.limits.memory'", + "Namespace": "builtin.kubernetes.KSV018", + "Query": "data.builtin.kubernetes.KSV018.deny", + "Resolution": "Set a limit value under 'containers[].resources.limits.memory'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv018", + "References": [ + "https://kubesec.io/basics/containers-resources-limits-memory/", + "https://avd.aquasec.com/misconfig/ksv018" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 499, + "EndLine": 515, + "Code": { + "Lines": [ + { + "Number": 499, + "Content": " - name: grafana-sc-dashboard", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: grafana-sc-dashboard", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 500, + "Content": " image: \"quay.io/kiwigrid/k8s-sidecar:1.1.0\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/kiwigrid/k8s-sidecar:1.1.0\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 501, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 502, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 503, + "Content": " - name: METHOD", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: METHOD", + "FirstCause": false, + "LastCause": false + }, + { + 
"Number": 504, + "Content": " value:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 505, + "Content": " - name: LABEL", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: LABEL", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 506, + "Content": " value: \"grafana_dashboard\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: \u001b[38;5;37m\"grafana_dashboard\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 507, + "Content": " - name: FOLDER", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: FOLDER", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 508, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV018", + "AVDID": "AVD-KSV-0018", + "Title": "Memory not limited", + "Description": "Enforcing memory limits prevents DoS via resource exhaustion.", + "Message": "Container 'grafana-sc-datasources' of Deployment 'devtron-grafana' should set 'resources.limits.memory'", + "Namespace": "builtin.kubernetes.KSV018", + "Query": "data.builtin.kubernetes.KSV018.deny", + "Resolution": "Set a limit value under 'containers[].resources.limits.memory'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv018", + "References": [ + "https://kubesec.io/basics/containers-resources-limits-memory/", + "https://avd.aquasec.com/misconfig/ksv018" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 481, + "EndLine": 497, + "Code": { + "Lines": [ + { + "Number": 481, + 
"Content": " - name: grafana-sc-datasources", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: grafana-sc-datasources", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 482, + "Content": " image: \"quay.io/kiwigrid/k8s-sidecar:1.1.0\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/kiwigrid/k8s-sidecar:1.1.0\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 483, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 484, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 485, + "Content": " - name: METHOD", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: METHOD", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 486, + "Content": " value: LIST", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: LIST", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 487, + "Content": " - name: LABEL", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: LABEL", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 488, + "Content": " value: \"grafana_datasource\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: \u001b[38;5;37m\"grafana_datasource\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 489, + "Content": " - name: FOLDER", + "IsCause": 
true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: FOLDER", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 490, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV018", + "AVDID": "AVD-KSV-0018", + "Title": "Memory not limited", + "Description": "Enforcing memory limits prevents DoS via resource exhaustion.", + "Message": "Container 'init-chown-data' of Deployment 'devtron-grafana' should set 'resources.limits.memory'", + "Namespace": "builtin.kubernetes.KSV018", + "Query": "data.builtin.kubernetes.KSV018.deny", + "Resolution": "Set a limit value under 'containers[].resources.limits.memory'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv018", + "References": [ + "https://kubesec.io/basics/containers-resources-limits-memory/", + "https://avd.aquasec.com/misconfig/ksv018" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 455, + "EndLine": 466, + "Code": { + "Lines": [ + { + "Number": 455, + "Content": " - name: init-chown-data", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: init-chown-data", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 456, + "Content": " image: \"quay.io/devtron/busybox:1.31.1\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/busybox:1.31.1\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 457, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + 
}, + { + "Number": 458, + "Content": " securityContext:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33msecurityContext\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 459, + "Content": " runAsNonRoot: false", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mfalse", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 460, + "Content": " runAsUser: 0", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m0", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 461, + "Content": " command: [\"chown\", \"-R\", \"472:472\", \"/var/lib/grafana\"]", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mcommand\u001b[0m: [\u001b[38;5;37m\"chown\"\u001b[0m, \u001b[38;5;37m\"-R\"\u001b[0m, \u001b[38;5;37m\"472:472\"\u001b[0m, \u001b[38;5;37m\"/var/lib/grafana\"\u001b[0m]", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 462, + "Content": " resources:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mresources\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 463, + "Content": " {}", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " {}", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 464, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV020", + "AVDID": "AVD-KSV-0020", + "Title": "Runs with UID \u003c= 10000", + "Description": "Force the container to run with user ID \u003e 10000 to avoid conflicts with the host’s user table.", + "Message": "Container 'devtron-test' of Pod 
'devtron-grafana-test' should set 'securityContext.runAsUser' \u003e 10000", + "Namespace": "builtin.kubernetes.KSV020", + "Query": "data.builtin.kubernetes.KSV020.deny", + "Resolution": "Set 'containers[].securityContext.runAsUser' to an integer \u003e 10000.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv020", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-runasuser/", + "https://avd.aquasec.com/misconfig/ksv020" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 628, + "EndLine": 635, + "Code": { + "Lines": [ + { + "Number": 628, + "Content": " - name: devtron-test", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: devtron-test", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 629, + "Content": " image: \"quay.io/devtron/bats:v1.1.0\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/bats:v1.1.0\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 630, + "Content": " imagePullPolicy: \"IfNotPresent\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: \u001b[38;5;37m\"IfNotPresent\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 631, + "Content": " command: [\"/opt/bats/bin/bats\", \"-t\", \"/tests/run.sh\"]", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mcommand\u001b[0m: [\u001b[38;5;37m\"/opt/bats/bin/bats\"\u001b[0m, \u001b[38;5;37m\"-t\"\u001b[0m, \u001b[38;5;37m\"/tests/run.sh\"\u001b[0m]", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 632, + "Content": " volumeMounts:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " 
\u001b[38;5;33mvolumeMounts\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 633, + "Content": " - mountPath: /tests", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mmountPath\u001b[0m: /tests", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 634, + "Content": " name: tests", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mname\u001b[0m: tests", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 635, + "Content": " readOnly: true", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mreadOnly\u001b[0m: \u001b[38;5;166mtrue", + "FirstCause": false, + "LastCause": true + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV020", + "AVDID": "AVD-KSV-0020", + "Title": "Runs with UID \u003c= 10000", + "Description": "Force the container to run with user ID \u003e 10000 to avoid conflicts with the host’s user table.", + "Message": "Container 'download-dashboards' of Deployment 'devtron-grafana' should set 'securityContext.runAsUser' \u003e 10000", + "Namespace": "builtin.kubernetes.KSV020", + "Query": "data.builtin.kubernetes.KSV020.deny", + "Resolution": "Set 'containers[].securityContext.runAsUser' to an integer \u003e 10000.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv020", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-runasuser/", + "https://avd.aquasec.com/misconfig/ksv020" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 467, + "EndLine": 480, + "Code": { + "Lines": [ + { + "Number": 467, + "Content": " - name: download-dashboards", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: download-dashboards", + "FirstCause": true, + "LastCause": 
false + }, + { + "Number": 468, + "Content": " image: \"quay.io/devtron/curl:7.73.0\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/curl:7.73.0\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 469, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 470, + "Content": " command: [\"/bin/sh\"]", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mcommand\u001b[0m: [\u001b[38;5;37m\"/bin/sh\"\u001b[0m]", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 471, + "Content": " args: [ \"-c\", \"mkdir -p /var/lib/grafana/dashboards/default \u0026\u0026 /bin/sh /etc/grafana/download_dashboards.sh\" ]", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33margs\u001b[0m: [ \u001b[38;5;37m\"-c\"\u001b[0m, \u001b[38;5;37m\"mkdir -p /var/lib/grafana/dashboards/default \u0026\u0026 /bin/sh /etc/grafana/download_dashboards.sh\"\u001b[0m ]", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 472, + "Content": " resources:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mresources\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 473, + "Content": " {}", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " {}", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 474, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 475, + "Content": " volumeMounts:", + "IsCause": true, + "Annotation": "", + 
"Truncated": false, + "Highlighted": " \u001b[38;5;33mvolumeMounts\u001b[0m:", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 476, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV020", + "AVDID": "AVD-KSV-0020", + "Title": "Runs with UID \u003c= 10000", + "Description": "Force the container to run with user ID \u003e 10000 to avoid conflicts with the host’s user table.", + "Message": "Container 'grafana' of Deployment 'devtron-grafana' should set 'securityContext.runAsUser' \u003e 10000", + "Namespace": "builtin.kubernetes.KSV020", + "Query": "data.builtin.kubernetes.KSV020.deny", + "Resolution": "Set 'containers[].securityContext.runAsUser' to an integer \u003e 10000.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv020", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-runasuser/", + "https://avd.aquasec.com/misconfig/ksv020" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 516, + "EndLine": 565, + "Code": { + "Lines": [ + { + "Number": 516, + "Content": " - name: grafana", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: grafana", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 517, + "Content": " image: \"quay.io/devtron/grafana:7.3.1\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/grafana:7.3.1\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 518, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + 
"LastCause": false + }, + { + "Number": 519, + "Content": " volumeMounts:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvolumeMounts\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 520, + "Content": " - name: config", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: config", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 521, + "Content": " mountPath: \"/etc/grafana/grafana.ini\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mmountPath\u001b[0m: \u001b[38;5;37m\"/etc/grafana/grafana.ini\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 522, + "Content": " subPath: grafana.ini", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33msubPath\u001b[0m: grafana.ini", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 523, + "Content": " - name: storage", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: storage", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 524, + "Content": " mountPath: \"/var/lib/grafana\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mmountPath\u001b[0m: \u001b[38;5;37m\"/var/lib/grafana\"", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 525, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV020", + "AVDID": "AVD-KSV-0020", + "Title": "Runs with UID \u003c= 10000", + "Description": "Force the container to run with user ID \u003e 10000 to avoid conflicts with the host’s user table.", + "Message": "Container 'grafana-sc-dashboard' of Deployment 'devtron-grafana' should set 
'securityContext.runAsUser' \u003e 10000", + "Namespace": "builtin.kubernetes.KSV020", + "Query": "data.builtin.kubernetes.KSV020.deny", + "Resolution": "Set 'containers[].securityContext.runAsUser' to an integer \u003e 10000.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv020", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-runasuser/", + "https://avd.aquasec.com/misconfig/ksv020" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 499, + "EndLine": 515, + "Code": { + "Lines": [ + { + "Number": 499, + "Content": " - name: grafana-sc-dashboard", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: grafana-sc-dashboard", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 500, + "Content": " image: \"quay.io/kiwigrid/k8s-sidecar:1.1.0\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/kiwigrid/k8s-sidecar:1.1.0\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 501, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 502, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 503, + "Content": " - name: METHOD", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: METHOD", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 504, + "Content": " value:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " 
\u001b[38;5;33mvalue\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 505, + "Content": " - name: LABEL", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: LABEL", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 506, + "Content": " value: \"grafana_dashboard\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: \u001b[38;5;37m\"grafana_dashboard\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 507, + "Content": " - name: FOLDER", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: FOLDER", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 508, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV020", + "AVDID": "AVD-KSV-0020", + "Title": "Runs with UID \u003c= 10000", + "Description": "Force the container to run with user ID \u003e 10000 to avoid conflicts with the host’s user table.", + "Message": "Container 'grafana-sc-datasources' of Deployment 'devtron-grafana' should set 'securityContext.runAsUser' \u003e 10000", + "Namespace": "builtin.kubernetes.KSV020", + "Query": "data.builtin.kubernetes.KSV020.deny", + "Resolution": "Set 'containers[].securityContext.runAsUser' to an integer \u003e 10000.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv020", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-runasuser/", + "https://avd.aquasec.com/misconfig/ksv020" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 481, + "EndLine": 497, + "Code": { + "Lines": [ + { + "Number": 481, + "Content": " - name: grafana-sc-datasources", + 
"IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: grafana-sc-datasources", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 482, + "Content": " image: \"quay.io/kiwigrid/k8s-sidecar:1.1.0\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/kiwigrid/k8s-sidecar:1.1.0\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 483, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 484, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 485, + "Content": " - name: METHOD", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: METHOD", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 486, + "Content": " value: LIST", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: LIST", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 487, + "Content": " - name: LABEL", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: LABEL", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 488, + "Content": " value: \"grafana_datasource\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: \u001b[38;5;37m\"grafana_datasource\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 489, + "Content": " - name: FOLDER", + "IsCause": true, + "Annotation": "", + "Truncated": false, 
+ "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: FOLDER", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 490, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV020", + "AVDID": "AVD-KSV-0020", + "Title": "Runs with UID \u003c= 10000", + "Description": "Force the container to run with user ID \u003e 10000 to avoid conflicts with the host’s user table.", + "Message": "Container 'init-chown-data' of Deployment 'devtron-grafana' should set 'securityContext.runAsUser' \u003e 10000", + "Namespace": "builtin.kubernetes.KSV020", + "Query": "data.builtin.kubernetes.KSV020.deny", + "Resolution": "Set 'containers[].securityContext.runAsUser' to an integer \u003e 10000.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv020", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-runasuser/", + "https://avd.aquasec.com/misconfig/ksv020" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 455, + "EndLine": 466, + "Code": { + "Lines": [ + { + "Number": 455, + "Content": " - name: init-chown-data", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: init-chown-data", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 456, + "Content": " image: \"quay.io/devtron/busybox:1.31.1\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/busybox:1.31.1\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 457, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": 
false, + "LastCause": false + }, + { + "Number": 458, + "Content": " securityContext:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33msecurityContext\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 459, + "Content": " runAsNonRoot: false", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mfalse", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 460, + "Content": " runAsUser: 0", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m0", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 461, + "Content": " command: [\"chown\", \"-R\", \"472:472\", \"/var/lib/grafana\"]", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mcommand\u001b[0m: [\u001b[38;5;37m\"chown\"\u001b[0m, \u001b[38;5;37m\"-R\"\u001b[0m, \u001b[38;5;37m\"472:472\"\u001b[0m, \u001b[38;5;37m\"/var/lib/grafana\"\u001b[0m]", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 462, + "Content": " resources:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mresources\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 463, + "Content": " {}", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " {}", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 464, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV021", + "AVDID": "AVD-KSV-0021", + "Title": "Runs with GID \u003c= 10000", + "Description": "Force the container to run with group ID \u003e 10000 to avoid conflicts with the host’s user table.", + "Message": 
"Container 'devtron-test' of Pod 'devtron-grafana-test' should set 'securityContext.runAsGroup' \u003e 10000", + "Namespace": "builtin.kubernetes.KSV021", + "Query": "data.builtin.kubernetes.KSV021.deny", + "Resolution": "Set 'containers[].securityContext.runAsGroup' to an integer \u003e 10000.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv021", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-runasuser/", + "https://avd.aquasec.com/misconfig/ksv021" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 628, + "EndLine": 635, + "Code": { + "Lines": [ + { + "Number": 628, + "Content": " - name: devtron-test", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: devtron-test", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 629, + "Content": " image: \"quay.io/devtron/bats:v1.1.0\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/bats:v1.1.0\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 630, + "Content": " imagePullPolicy: \"IfNotPresent\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: \u001b[38;5;37m\"IfNotPresent\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 631, + "Content": " command: [\"/opt/bats/bin/bats\", \"-t\", \"/tests/run.sh\"]", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mcommand\u001b[0m: [\u001b[38;5;37m\"/opt/bats/bin/bats\"\u001b[0m, \u001b[38;5;37m\"-t\"\u001b[0m, \u001b[38;5;37m\"/tests/run.sh\"\u001b[0m]", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 632, + "Content": " volumeMounts:", + "IsCause": true, + "Annotation": "", + "Truncated": 
false, + "Highlighted": " \u001b[38;5;33mvolumeMounts\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 633, + "Content": " - mountPath: /tests", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mmountPath\u001b[0m: /tests", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 634, + "Content": " name: tests", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mname\u001b[0m: tests", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 635, + "Content": " readOnly: true", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mreadOnly\u001b[0m: \u001b[38;5;166mtrue", + "FirstCause": false, + "LastCause": true + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV021", + "AVDID": "AVD-KSV-0021", + "Title": "Runs with GID \u003c= 10000", + "Description": "Force the container to run with group ID \u003e 10000 to avoid conflicts with the host’s user table.", + "Message": "Container 'download-dashboards' of Deployment 'devtron-grafana' should set 'securityContext.runAsGroup' \u003e 10000", + "Namespace": "builtin.kubernetes.KSV021", + "Query": "data.builtin.kubernetes.KSV021.deny", + "Resolution": "Set 'containers[].securityContext.runAsGroup' to an integer \u003e 10000.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv021", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-runasuser/", + "https://avd.aquasec.com/misconfig/ksv021" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 467, + "EndLine": 480, + "Code": { + "Lines": [ + { + "Number": 467, + "Content": " - name: download-dashboards", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: download-dashboards", + 
"FirstCause": true, + "LastCause": false + }, + { + "Number": 468, + "Content": " image: \"quay.io/devtron/curl:7.73.0\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/curl:7.73.0\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 469, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 470, + "Content": " command: [\"/bin/sh\"]", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mcommand\u001b[0m: [\u001b[38;5;37m\"/bin/sh\"\u001b[0m]", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 471, + "Content": " args: [ \"-c\", \"mkdir -p /var/lib/grafana/dashboards/default \u0026\u0026 /bin/sh /etc/grafana/download_dashboards.sh\" ]", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33margs\u001b[0m: [ \u001b[38;5;37m\"-c\"\u001b[0m, \u001b[38;5;37m\"mkdir -p /var/lib/grafana/dashboards/default \u0026\u0026 /bin/sh /etc/grafana/download_dashboards.sh\"\u001b[0m ]", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 472, + "Content": " resources:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mresources\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 473, + "Content": " {}", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " {}", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 474, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 475, + "Content": " volumeMounts:", + 
"IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvolumeMounts\u001b[0m:", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 476, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV021", + "AVDID": "AVD-KSV-0021", + "Title": "Runs with GID \u003c= 10000", + "Description": "Force the container to run with group ID \u003e 10000 to avoid conflicts with the host’s user table.", + "Message": "Container 'grafana' of Deployment 'devtron-grafana' should set 'securityContext.runAsGroup' \u003e 10000", + "Namespace": "builtin.kubernetes.KSV021", + "Query": "data.builtin.kubernetes.KSV021.deny", + "Resolution": "Set 'containers[].securityContext.runAsGroup' to an integer \u003e 10000.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv021", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-runasuser/", + "https://avd.aquasec.com/misconfig/ksv021" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 516, + "EndLine": 565, + "Code": { + "Lines": [ + { + "Number": 516, + "Content": " - name: grafana", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: grafana", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 517, + "Content": " image: \"quay.io/devtron/grafana:7.3.1\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/grafana:7.3.1\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 518, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: 
IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 519, + "Content": " volumeMounts:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvolumeMounts\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 520, + "Content": " - name: config", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: config", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 521, + "Content": " mountPath: \"/etc/grafana/grafana.ini\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mmountPath\u001b[0m: \u001b[38;5;37m\"/etc/grafana/grafana.ini\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 522, + "Content": " subPath: grafana.ini", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33msubPath\u001b[0m: grafana.ini", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 523, + "Content": " - name: storage", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: storage", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 524, + "Content": " mountPath: \"/var/lib/grafana\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mmountPath\u001b[0m: \u001b[38;5;37m\"/var/lib/grafana\"", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 525, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV021", + "AVDID": "AVD-KSV-0021", + "Title": "Runs with GID \u003c= 10000", + "Description": "Force the container to run with group ID \u003e 10000 to avoid conflicts with the host’s user table.", + "Message": "Container 'grafana-sc-dashboard' 
of Deployment 'devtron-grafana' should set 'securityContext.runAsGroup' \u003e 10000", + "Namespace": "builtin.kubernetes.KSV021", + "Query": "data.builtin.kubernetes.KSV021.deny", + "Resolution": "Set 'containers[].securityContext.runAsGroup' to an integer \u003e 10000.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv021", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-runasuser/", + "https://avd.aquasec.com/misconfig/ksv021" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 499, + "EndLine": 515, + "Code": { + "Lines": [ + { + "Number": 499, + "Content": " - name: grafana-sc-dashboard", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: grafana-sc-dashboard", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 500, + "Content": " image: \"quay.io/kiwigrid/k8s-sidecar:1.1.0\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/kiwigrid/k8s-sidecar:1.1.0\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 501, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 502, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 503, + "Content": " - name: METHOD", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: METHOD", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 504, + "Content": " value:", + "IsCause": true, + "Annotation": "", + "Truncated": 
false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 505, + "Content": " - name: LABEL", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: LABEL", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 506, + "Content": " value: \"grafana_dashboard\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: \u001b[38;5;37m\"grafana_dashboard\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 507, + "Content": " - name: FOLDER", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: FOLDER", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 508, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV021", + "AVDID": "AVD-KSV-0021", + "Title": "Runs with GID \u003c= 10000", + "Description": "Force the container to run with group ID \u003e 10000 to avoid conflicts with the host’s user table.", + "Message": "Container 'grafana-sc-datasources' of Deployment 'devtron-grafana' should set 'securityContext.runAsGroup' \u003e 10000", + "Namespace": "builtin.kubernetes.KSV021", + "Query": "data.builtin.kubernetes.KSV021.deny", + "Resolution": "Set 'containers[].securityContext.runAsGroup' to an integer \u003e 10000.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv021", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-runasuser/", + "https://avd.aquasec.com/misconfig/ksv021" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 481, + "EndLine": 497, + "Code": { + "Lines": [ + { + "Number": 481, + "Content": " - name: 
grafana-sc-datasources", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: grafana-sc-datasources", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 482, + "Content": " image: \"quay.io/kiwigrid/k8s-sidecar:1.1.0\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/kiwigrid/k8s-sidecar:1.1.0\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 483, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 484, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 485, + "Content": " - name: METHOD", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: METHOD", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 486, + "Content": " value: LIST", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: LIST", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 487, + "Content": " - name: LABEL", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: LABEL", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 488, + "Content": " value: \"grafana_datasource\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: \u001b[38;5;37m\"grafana_datasource\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 489, + "Content": " - name: FOLDER", + "IsCause": true, + 
"Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: FOLDER", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 490, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV021", + "AVDID": "AVD-KSV-0021", + "Title": "Runs with GID \u003c= 10000", + "Description": "Force the container to run with group ID \u003e 10000 to avoid conflicts with the host’s user table.", + "Message": "Container 'init-chown-data' of Deployment 'devtron-grafana' should set 'securityContext.runAsGroup' \u003e 10000", + "Namespace": "builtin.kubernetes.KSV021", + "Query": "data.builtin.kubernetes.KSV021.deny", + "Resolution": "Set 'containers[].securityContext.runAsGroup' to an integer \u003e 10000.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv021", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-runasuser/", + "https://avd.aquasec.com/misconfig/ksv021" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 455, + "EndLine": 466, + "Code": { + "Lines": [ + { + "Number": 455, + "Content": " - name: init-chown-data", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: init-chown-data", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 456, + "Content": " image: \"quay.io/devtron/busybox:1.31.1\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/busybox:1.31.1\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 457, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m 
\u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 458, + "Content": " securityContext:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33msecurityContext\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 459, + "Content": " runAsNonRoot: false", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mfalse", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 460, + "Content": " runAsUser: 0", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m0", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 461, + "Content": " command: [\"chown\", \"-R\", \"472:472\", \"/var/lib/grafana\"]", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mcommand\u001b[0m: [\u001b[38;5;37m\"chown\"\u001b[0m, \u001b[38;5;37m\"-R\"\u001b[0m, \u001b[38;5;37m\"472:472\"\u001b[0m, \u001b[38;5;37m\"/var/lib/grafana\"\u001b[0m]", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 462, + "Content": " resources:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mresources\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 463, + "Content": " {}", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " {}", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 464, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV030", + "AVDID": "AVD-KSV-0030", + "Title": "Runtime/Default Seccomp profile not set", + "Description": "According to pod security standard 
'Seccomp', the RuntimeDefault seccomp profile must be required, or allow specific additional profiles.", + "Message": "Either Pod or Container should set 'securityContext.seccompProfile.type' to 'RuntimeDefault'", + "Namespace": "builtin.kubernetes.KSV030", + "Query": "data.builtin.kubernetes.KSV030.deny", + "Resolution": "Set 'spec.securityContext.seccompProfile.type', 'spec.containers[*].securityContext.seccompProfile' and 'spec.initContainers[*].securityContext.seccompProfile' to 'RuntimeDefault' or undefined.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv030", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", + "https://avd.aquasec.com/misconfig/ksv030" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 516, + "EndLine": 565, + "Code": { + "Lines": [ + { + "Number": 516, + "Content": " - name: grafana", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: grafana", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 517, + "Content": " image: \"quay.io/devtron/grafana:7.3.1\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/grafana:7.3.1\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 518, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 519, + "Content": " volumeMounts:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvolumeMounts\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 520, + "Content": " - name: config", + "IsCause": 
true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: config", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 521, + "Content": " mountPath: \"/etc/grafana/grafana.ini\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mmountPath\u001b[0m: \u001b[38;5;37m\"/etc/grafana/grafana.ini\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 522, + "Content": " subPath: grafana.ini", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33msubPath\u001b[0m: grafana.ini", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 523, + "Content": " - name: storage", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: storage", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 524, + "Content": " mountPath: \"/var/lib/grafana\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mmountPath\u001b[0m: \u001b[38;5;37m\"/var/lib/grafana\"", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 525, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV030", + "AVDID": "AVD-KSV-0030", + "Title": "Runtime/Default Seccomp profile not set", + "Description": "According to pod security standard 'Seccomp', the RuntimeDefault seccomp profile must be required, or allow specific additional profiles.", + "Message": "Either Pod or Container should set 'securityContext.seccompProfile.type' to 'RuntimeDefault'", + "Namespace": "builtin.kubernetes.KSV030", + "Query": "data.builtin.kubernetes.KSV030.deny", + "Resolution": "Set 'spec.securityContext.seccompProfile.type', 'spec.containers[*].securityContext.seccompProfile' and 
'spec.initContainers[*].securityContext.seccompProfile' to 'RuntimeDefault' or undefined.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv030", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", + "https://avd.aquasec.com/misconfig/ksv030" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 499, + "EndLine": 515, + "Code": { + "Lines": [ + { + "Number": 499, + "Content": " - name: grafana-sc-dashboard", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: grafana-sc-dashboard", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 500, + "Content": " image: \"quay.io/kiwigrid/k8s-sidecar:1.1.0\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/kiwigrid/k8s-sidecar:1.1.0\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 501, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 502, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 503, + "Content": " - name: METHOD", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: METHOD", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 504, + "Content": " value:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 505, + "Content": " - name: LABEL", + 
"IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: LABEL", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 506, + "Content": " value: \"grafana_dashboard\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: \u001b[38;5;37m\"grafana_dashboard\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 507, + "Content": " - name: FOLDER", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: FOLDER", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 508, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV030", + "AVDID": "AVD-KSV-0030", + "Title": "Runtime/Default Seccomp profile not set", + "Description": "According to pod security standard 'Seccomp', the RuntimeDefault seccomp profile must be required, or allow specific additional profiles.", + "Message": "Either Pod or Container should set 'securityContext.seccompProfile.type' to 'RuntimeDefault'", + "Namespace": "builtin.kubernetes.KSV030", + "Query": "data.builtin.kubernetes.KSV030.deny", + "Resolution": "Set 'spec.securityContext.seccompProfile.type', 'spec.containers[*].securityContext.seccompProfile' and 'spec.initContainers[*].securityContext.seccompProfile' to 'RuntimeDefault' or undefined.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv030", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", + "https://avd.aquasec.com/misconfig/ksv030" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 481, + "EndLine": 497, + "Code": { + "Lines": [ + { + "Number": 481, + "Content": " - name: 
grafana-sc-datasources", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: grafana-sc-datasources", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 482, + "Content": " image: \"quay.io/kiwigrid/k8s-sidecar:1.1.0\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/kiwigrid/k8s-sidecar:1.1.0\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 483, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 484, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 485, + "Content": " - name: METHOD", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: METHOD", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 486, + "Content": " value: LIST", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: LIST", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 487, + "Content": " - name: LABEL", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: LABEL", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 488, + "Content": " value: \"grafana_datasource\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: \u001b[38;5;37m\"grafana_datasource\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 489, + "Content": " - name: FOLDER", + "IsCause": true, + 
"Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: FOLDER", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 490, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV030", + "AVDID": "AVD-KSV-0030", + "Title": "Runtime/Default Seccomp profile not set", + "Description": "According to pod security standard 'Seccomp', the RuntimeDefault seccomp profile must be required, or allow specific additional profiles.", + "Message": "Either Pod or Container should set 'securityContext.seccompProfile.type' to 'RuntimeDefault'", + "Namespace": "builtin.kubernetes.KSV030", + "Query": "data.builtin.kubernetes.KSV030.deny", + "Resolution": "Set 'spec.securityContext.seccompProfile.type', 'spec.containers[*].securityContext.seccompProfile' and 'spec.initContainers[*].securityContext.seccompProfile' to 'RuntimeDefault' or undefined.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv030", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", + "https://avd.aquasec.com/misconfig/ksv030" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 467, + "EndLine": 480, + "Code": { + "Lines": [ + { + "Number": 467, + "Content": " - name: download-dashboards", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: download-dashboards", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 468, + "Content": " image: \"quay.io/devtron/curl:7.73.0\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/curl:7.73.0\"", + "FirstCause": false, + "LastCause": false + }, + { + 
"Number": 469, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 470, + "Content": " command: [\"/bin/sh\"]", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mcommand\u001b[0m: [\u001b[38;5;37m\"/bin/sh\"\u001b[0m]", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 471, + "Content": " args: [ \"-c\", \"mkdir -p /var/lib/grafana/dashboards/default \u0026\u0026 /bin/sh /etc/grafana/download_dashboards.sh\" ]", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33margs\u001b[0m: [ \u001b[38;5;37m\"-c\"\u001b[0m, \u001b[38;5;37m\"mkdir -p /var/lib/grafana/dashboards/default \u0026\u0026 /bin/sh /etc/grafana/download_dashboards.sh\"\u001b[0m ]", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 472, + "Content": " resources:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mresources\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 473, + "Content": " {}", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " {}", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 474, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 475, + "Content": " volumeMounts:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvolumeMounts\u001b[0m:", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 476, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": 
"Kubernetes Security Check", + "ID": "KSV030", + "AVDID": "AVD-KSV-0030", + "Title": "Runtime/Default Seccomp profile not set", + "Description": "According to pod security standard 'Seccomp', the RuntimeDefault seccomp profile must be required, or allow specific additional profiles.", + "Message": "Either Pod or Container should set 'securityContext.seccompProfile.type' to 'RuntimeDefault'", + "Namespace": "builtin.kubernetes.KSV030", + "Query": "data.builtin.kubernetes.KSV030.deny", + "Resolution": "Set 'spec.securityContext.seccompProfile.type', 'spec.containers[*].securityContext.seccompProfile' and 'spec.initContainers[*].securityContext.seccompProfile' to 'RuntimeDefault' or undefined.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv030", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", + "https://avd.aquasec.com/misconfig/ksv030" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 455, + "EndLine": 466, + "Code": { + "Lines": [ + { + "Number": 455, + "Content": " - name: init-chown-data", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: init-chown-data", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 456, + "Content": " image: \"quay.io/devtron/busybox:1.31.1\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/busybox:1.31.1\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 457, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 458, + "Content": " securityContext:", + "IsCause": true, + "Annotation": "", + 
"Truncated": false, + "Highlighted": " \u001b[38;5;33msecurityContext\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 459, + "Content": " runAsNonRoot: false", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mfalse", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 460, + "Content": " runAsUser: 0", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m0", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 461, + "Content": " command: [\"chown\", \"-R\", \"472:472\", \"/var/lib/grafana\"]", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mcommand\u001b[0m: [\u001b[38;5;37m\"chown\"\u001b[0m, \u001b[38;5;37m\"-R\"\u001b[0m, \u001b[38;5;37m\"472:472\"\u001b[0m, \u001b[38;5;37m\"/var/lib/grafana\"\u001b[0m]", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 462, + "Content": " resources:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mresources\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 463, + "Content": " {}", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " {}", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 464, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV030", + "AVDID": "AVD-KSV-0030", + "Title": "Runtime/Default Seccomp profile not set", + "Description": "According to pod security standard 'Seccomp', the RuntimeDefault seccomp profile must be required, or allow specific additional profiles.", + "Message": "Either Pod or Container should set 'securityContext.seccompProfile.type' to 
'RuntimeDefault'", + "Namespace": "builtin.kubernetes.KSV030", + "Query": "data.builtin.kubernetes.KSV030.deny", + "Resolution": "Set 'spec.securityContext.seccompProfile.type', 'spec.containers[*].securityContext.seccompProfile' and 'spec.initContainers[*].securityContext.seccompProfile' to 'RuntimeDefault' or undefined.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv030", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", + "https://avd.aquasec.com/misconfig/ksv030" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 628, + "EndLine": 635, + "Code": { + "Lines": [ + { + "Number": 628, + "Content": " - name: devtron-test", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: devtron-test", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 629, + "Content": " image: \"quay.io/devtron/bats:v1.1.0\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/bats:v1.1.0\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 630, + "Content": " imagePullPolicy: \"IfNotPresent\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: \u001b[38;5;37m\"IfNotPresent\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 631, + "Content": " command: [\"/opt/bats/bin/bats\", \"-t\", \"/tests/run.sh\"]", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mcommand\u001b[0m: [\u001b[38;5;37m\"/opt/bats/bin/bats\"\u001b[0m, \u001b[38;5;37m\"-t\"\u001b[0m, \u001b[38;5;37m\"/tests/run.sh\"\u001b[0m]", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 632, + "Content": " volumeMounts:", + "IsCause": 
true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvolumeMounts\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 633, + "Content": " - mountPath: /tests", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mmountPath\u001b[0m: /tests", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 634, + "Content": " name: tests", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mname\u001b[0m: tests", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 635, + "Content": " readOnly: true", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mreadOnly\u001b[0m: \u001b[38;5;166mtrue", + "FirstCause": false, + "LastCause": true + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV041", + "AVDID": "AVD-KSV-0041", + "Title": "Manage secrets", + "Description": "Viewing secrets at the cluster-scope is akin to cluster-admin in most clusters as there are typically at least one service accounts (their token stored in a secret) bound to cluster-admin directly or a role/clusterrole that gives similar permissions.", + "Message": "ClusterRole 'devtron-grafana-clusterrole' shouldn't have access to manage resource 'secrets'", + "Namespace": "builtin.kubernetes.KSV041", + "Query": "data.builtin.kubernetes.KSV041.deny", + "Resolution": "Manage secrets are not allowed. 
Remove resource 'secrets' from cluster role", + "Severity": "CRITICAL", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv041", + "References": [ + "https://kubernetes.io/docs/concepts/security/rbac-good-practices/", + "https://avd.aquasec.com/misconfig/ksv041" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 291, + "EndLine": 293, + "Code": { + "Lines": [ + { + "Number": 291, + "Content": "- apiGroups: [\"\"] # \"\" indicates the core API group", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "- \u001b[38;5;33mapiGroups\u001b[0m: [\u001b[38;5;37m\"\"\u001b[0m] \u001b[38;5;239m# \"\" indicates the core API group", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 292, + "Content": " resources: [\"configmaps\", \"secrets\"]", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mresources\u001b[0m: [\u001b[38;5;37m\"configmaps\"\u001b[0m, \u001b[38;5;37m\"secrets\"\u001b[0m]", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 293, + "Content": " verbs: [\"get\", \"watch\", \"list\"]", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mverbs\u001b[0m: [\u001b[38;5;37m\"get\"\u001b[0m, \u001b[38;5;37m\"watch\"\u001b[0m, \u001b[38;5;37m\"list\"\u001b[0m]", + "FirstCause": false, + "LastCause": true + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV104", + "AVDID": "AVD-KSV-0104", + "Title": "Seccomp policies disabled", + "Description": "A program inside the container can bypass Seccomp protection policies.", + "Message": "container \"devtron-test\" of pod \"devtron-grafana-test\" in \"devtroncd\" namespace should specify a seccomp profile", + "Namespace": "builtin.kubernetes.KSV104", + "Query": "data.builtin.kubernetes.KSV104.deny", + "Resolution": "Specify seccomp either by annotation or by seccomp profile 
type having allowed values as per pod security standards", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv104", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline", + "https://avd.aquasec.com/misconfig/ksv104" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 610, + "EndLine": 610, + "Code": { + "Lines": [ + { + "Number": 610, + "Content": "---", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m---", + "FirstCause": true, + "LastCause": true + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV104", + "AVDID": "AVD-KSV-0104", + "Title": "Seccomp policies disabled", + "Description": "A program inside the container can bypass Seccomp protection policies.", + "Message": "container \"download-dashboards\" of deployment \"devtron-grafana\" in \"devtroncd\" namespace should specify a seccomp profile", + "Namespace": "builtin.kubernetes.KSV104", + "Query": "data.builtin.kubernetes.KSV104.deny", + "Resolution": "Specify seccomp either by annotation or by seccomp profile type having allowed values as per pod security standards", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv104", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline", + "https://avd.aquasec.com/misconfig/ksv104" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 416, + "EndLine": 416, + "Code": { + "Lines": [ + { + "Number": 416, + "Content": "---", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "---", + "FirstCause": true, + "LastCause": true + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV104", + "AVDID": "AVD-KSV-0104", + "Title": "Seccomp policies disabled", + "Description": "A 
program inside the container can bypass Seccomp protection policies.", + "Message": "container \"grafana\" of deployment \"devtron-grafana\" in \"devtroncd\" namespace should specify a seccomp profile", + "Namespace": "builtin.kubernetes.KSV104", + "Query": "data.builtin.kubernetes.KSV104.deny", + "Resolution": "Specify seccomp either by annotation or by seccomp profile type having allowed values as per pod security standards", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv104", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline", + "https://avd.aquasec.com/misconfig/ksv104" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 416, + "EndLine": 416, + "Code": { + "Lines": [ + { + "Number": 416, + "Content": "---", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "---", + "FirstCause": true, + "LastCause": true + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV104", + "AVDID": "AVD-KSV-0104", + "Title": "Seccomp policies disabled", + "Description": "A program inside the container can bypass Seccomp protection policies.", + "Message": "container \"grafana-sc-dashboard\" of deployment \"devtron-grafana\" in \"devtroncd\" namespace should specify a seccomp profile", + "Namespace": "builtin.kubernetes.KSV104", + "Query": "data.builtin.kubernetes.KSV104.deny", + "Resolution": "Specify seccomp either by annotation or by seccomp profile type having allowed values as per pod security standards", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv104", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline", + "https://avd.aquasec.com/misconfig/ksv104" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 416, + "EndLine": 
416, + "Code": { + "Lines": [ + { + "Number": 416, + "Content": "---", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "---", + "FirstCause": true, + "LastCause": true + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV104", + "AVDID": "AVD-KSV-0104", + "Title": "Seccomp policies disabled", + "Description": "A program inside the container can bypass Seccomp protection policies.", + "Message": "container \"grafana-sc-datasources\" of deployment \"devtron-grafana\" in \"devtroncd\" namespace should specify a seccomp profile", + "Namespace": "builtin.kubernetes.KSV104", + "Query": "data.builtin.kubernetes.KSV104.deny", + "Resolution": "Specify seccomp either by annotation or by seccomp profile type having allowed values as per pod security standards", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv104", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline", + "https://avd.aquasec.com/misconfig/ksv104" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 416, + "EndLine": 416, + "Code": { + "Lines": [ + { + "Number": 416, + "Content": "---", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "---", + "FirstCause": true, + "LastCause": true + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV104", + "AVDID": "AVD-KSV-0104", + "Title": "Seccomp policies disabled", + "Description": "A program inside the container can bypass Seccomp protection policies.", + "Message": "container \"init-chown-data\" of deployment \"devtron-grafana\" in \"devtroncd\" namespace should specify a seccomp profile", + "Namespace": "builtin.kubernetes.KSV104", + "Query": "data.builtin.kubernetes.KSV104.deny", + "Resolution": "Specify seccomp either by annotation or by seccomp profile type having allowed values as per pod security standards", + 
"Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv104", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline", + "https://avd.aquasec.com/misconfig/ksv104" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 416, + "EndLine": 416, + "Code": { + "Lines": [ + { + "Number": 416, + "Content": "---", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "---", + "FirstCause": true, + "LastCause": true + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV105", + "AVDID": "AVD-KSV-0105", + "Title": "Containers must not set runAsUser to 0", + "Description": "Containers should be forbidden from running with a root UID.", + "Message": "securityContext.runAsUser should be set to a value greater than 0", + "Namespace": "builtin.kubernetes.KSV105", + "Query": "data.builtin.kubernetes.KSV105.deny", + "Resolution": "Set 'securityContext.runAsUser' to a non-zero integer or leave undefined.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv105", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", + "https://avd.aquasec.com/misconfig/ksv105" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 459, + "EndLine": 460, + "Code": { + "Lines": [ + { + "Number": 459, + "Content": " runAsNonRoot: false", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mfalse", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 460, + "Content": " runAsUser: 0", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m0", + "FirstCause": false, + "LastCause": true + } + ] + } + } + }, + { 
+ "Type": "Kubernetes Security Check", + "ID": "KSV106", + "AVDID": "AVD-KSV-0106", + "Title": "Container capabilities must only include NET_BIND_SERVICE", + "Description": "Containers must drop ALL capabilities, and are only permitted to add back the NET_BIND_SERVICE capability.", + "Message": "container should drop all", + "Namespace": "builtin.kubernetes.KSV106", + "Query": "data.builtin.kubernetes.KSV106.deny", + "Resolution": "Set 'spec.containers[*].securityContext.capabilities.drop' to 'ALL' and only add 'NET_BIND_SERVICE' to 'spec.containers[*].securityContext.capabilities.add'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv106", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", + "https://avd.aquasec.com/misconfig/ksv106" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 628, + "EndLine": 635, + "Code": { + "Lines": [ + { + "Number": 628, + "Content": " - name: devtron-test", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: devtron-test", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 629, + "Content": " image: \"quay.io/devtron/bats:v1.1.0\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/bats:v1.1.0\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 630, + "Content": " imagePullPolicy: \"IfNotPresent\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: \u001b[38;5;37m\"IfNotPresent\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 631, + "Content": " command: [\"/opt/bats/bin/bats\", \"-t\", \"/tests/run.sh\"]", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m 
\u001b[38;5;33mcommand\u001b[0m: [\u001b[38;5;37m\"/opt/bats/bin/bats\"\u001b[0m, \u001b[38;5;37m\"-t\"\u001b[0m, \u001b[38;5;37m\"/tests/run.sh\"\u001b[0m]", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 632, + "Content": " volumeMounts:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvolumeMounts\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 633, + "Content": " - mountPath: /tests", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mmountPath\u001b[0m: /tests", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 634, + "Content": " name: tests", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mname\u001b[0m: tests", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 635, + "Content": " readOnly: true", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mreadOnly\u001b[0m: \u001b[38;5;166mtrue", + "FirstCause": false, + "LastCause": true + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV106", + "AVDID": "AVD-KSV-0106", + "Title": "Container capabilities must only include NET_BIND_SERVICE", + "Description": "Containers must drop ALL capabilities, and are only permitted to add back the NET_BIND_SERVICE capability.", + "Message": "container should drop all", + "Namespace": "builtin.kubernetes.KSV106", + "Query": "data.builtin.kubernetes.KSV106.deny", + "Resolution": "Set 'spec.containers[*].securityContext.capabilities.drop' to 'ALL' and only add 'NET_BIND_SERVICE' to 'spec.containers[*].securityContext.capabilities.add'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv106", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", + "https://avd.aquasec.com/misconfig/ksv106" + ], + "Status": "FAIL", + "Layer": 
{}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 516, + "EndLine": 565, + "Code": { + "Lines": [ + { + "Number": 516, + "Content": " - name: grafana", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: grafana", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 517, + "Content": " image: \"quay.io/devtron/grafana:7.3.1\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/grafana:7.3.1\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 518, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 519, + "Content": " volumeMounts:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvolumeMounts\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 520, + "Content": " - name: config", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: config", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 521, + "Content": " mountPath: \"/etc/grafana/grafana.ini\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mmountPath\u001b[0m: \u001b[38;5;37m\"/etc/grafana/grafana.ini\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 522, + "Content": " subPath: grafana.ini", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33msubPath\u001b[0m: grafana.ini", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 523, + "Content": " - name: storage", + "IsCause": true, + "Annotation": "", + 
"Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: storage", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 524, + "Content": " mountPath: \"/var/lib/grafana\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mmountPath\u001b[0m: \u001b[38;5;37m\"/var/lib/grafana\"", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 525, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV106", + "AVDID": "AVD-KSV-0106", + "Title": "Container capabilities must only include NET_BIND_SERVICE", + "Description": "Containers must drop ALL capabilities, and are only permitted to add back the NET_BIND_SERVICE capability.", + "Message": "container should drop all", + "Namespace": "builtin.kubernetes.KSV106", + "Query": "data.builtin.kubernetes.KSV106.deny", + "Resolution": "Set 'spec.containers[*].securityContext.capabilities.drop' to 'ALL' and only add 'NET_BIND_SERVICE' to 'spec.containers[*].securityContext.capabilities.add'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv106", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", + "https://avd.aquasec.com/misconfig/ksv106" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 499, + "EndLine": 515, + "Code": { + "Lines": [ + { + "Number": 499, + "Content": " - name: grafana-sc-dashboard", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: grafana-sc-dashboard", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 500, + "Content": " image: \"quay.io/kiwigrid/k8s-sidecar:1.1.0\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " 
\u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/kiwigrid/k8s-sidecar:1.1.0\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 501, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 502, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 503, + "Content": " - name: METHOD", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: METHOD", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 504, + "Content": " value:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 505, + "Content": " - name: LABEL", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: LABEL", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 506, + "Content": " value: \"grafana_dashboard\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: \u001b[38;5;37m\"grafana_dashboard\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 507, + "Content": " - name: FOLDER", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: FOLDER", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 508, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV106", + "AVDID": 
"AVD-KSV-0106", + "Title": "Container capabilities must only include NET_BIND_SERVICE", + "Description": "Containers must drop ALL capabilities, and are only permitted to add back the NET_BIND_SERVICE capability.", + "Message": "container should drop all", + "Namespace": "builtin.kubernetes.KSV106", + "Query": "data.builtin.kubernetes.KSV106.deny", + "Resolution": "Set 'spec.containers[*].securityContext.capabilities.drop' to 'ALL' and only add 'NET_BIND_SERVICE' to 'spec.containers[*].securityContext.capabilities.add'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv106", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", + "https://avd.aquasec.com/misconfig/ksv106" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 481, + "EndLine": 497, + "Code": { + "Lines": [ + { + "Number": 481, + "Content": " - name: grafana-sc-datasources", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: grafana-sc-datasources", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 482, + "Content": " image: \"quay.io/kiwigrid/k8s-sidecar:1.1.0\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/kiwigrid/k8s-sidecar:1.1.0\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 483, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 484, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 485, + "Content": " - 
name: METHOD", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: METHOD", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 486, + "Content": " value: LIST", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: LIST", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 487, + "Content": " - name: LABEL", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: LABEL", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 488, + "Content": " value: \"grafana_datasource\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: \u001b[38;5;37m\"grafana_datasource\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 489, + "Content": " - name: FOLDER", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: FOLDER", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 490, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV106", + "AVDID": "AVD-KSV-0106", + "Title": "Container capabilities must only include NET_BIND_SERVICE", + "Description": "Containers must drop ALL capabilities, and are only permitted to add back the NET_BIND_SERVICE capability.", + "Message": "container should drop all", + "Namespace": "builtin.kubernetes.KSV106", + "Query": "data.builtin.kubernetes.KSV106.deny", + "Resolution": "Set 'spec.containers[*].securityContext.capabilities.drop' to 'ALL' and only add 'NET_BIND_SERVICE' to 'spec.containers[*].securityContext.capabilities.add'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv106", + "References": [ + 
"https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", + "https://avd.aquasec.com/misconfig/ksv106" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 467, + "EndLine": 480, + "Code": { + "Lines": [ + { + "Number": 467, + "Content": " - name: download-dashboards", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: download-dashboards", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 468, + "Content": " image: \"quay.io/devtron/curl:7.73.0\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/curl:7.73.0\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 469, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 470, + "Content": " command: [\"/bin/sh\"]", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mcommand\u001b[0m: [\u001b[38;5;37m\"/bin/sh\"\u001b[0m]", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 471, + "Content": " args: [ \"-c\", \"mkdir -p /var/lib/grafana/dashboards/default \u0026\u0026 /bin/sh /etc/grafana/download_dashboards.sh\" ]", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33margs\u001b[0m: [ \u001b[38;5;37m\"-c\"\u001b[0m, \u001b[38;5;37m\"mkdir -p /var/lib/grafana/dashboards/default \u0026\u0026 /bin/sh /etc/grafana/download_dashboards.sh\"\u001b[0m ]", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 472, + "Content": " resources:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " 
\u001b[38;5;33mresources\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 473, + "Content": " {}", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " {}", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 474, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 475, + "Content": " volumeMounts:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvolumeMounts\u001b[0m:", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 476, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV106", + "AVDID": "AVD-KSV-0106", + "Title": "Container capabilities must only include NET_BIND_SERVICE", + "Description": "Containers must drop ALL capabilities, and are only permitted to add back the NET_BIND_SERVICE capability.", + "Message": "container should drop all", + "Namespace": "builtin.kubernetes.KSV106", + "Query": "data.builtin.kubernetes.KSV106.deny", + "Resolution": "Set 'spec.containers[*].securityContext.capabilities.drop' to 'ALL' and only add 'NET_BIND_SERVICE' to 'spec.containers[*].securityContext.capabilities.add'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv106", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", + "https://avd.aquasec.com/misconfig/ksv106" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 455, + "EndLine": 466, + "Code": { + "Lines": [ + { + "Number": 455, + "Content": " - name: init-chown-data", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - 
\u001b[38;5;33mname\u001b[0m: init-chown-data", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 456, + "Content": " image: \"quay.io/devtron/busybox:1.31.1\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/busybox:1.31.1\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 457, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 458, + "Content": " securityContext:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33msecurityContext\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 459, + "Content": " runAsNonRoot: false", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mfalse", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 460, + "Content": " runAsUser: 0", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m0", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 461, + "Content": " command: [\"chown\", \"-R\", \"472:472\", \"/var/lib/grafana\"]", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mcommand\u001b[0m: [\u001b[38;5;37m\"chown\"\u001b[0m, \u001b[38;5;37m\"-R\"\u001b[0m, \u001b[38;5;37m\"472:472\"\u001b[0m, \u001b[38;5;37m\"/var/lib/grafana\"\u001b[0m]", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 462, + "Content": " resources:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mresources\u001b[0m:", + "FirstCause": false, + "LastCause": 
false + }, + { + "Number": 463, + "Content": " {}", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " {}", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 464, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV117", + "AVDID": "AVD-KSV-0117", + "Title": "Prevent binding to privileged ports", + "Description": "The ports which are lower than 1024 receive and transmit various sensitive and privileged data. Allowing containers to use them can bring serious implications.", + "Message": "deployment devtron-grafana in devtroncd namespace should not set spec.template.spec.containers.ports.containerPort to less than 1024", + "Namespace": "builtin.kubernetes.KSV117", + "Query": "data.builtin.kubernetes.KSV117.deny", + "Resolution": "Do not map the container ports to privileged host ports when starting a container.", + "Severity": "HIGH", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv117", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/", + "https://avd.aquasec.com/misconfig/ksv117" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 416, + "EndLine": 416, + "Code": { + "Lines": [ + { + "Number": 416, + "Content": "---", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "---", + "FirstCause": true, + "LastCause": true + } + ] + } + } + } + ] + }, + { + "Target": "manifests/yamls/guard.yaml", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 153, + "Failures": 13, + "Exceptions": 0 + }, + "Misconfigurations": [ + { + "Type": "Kubernetes Security Check", + "ID": "KSV001", + "AVDID": "AVD-KSV-0001", + "Title": "Can elevate its own privileges", + "Description": "A program inside the container can elevate 
its own privileges and run as root, which might give the program control over the container and node.", + "Message": "Container 'guard' of Deployment 'guard' should set 'securityContext.allowPrivilegeEscalation' to false", + "Namespace": "builtin.kubernetes.KSV001", + "Query": "data.builtin.kubernetes.KSV001.deny", + "Resolution": "Set 'set containers[].securityContext.allowPrivilegeEscalation' to 'false'.", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv001", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", + "https://avd.aquasec.com/misconfig/ksv001" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 58, + "EndLine": 86, + "Code": { + "Lines": [ + { + "Number": 58, + "Content": " - name: guard", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: guard", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 59, + "Content": " image: quay.io/devtron/guard:62058d7c-122-2192", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/guard:62058d7c-122-2192", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 60, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 61, + "Content": " ports:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mports\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 62, + "Content": " - name: app", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: app", + "FirstCause": false, + "LastCause": false + }, + 
{ + "Number": 63, + "Content": " containerPort: 8080", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m8080", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 64, + "Content": " protocol: TCP", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mprotocol\u001b[0m: TCP", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 65, + "Content": " args:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33margs\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 66, + "Content": " - -alsologtostderr", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - -alsologtostderr", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 67, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV003", + "AVDID": "AVD-KSV-0003", + "Title": "Default capabilities: some containers do not drop all", + "Description": "The container should drop all default capabilities and add only those that are needed for its execution.", + "Message": "Container 'guard' of Deployment 'guard' should add 'ALL' to 'securityContext.capabilities.drop'", + "Namespace": "builtin.kubernetes.KSV003", + "Query": "data.builtin.kubernetes.KSV003.deny", + "Resolution": "Add 'ALL' to containers[].securityContext.capabilities.drop.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv003", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-capabilities-drop-index-all/", + "https://avd.aquasec.com/misconfig/ksv003" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 58, + "EndLine": 86, + 
"Code": { + "Lines": [ + { + "Number": 58, + "Content": " - name: guard", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: guard", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 59, + "Content": " image: quay.io/devtron/guard:62058d7c-122-2192", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/guard:62058d7c-122-2192", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 60, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 61, + "Content": " ports:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mports\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 62, + "Content": " - name: app", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: app", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 63, + "Content": " containerPort: 8080", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m8080", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 64, + "Content": " protocol: TCP", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mprotocol\u001b[0m: TCP", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 65, + "Content": " args:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33margs\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 66, + "Content": " - -alsologtostderr", + "IsCause": true, + "Annotation": "", + "Truncated": false, 
+ "Highlighted": " - -alsologtostderr", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 67, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV011", + "AVDID": "AVD-KSV-0011", + "Title": "CPU not limited", + "Description": "Enforcing CPU limits prevents DoS via resource exhaustion.", + "Message": "Container 'guard' of Deployment 'guard' should set 'resources.limits.cpu'", + "Namespace": "builtin.kubernetes.KSV011", + "Query": "data.builtin.kubernetes.KSV011.deny", + "Resolution": "Set a limit value under 'containers[].resources.limits.cpu'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv011", + "References": [ + "https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", + "https://avd.aquasec.com/misconfig/ksv011" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 58, + "EndLine": 86, + "Code": { + "Lines": [ + { + "Number": 58, + "Content": " - name: guard", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: guard", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 59, + "Content": " image: quay.io/devtron/guard:62058d7c-122-2192", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/guard:62058d7c-122-2192", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 60, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 61, + "Content": " ports:", + "IsCause": true, + "Annotation": "", + 
"Truncated": false, + "Highlighted": " \u001b[38;5;33mports\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 62, + "Content": " - name: app", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: app", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 63, + "Content": " containerPort: 8080", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m8080", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 64, + "Content": " protocol: TCP", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mprotocol\u001b[0m: TCP", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 65, + "Content": " args:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33margs\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 66, + "Content": " - -alsologtostderr", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - -alsologtostderr", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 67, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV012", + "AVDID": "AVD-KSV-0012", + "Title": "Runs as root user", + "Description": "Force the running image to run as a non-root user to ensure least privileges.", + "Message": "Container 'guard' of Deployment 'guard' should set 'securityContext.runAsNonRoot' to true", + "Namespace": "builtin.kubernetes.KSV012", + "Query": "data.builtin.kubernetes.KSV012.deny", + "Resolution": "Set 'containers[].securityContext.runAsNonRoot' to true.", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv012", + "References": [ + 
"https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", + "https://avd.aquasec.com/misconfig/ksv012" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 58, + "EndLine": 86, + "Code": { + "Lines": [ + { + "Number": 58, + "Content": " - name: guard", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: guard", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 59, + "Content": " image: quay.io/devtron/guard:62058d7c-122-2192", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/guard:62058d7c-122-2192", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 60, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 61, + "Content": " ports:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mports\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 62, + "Content": " - name: app", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: app", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 63, + "Content": " containerPort: 8080", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m8080", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 64, + "Content": " protocol: TCP", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mprotocol\u001b[0m: TCP", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 65, + "Content": " args:", 
+ "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33margs\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 66, + "Content": " - -alsologtostderr", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - -alsologtostderr", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 67, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV014", + "AVDID": "AVD-KSV-0014", + "Title": "Root file system is not read-only", + "Description": "An immutable root file system prevents applications from writing to their local disk. This can limit intrusions, as attackers will not be able to tamper with the file system or write foreign executables to disk.", + "Message": "Container 'guard' of Deployment 'guard' should set 'securityContext.readOnlyRootFilesystem' to true", + "Namespace": "builtin.kubernetes.KSV014", + "Query": "data.builtin.kubernetes.KSV014.deny", + "Resolution": "Change 'containers[].securityContext.readOnlyRootFilesystem' to 'true'.", + "Severity": "HIGH", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv014", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-readonlyrootfilesystem-true/", + "https://avd.aquasec.com/misconfig/ksv014" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 58, + "EndLine": 86, + "Code": { + "Lines": [ + { + "Number": 58, + "Content": " - name: guard", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: guard", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 59, + "Content": " image: quay.io/devtron/guard:62058d7c-122-2192", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " 
\u001b[38;5;33mimage\u001b[0m: quay.io/devtron/guard:62058d7c-122-2192", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 60, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 61, + "Content": " ports:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mports\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 62, + "Content": " - name: app", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: app", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 63, + "Content": " containerPort: 8080", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m8080", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 64, + "Content": " protocol: TCP", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mprotocol\u001b[0m: TCP", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 65, + "Content": " args:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33margs\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 66, + "Content": " - -alsologtostderr", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - -alsologtostderr", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 67, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV015", + "AVDID": "AVD-KSV-0015", + "Title": "CPU requests not specified", + "Description": "When 
containers have resource requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", + "Message": "Container 'guard' of Deployment 'guard' should set 'resources.requests.cpu'", + "Namespace": "builtin.kubernetes.KSV015", + "Query": "data.builtin.kubernetes.KSV015.deny", + "Resolution": "Set 'containers[].resources.requests.cpu'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv015", + "References": [ + "https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", + "https://avd.aquasec.com/misconfig/ksv015" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 58, + "EndLine": 86, + "Code": { + "Lines": [ + { + "Number": 58, + "Content": " - name: guard", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: guard", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 59, + "Content": " image: quay.io/devtron/guard:62058d7c-122-2192", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/guard:62058d7c-122-2192", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 60, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 61, + "Content": " ports:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mports\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 62, + "Content": " - name: app", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: app", + "FirstCause": 
false, + "LastCause": false + }, + { + "Number": 63, + "Content": " containerPort: 8080", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m8080", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 64, + "Content": " protocol: TCP", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mprotocol\u001b[0m: TCP", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 65, + "Content": " args:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33margs\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 66, + "Content": " - -alsologtostderr", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - -alsologtostderr", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 67, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV016", + "AVDID": "AVD-KSV-0016", + "Title": "Memory requests not specified", + "Description": "When containers have memory requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", + "Message": "Container 'guard' of Deployment 'guard' should set 'resources.requests.memory'", + "Namespace": "builtin.kubernetes.KSV016", + "Query": "data.builtin.kubernetes.KSV016.deny", + "Resolution": "Set 'containers[].resources.requests.memory'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv016", + "References": [ + "https://kubesec.io/basics/containers-resources-limits-memory/", + "https://avd.aquasec.com/misconfig/ksv016" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 58, + 
"EndLine": 86, + "Code": { + "Lines": [ + { + "Number": 58, + "Content": " - name: guard", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: guard", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 59, + "Content": " image: quay.io/devtron/guard:62058d7c-122-2192", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/guard:62058d7c-122-2192", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 60, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 61, + "Content": " ports:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mports\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 62, + "Content": " - name: app", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: app", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 63, + "Content": " containerPort: 8080", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m8080", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 64, + "Content": " protocol: TCP", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mprotocol\u001b[0m: TCP", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 65, + "Content": " args:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33margs\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 66, + "Content": " - -alsologtostderr", + "IsCause": true, + "Annotation": "", + 
"Truncated": false, + "Highlighted": " - -alsologtostderr", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 67, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV018", + "AVDID": "AVD-KSV-0018", + "Title": "Memory not limited", + "Description": "Enforcing memory limits prevents DoS via resource exhaustion.", + "Message": "Container 'guard' of Deployment 'guard' should set 'resources.limits.memory'", + "Namespace": "builtin.kubernetes.KSV018", + "Query": "data.builtin.kubernetes.KSV018.deny", + "Resolution": "Set a limit value under 'containers[].resources.limits.memory'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv018", + "References": [ + "https://kubesec.io/basics/containers-resources-limits-memory/", + "https://avd.aquasec.com/misconfig/ksv018" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 58, + "EndLine": 86, + "Code": { + "Lines": [ + { + "Number": 58, + "Content": " - name: guard", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: guard", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 59, + "Content": " image: quay.io/devtron/guard:62058d7c-122-2192", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/guard:62058d7c-122-2192", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 60, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 61, + "Content": " ports:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + 
"Highlighted": " \u001b[38;5;33mports\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 62, + "Content": " - name: app", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: app", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 63, + "Content": " containerPort: 8080", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m8080", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 64, + "Content": " protocol: TCP", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mprotocol\u001b[0m: TCP", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 65, + "Content": " args:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33margs\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 66, + "Content": " - -alsologtostderr", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - -alsologtostderr", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 67, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV020", + "AVDID": "AVD-KSV-0020", + "Title": "Runs with UID \u003c= 10000", + "Description": "Force the container to run with user ID \u003e 10000 to avoid conflicts with the host’s user table.", + "Message": "Container 'guard' of Deployment 'guard' should set 'securityContext.runAsUser' \u003e 10000", + "Namespace": "builtin.kubernetes.KSV020", + "Query": "data.builtin.kubernetes.KSV020.deny", + "Resolution": "Set 'containers[].securityContext.runAsUser' to an integer \u003e 10000.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv020", + 
"References": [ + "https://kubesec.io/basics/containers-securitycontext-runasuser/", + "https://avd.aquasec.com/misconfig/ksv020" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 58, + "EndLine": 86, + "Code": { + "Lines": [ + { + "Number": 58, + "Content": " - name: guard", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: guard", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 59, + "Content": " image: quay.io/devtron/guard:62058d7c-122-2192", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/guard:62058d7c-122-2192", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 60, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 61, + "Content": " ports:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mports\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 62, + "Content": " - name: app", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: app", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 63, + "Content": " containerPort: 8080", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m8080", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 64, + "Content": " protocol: TCP", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mprotocol\u001b[0m: TCP", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 65, + "Content": " 
args:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33margs\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 66, + "Content": " - -alsologtostderr", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - -alsologtostderr", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 67, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV021", + "AVDID": "AVD-KSV-0021", + "Title": "Runs with GID \u003c= 10000", + "Description": "Force the container to run with group ID \u003e 10000 to avoid conflicts with the host’s user table.", + "Message": "Container 'guard' of Deployment 'guard' should set 'securityContext.runAsGroup' \u003e 10000", + "Namespace": "builtin.kubernetes.KSV021", + "Query": "data.builtin.kubernetes.KSV021.deny", + "Resolution": "Set 'containers[].securityContext.runAsGroup' to an integer \u003e 10000.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv021", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-runasuser/", + "https://avd.aquasec.com/misconfig/ksv021" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 58, + "EndLine": 86, + "Code": { + "Lines": [ + { + "Number": 58, + "Content": " - name: guard", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: guard", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 59, + "Content": " image: quay.io/devtron/guard:62058d7c-122-2192", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/guard:62058d7c-122-2192", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 60, + 
"Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 61, + "Content": " ports:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mports\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 62, + "Content": " - name: app", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: app", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 63, + "Content": " containerPort: 8080", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m8080", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 64, + "Content": " protocol: TCP", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mprotocol\u001b[0m: TCP", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 65, + "Content": " args:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33margs\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 66, + "Content": " - -alsologtostderr", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - -alsologtostderr", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 67, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV030", + "AVDID": "AVD-KSV-0030", + "Title": "Runtime/Default Seccomp profile not set", + "Description": "According to pod security standard 'Seccomp', the RuntimeDefault seccomp profile must be required, or allow specific additional profiles.", 
+ "Message": "Either Pod or Container should set 'securityContext.seccompProfile.type' to 'RuntimeDefault'", + "Namespace": "builtin.kubernetes.KSV030", + "Query": "data.builtin.kubernetes.KSV030.deny", + "Resolution": "Set 'spec.securityContext.seccompProfile.type', 'spec.containers[*].securityContext.seccompProfile' and 'spec.initContainers[*].securityContext.seccompProfile' to 'RuntimeDefault' or undefined.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv030", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", + "https://avd.aquasec.com/misconfig/ksv030" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 58, + "EndLine": 86, + "Code": { + "Lines": [ + { + "Number": 58, + "Content": " - name: guard", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: guard", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 59, + "Content": " image: quay.io/devtron/guard:62058d7c-122-2192", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/guard:62058d7c-122-2192", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 60, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 61, + "Content": " ports:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mports\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 62, + "Content": " - name: app", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: app", + "FirstCause": false, + "LastCause": false + }, + 
{ + "Number": 63, + "Content": " containerPort: 8080", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m8080", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 64, + "Content": " protocol: TCP", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mprotocol\u001b[0m: TCP", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 65, + "Content": " args:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33margs\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 66, + "Content": " - -alsologtostderr", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - -alsologtostderr", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 67, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV104", + "AVDID": "AVD-KSV-0104", + "Title": "Seccomp policies disabled", + "Description": "A program inside the container can bypass Seccomp protection policies.", + "Message": "container \"guard\" of deployment \"guard\" in \"default\" namespace should specify a seccomp profile", + "Namespace": "builtin.kubernetes.KSV104", + "Query": "data.builtin.kubernetes.KSV104.deny", + "Resolution": "Specify seccomp either by annotation or by seccomp profile type having allowed values as per pod security standards", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv104", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline", + "https://avd.aquasec.com/misconfig/ksv104" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 28, + "EndLine": 28, + 
"Code": { + "Lines": [ + { + "Number": 28, + "Content": "---", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "---", + "FirstCause": true, + "LastCause": true + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV106", + "AVDID": "AVD-KSV-0106", + "Title": "Container capabilities must only include NET_BIND_SERVICE", + "Description": "Containers must drop ALL capabilities, and are only permitted to add back the NET_BIND_SERVICE capability.", + "Message": "container should drop all", + "Namespace": "builtin.kubernetes.KSV106", + "Query": "data.builtin.kubernetes.KSV106.deny", + "Resolution": "Set 'spec.containers[*].securityContext.capabilities.drop' to 'ALL' and only add 'NET_BIND_SERVICE' to 'spec.containers[*].securityContext.capabilities.add'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv106", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", + "https://avd.aquasec.com/misconfig/ksv106" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 58, + "EndLine": 86, + "Code": { + "Lines": [ + { + "Number": 58, + "Content": " - name: guard", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: guard", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 59, + "Content": " image: quay.io/devtron/guard:62058d7c-122-2192", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/guard:62058d7c-122-2192", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 60, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 61, + 
"Content": " ports:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mports\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 62, + "Content": " - name: app", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: app", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 63, + "Content": " containerPort: 8080", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m8080", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 64, + "Content": " protocol: TCP", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mprotocol\u001b[0m: TCP", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 65, + "Content": " args:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33margs\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 66, + "Content": " - -alsologtostderr", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - -alsologtostderr", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 67, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + } + ] + }, + { + "Target": "manifests/yamls/hpa.yaml", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 153, + "Failures": 0, + "Exceptions": 0 + } + }, + { + "Target": "manifests/yamls/image-scanner.yaml", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 153, + "Failures": 12, + "Exceptions": 0 + }, + "Misconfigurations": [ + { + "Type": "Kubernetes Security Check", + "ID": "KSV003", + "AVDID": "AVD-KSV-0003", + "Title": "Default capabilities: some containers do not drop all", + 
"Description": "The container should drop all default capabilities and add only those that are needed for its execution.", + "Message": "Container 'image-scanner' of Deployment 'image-scanner' should add 'ALL' to 'securityContext.capabilities.drop'", + "Namespace": "builtin.kubernetes.KSV003", + "Query": "data.builtin.kubernetes.KSV003.deny", + "Resolution": "Add 'ALL' to containers[].securityContext.capabilities.drop.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv003", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-capabilities-drop-index-all/", + "https://avd.aquasec.com/misconfig/ksv003" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 75, + "EndLine": 102, + "Code": { + "Lines": [ + { + "Number": 75, + "Content": " - name: image-scanner", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: image-scanner", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 76, + "Content": " image: \"quay.io/devtron/image-scanner:bdbcef05-334-21577\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/image-scanner:bdbcef05-334-21577\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 77, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 78, + "Content": " securityContext:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33msecurityContext\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 79, + "Content": " allowPrivilegeEscalation: false", + "IsCause": true, + "Annotation": "", + 
"Truncated": false, + "Highlighted": " \u001b[38;5;33mallowPrivilegeEscalation\u001b[0m: \u001b[38;5;166mfalse", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 80, + "Content": " runAsUser: 1000", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1000", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 81, + "Content": " runAsNonRoot: true", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 82, + "Content": " ports:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mports\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 83, + "Content": " - name: app", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: app", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 84, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV011", + "AVDID": "AVD-KSV-0011", + "Title": "CPU not limited", + "Description": "Enforcing CPU limits prevents DoS via resource exhaustion.", + "Message": "Container 'image-scanner' of Deployment 'image-scanner' should set 'resources.limits.cpu'", + "Namespace": "builtin.kubernetes.KSV011", + "Query": "data.builtin.kubernetes.KSV011.deny", + "Resolution": "Set a limit value under 'containers[].resources.limits.cpu'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv011", + "References": [ + "https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", + "https://avd.aquasec.com/misconfig/ksv011" 
+ ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 75, + "EndLine": 102, + "Code": { + "Lines": [ + { + "Number": 75, + "Content": " - name: image-scanner", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: image-scanner", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 76, + "Content": " image: \"quay.io/devtron/image-scanner:bdbcef05-334-21577\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/image-scanner:bdbcef05-334-21577\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 77, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 78, + "Content": " securityContext:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33msecurityContext\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 79, + "Content": " allowPrivilegeEscalation: false", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mallowPrivilegeEscalation\u001b[0m: \u001b[38;5;166mfalse", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 80, + "Content": " runAsUser: 1000", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1000", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 81, + "Content": " runAsNonRoot: true", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue", + "FirstCause": false, + "LastCause": false + }, 
+ { + "Number": 82, + "Content": " ports:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mports\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 83, + "Content": " - name: app", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: app", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 84, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV014", + "AVDID": "AVD-KSV-0014", + "Title": "Root file system is not read-only", + "Description": "An immutable root file system prevents applications from writing to their local disk. This can limit intrusions, as attackers will not be able to tamper with the file system or write foreign executables to disk.", + "Message": "Container 'image-scanner' of Deployment 'image-scanner' should set 'securityContext.readOnlyRootFilesystem' to true", + "Namespace": "builtin.kubernetes.KSV014", + "Query": "data.builtin.kubernetes.KSV014.deny", + "Resolution": "Change 'containers[].securityContext.readOnlyRootFilesystem' to 'true'.", + "Severity": "HIGH", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv014", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-readonlyrootfilesystem-true/", + "https://avd.aquasec.com/misconfig/ksv014" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 75, + "EndLine": 102, + "Code": { + "Lines": [ + { + "Number": 75, + "Content": " - name: image-scanner", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: image-scanner", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 76, + "Content": " image: 
\"quay.io/devtron/image-scanner:bdbcef05-334-21577\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/image-scanner:bdbcef05-334-21577\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 77, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 78, + "Content": " securityContext:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33msecurityContext\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 79, + "Content": " allowPrivilegeEscalation: false", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mallowPrivilegeEscalation\u001b[0m: \u001b[38;5;166mfalse", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 80, + "Content": " runAsUser: 1000", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1000", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 81, + "Content": " runAsNonRoot: true", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 82, + "Content": " ports:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mports\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 83, + "Content": " - name: app", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: app", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 84, + 
"Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV015", + "AVDID": "AVD-KSV-0015", + "Title": "CPU requests not specified", + "Description": "When containers have resource requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", + "Message": "Container 'image-scanner' of Deployment 'image-scanner' should set 'resources.requests.cpu'", + "Namespace": "builtin.kubernetes.KSV015", + "Query": "data.builtin.kubernetes.KSV015.deny", + "Resolution": "Set 'containers[].resources.requests.cpu'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv015", + "References": [ + "https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", + "https://avd.aquasec.com/misconfig/ksv015" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 75, + "EndLine": 102, + "Code": { + "Lines": [ + { + "Number": 75, + "Content": " - name: image-scanner", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: image-scanner", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 76, + "Content": " image: \"quay.io/devtron/image-scanner:bdbcef05-334-21577\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/image-scanner:bdbcef05-334-21577\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 77, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + 
"Number": 78, + "Content": " securityContext:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33msecurityContext\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 79, + "Content": " allowPrivilegeEscalation: false", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mallowPrivilegeEscalation\u001b[0m: \u001b[38;5;166mfalse", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 80, + "Content": " runAsUser: 1000", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1000", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 81, + "Content": " runAsNonRoot: true", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 82, + "Content": " ports:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mports\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 83, + "Content": " - name: app", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: app", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 84, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV016", + "AVDID": "AVD-KSV-0016", + "Title": "Memory requests not specified", + "Description": "When containers have memory requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", + "Message": "Container 'image-scanner' of Deployment 'image-scanner' should set 
'resources.requests.memory'", + "Namespace": "builtin.kubernetes.KSV016", + "Query": "data.builtin.kubernetes.KSV016.deny", + "Resolution": "Set 'containers[].resources.requests.memory'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv016", + "References": [ + "https://kubesec.io/basics/containers-resources-limits-memory/", + "https://avd.aquasec.com/misconfig/ksv016" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 75, + "EndLine": 102, + "Code": { + "Lines": [ + { + "Number": 75, + "Content": " - name: image-scanner", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: image-scanner", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 76, + "Content": " image: \"quay.io/devtron/image-scanner:bdbcef05-334-21577\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/image-scanner:bdbcef05-334-21577\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 77, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 78, + "Content": " securityContext:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33msecurityContext\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 79, + "Content": " allowPrivilegeEscalation: false", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mallowPrivilegeEscalation\u001b[0m: \u001b[38;5;166mfalse", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 80, + "Content": " runAsUser: 1000", + "IsCause": true, + "Annotation": "", + 
"Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1000", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 81, + "Content": " runAsNonRoot: true", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 82, + "Content": " ports:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mports\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 83, + "Content": " - name: app", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: app", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 84, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV018", + "AVDID": "AVD-KSV-0018", + "Title": "Memory not limited", + "Description": "Enforcing memory limits prevents DoS via resource exhaustion.", + "Message": "Container 'image-scanner' of Deployment 'image-scanner' should set 'resources.limits.memory'", + "Namespace": "builtin.kubernetes.KSV018", + "Query": "data.builtin.kubernetes.KSV018.deny", + "Resolution": "Set a limit value under 'containers[].resources.limits.memory'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv018", + "References": [ + "https://kubesec.io/basics/containers-resources-limits-memory/", + "https://avd.aquasec.com/misconfig/ksv018" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 75, + "EndLine": 102, + "Code": { + "Lines": [ + { + "Number": 75, + "Content": " - name: image-scanner", + "IsCause": true, + "Annotation": "", + "Truncated": false, + 
"Highlighted": " - \u001b[38;5;33mname\u001b[0m: image-scanner", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 76, + "Content": " image: \"quay.io/devtron/image-scanner:bdbcef05-334-21577\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/image-scanner:bdbcef05-334-21577\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 77, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 78, + "Content": " securityContext:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33msecurityContext\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 79, + "Content": " allowPrivilegeEscalation: false", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mallowPrivilegeEscalation\u001b[0m: \u001b[38;5;166mfalse", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 80, + "Content": " runAsUser: 1000", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1000", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 81, + "Content": " runAsNonRoot: true", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 82, + "Content": " ports:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mports\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 83, + "Content": " - name: app", + "IsCause": true, + 
"Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: app", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 84, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV020", + "AVDID": "AVD-KSV-0020", + "Title": "Runs with UID \u003c= 10000", + "Description": "Force the container to run with user ID \u003e 10000 to avoid conflicts with the host’s user table.", + "Message": "Container 'image-scanner' of Deployment 'image-scanner' should set 'securityContext.runAsUser' \u003e 10000", + "Namespace": "builtin.kubernetes.KSV020", + "Query": "data.builtin.kubernetes.KSV020.deny", + "Resolution": "Set 'containers[].securityContext.runAsUser' to an integer \u003e 10000.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv020", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-runasuser/", + "https://avd.aquasec.com/misconfig/ksv020" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 75, + "EndLine": 102, + "Code": { + "Lines": [ + { + "Number": 75, + "Content": " - name: image-scanner", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: image-scanner", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 76, + "Content": " image: \"quay.io/devtron/image-scanner:bdbcef05-334-21577\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/image-scanner:bdbcef05-334-21577\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 77, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m 
\u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 78, + "Content": " securityContext:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33msecurityContext\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 79, + "Content": " allowPrivilegeEscalation: false", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mallowPrivilegeEscalation\u001b[0m: \u001b[38;5;166mfalse", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 80, + "Content": " runAsUser: 1000", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1000", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 81, + "Content": " runAsNonRoot: true", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 82, + "Content": " ports:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mports\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 83, + "Content": " - name: app", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: app", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 84, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV021", + "AVDID": "AVD-KSV-0021", + "Title": "Runs with GID \u003c= 10000", + "Description": "Force the container to run with group ID \u003e 10000 to avoid conflicts with the host’s user table.", + "Message": "Container 'image-scanner' of 
Deployment 'image-scanner' should set 'securityContext.runAsGroup' \u003e 10000", + "Namespace": "builtin.kubernetes.KSV021", + "Query": "data.builtin.kubernetes.KSV021.deny", + "Resolution": "Set 'containers[].securityContext.runAsGroup' to an integer \u003e 10000.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv021", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-runasuser/", + "https://avd.aquasec.com/misconfig/ksv021" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 75, + "EndLine": 102, + "Code": { + "Lines": [ + { + "Number": 75, + "Content": " - name: image-scanner", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: image-scanner", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 76, + "Content": " image: \"quay.io/devtron/image-scanner:bdbcef05-334-21577\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/image-scanner:bdbcef05-334-21577\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 77, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 78, + "Content": " securityContext:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33msecurityContext\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 79, + "Content": " allowPrivilegeEscalation: false", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mallowPrivilegeEscalation\u001b[0m: \u001b[38;5;166mfalse", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 80, + 
"Content": " runAsUser: 1000", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1000", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 81, + "Content": " runAsNonRoot: true", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 82, + "Content": " ports:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mports\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 83, + "Content": " - name: app", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: app", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 84, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV030", + "AVDID": "AVD-KSV-0030", + "Title": "Runtime/Default Seccomp profile not set", + "Description": "According to pod security standard 'Seccomp', the RuntimeDefault seccomp profile must be required, or allow specific additional profiles.", + "Message": "Either Pod or Container should set 'securityContext.seccompProfile.type' to 'RuntimeDefault'", + "Namespace": "builtin.kubernetes.KSV030", + "Query": "data.builtin.kubernetes.KSV030.deny", + "Resolution": "Set 'spec.securityContext.seccompProfile.type', 'spec.containers[*].securityContext.seccompProfile' and 'spec.initContainers[*].securityContext.seccompProfile' to 'RuntimeDefault' or undefined.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv030", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", + 
"https://avd.aquasec.com/misconfig/ksv030" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 75, + "EndLine": 102, + "Code": { + "Lines": [ + { + "Number": 75, + "Content": " - name: image-scanner", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: image-scanner", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 76, + "Content": " image: \"quay.io/devtron/image-scanner:bdbcef05-334-21577\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/image-scanner:bdbcef05-334-21577\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 77, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 78, + "Content": " securityContext:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33msecurityContext\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 79, + "Content": " allowPrivilegeEscalation: false", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mallowPrivilegeEscalation\u001b[0m: \u001b[38;5;166mfalse", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 80, + "Content": " runAsUser: 1000", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1000", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 81, + "Content": " runAsNonRoot: true", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue", + 
"FirstCause": false, + "LastCause": false + }, + { + "Number": 82, + "Content": " ports:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mports\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 83, + "Content": " - name: app", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: app", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 84, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "AVD-KSV-01010", + "AVDID": "AVD-KSV-01010", + "Title": "ConfigMap with sensitive content", + "Description": "Storing sensitive content such as usernames and email addresses in configMaps is unsafe", + "Message": "ConfigMap 'image-scanner-cm' in 'default' namespace stores sensitive contents in key(s) or value(s) '{\"PG_PORT\"}'", + "Namespace": "builtin.kubernetes.KSV01010", + "Query": "data.builtin.kubernetes.KSV01010.deny", + "Resolution": "Remove sensitive content from configMap data value", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/avd-ksv-01010", + "References": [ + "https://avd.aquasec.com/misconfig/avd-ksv-01010" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 9, + "EndLine": 9, + "Code": { + "Lines": [ + { + "Number": 9, + "Content": "---", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "---", + "FirstCause": true, + "LastCause": true + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV104", + "AVDID": "AVD-KSV-0104", + "Title": "Seccomp policies disabled", + "Description": "A program inside the container can bypass Seccomp protection policies.", + "Message": "container \"image-scanner\" of deployment 
\"image-scanner\" in \"default\" namespace should specify a seccomp profile", + "Namespace": "builtin.kubernetes.KSV104", + "Query": "data.builtin.kubernetes.KSV104.deny", + "Resolution": "Specify seccomp either by annotation or by seccomp profile type having allowed values as per pod security standards", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv104", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline", + "https://avd.aquasec.com/misconfig/ksv104" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 45, + "EndLine": 45, + "Code": { + "Lines": [ + { + "Number": 45, + "Content": "---", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "---", + "FirstCause": true, + "LastCause": true + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV106", + "AVDID": "AVD-KSV-0106", + "Title": "Container capabilities must only include NET_BIND_SERVICE", + "Description": "Containers must drop ALL capabilities, and are only permitted to add back the NET_BIND_SERVICE capability.", + "Message": "container should drop all", + "Namespace": "builtin.kubernetes.KSV106", + "Query": "data.builtin.kubernetes.KSV106.deny", + "Resolution": "Set 'spec.containers[*].securityContext.capabilities.drop' to 'ALL' and only add 'NET_BIND_SERVICE' to 'spec.containers[*].securityContext.capabilities.add'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv106", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", + "https://avd.aquasec.com/misconfig/ksv106" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 75, + "EndLine": 102, + "Code": { + "Lines": [ + { + "Number": 75, + "Content": " - name: image-scanner", + "IsCause": true, + "Annotation": 
"", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: image-scanner", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 76, + "Content": " image: \"quay.io/devtron/image-scanner:bdbcef05-334-21577\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/image-scanner:bdbcef05-334-21577\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 77, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 78, + "Content": " securityContext:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33msecurityContext\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 79, + "Content": " allowPrivilegeEscalation: false", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mallowPrivilegeEscalation\u001b[0m: \u001b[38;5;166mfalse", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 80, + "Content": " runAsUser: 1000", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1000", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 81, + "Content": " runAsNonRoot: true", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 82, + "Content": " ports:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mports\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 83, + "Content": " - name: app", + 
"IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: app", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 84, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + } + ] + }, + { + "Target": "manifests/yamls/kubelink.yaml", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 153, + "Failures": 11, + "Exceptions": 0 + }, + "Misconfigurations": [ + { + "Type": "Kubernetes Security Check", + "ID": "KSV003", + "AVDID": "AVD-KSV-0003", + "Title": "Default capabilities: some containers do not drop all", + "Description": "The container should drop all default capabilities and add only those that are needed for its execution.", + "Message": "Container 'kubelink' of Deployment 'kubelink' should add 'ALL' to 'securityContext.capabilities.drop'", + "Namespace": "builtin.kubernetes.KSV003", + "Query": "data.builtin.kubernetes.KSV003.deny", + "Resolution": "Add 'ALL' to containers[].securityContext.capabilities.drop.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv003", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-capabilities-drop-index-all/", + "https://avd.aquasec.com/misconfig/ksv003" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 27, + "EndLine": 48, + "Code": { + "Lines": [ + { + "Number": 27, + "Content": " - name: kubelink", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: kubelink", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 28, + "Content": " image: \"quay.io/devtron/kubelink:7c66e0fc-564-21516\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: 
\u001b[38;5;37m\"quay.io/devtron/kubelink:7c66e0fc-564-21516\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 29, + "Content": " securityContext:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33msecurityContext\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 30, + "Content": " allowPrivilegeEscalation: false", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mallowPrivilegeEscalation\u001b[0m: \u001b[38;5;166mfalse", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 31, + "Content": " runAsUser: 1000", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1000", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 32, + "Content": " runAsNonRoot: true", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 33, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 34, + "Content": " ports:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mports\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 35, + "Content": " - name: app", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: app", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 36, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes 
Security Check", + "ID": "KSV011", + "AVDID": "AVD-KSV-0011", + "Title": "CPU not limited", + "Description": "Enforcing CPU limits prevents DoS via resource exhaustion.", + "Message": "Container 'kubelink' of Deployment 'kubelink' should set 'resources.limits.cpu'", + "Namespace": "builtin.kubernetes.KSV011", + "Query": "data.builtin.kubernetes.KSV011.deny", + "Resolution": "Set a limit value under 'containers[].resources.limits.cpu'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv011", + "References": [ + "https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", + "https://avd.aquasec.com/misconfig/ksv011" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 27, + "EndLine": 48, + "Code": { + "Lines": [ + { + "Number": 27, + "Content": " - name: kubelink", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: kubelink", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 28, + "Content": " image: \"quay.io/devtron/kubelink:7c66e0fc-564-21516\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/kubelink:7c66e0fc-564-21516\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 29, + "Content": " securityContext:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33msecurityContext\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 30, + "Content": " allowPrivilegeEscalation: false", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mallowPrivilegeEscalation\u001b[0m: \u001b[38;5;166mfalse", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 31, + "Content": " runAsUser: 1000", + "IsCause": 
true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1000", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 32, + "Content": " runAsNonRoot: true", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 33, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 34, + "Content": " ports:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mports\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 35, + "Content": " - name: app", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: app", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 36, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV014", + "AVDID": "AVD-KSV-0014", + "Title": "Root file system is not read-only", + "Description": "An immutable root file system prevents applications from writing to their local disk. 
This can limit intrusions, as attackers will not be able to tamper with the file system or write foreign executables to disk.", + "Message": "Container 'kubelink' of Deployment 'kubelink' should set 'securityContext.readOnlyRootFilesystem' to true", + "Namespace": "builtin.kubernetes.KSV014", + "Query": "data.builtin.kubernetes.KSV014.deny", + "Resolution": "Change 'containers[].securityContext.readOnlyRootFilesystem' to 'true'.", + "Severity": "HIGH", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv014", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-readonlyrootfilesystem-true/", + "https://avd.aquasec.com/misconfig/ksv014" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 27, + "EndLine": 48, + "Code": { + "Lines": [ + { + "Number": 27, + "Content": " - name: kubelink", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: kubelink", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 28, + "Content": " image: \"quay.io/devtron/kubelink:7c66e0fc-564-21516\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/kubelink:7c66e0fc-564-21516\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 29, + "Content": " securityContext:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33msecurityContext\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 30, + "Content": " allowPrivilegeEscalation: false", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mallowPrivilegeEscalation\u001b[0m: \u001b[38;5;166mfalse", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 31, + "Content": " runAsUser: 1000", + "IsCause": true, + "Annotation": "", + "Truncated": 
false, + "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1000", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 32, + "Content": " runAsNonRoot: true", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 33, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 34, + "Content": " ports:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mports\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 35, + "Content": " - name: app", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: app", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 36, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV015", + "AVDID": "AVD-KSV-0015", + "Title": "CPU requests not specified", + "Description": "When containers have resource requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", + "Message": "Container 'kubelink' of Deployment 'kubelink' should set 'resources.requests.cpu'", + "Namespace": "builtin.kubernetes.KSV015", + "Query": "data.builtin.kubernetes.KSV015.deny", + "Resolution": "Set 'containers[].resources.requests.cpu'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv015", + "References": [ + 
"https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", + "https://avd.aquasec.com/misconfig/ksv015" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 27, + "EndLine": 48, + "Code": { + "Lines": [ + { + "Number": 27, + "Content": " - name: kubelink", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: kubelink", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 28, + "Content": " image: \"quay.io/devtron/kubelink:7c66e0fc-564-21516\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/kubelink:7c66e0fc-564-21516\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 29, + "Content": " securityContext:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33msecurityContext\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 30, + "Content": " allowPrivilegeEscalation: false", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mallowPrivilegeEscalation\u001b[0m: \u001b[38;5;166mfalse", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 31, + "Content": " runAsUser: 1000", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1000", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 32, + "Content": " runAsNonRoot: true", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 33, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + 
"Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 34, + "Content": " ports:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mports\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 35, + "Content": " - name: app", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: app", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 36, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV016", + "AVDID": "AVD-KSV-0016", + "Title": "Memory requests not specified", + "Description": "When containers have memory requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", + "Message": "Container 'kubelink' of Deployment 'kubelink' should set 'resources.requests.memory'", + "Namespace": "builtin.kubernetes.KSV016", + "Query": "data.builtin.kubernetes.KSV016.deny", + "Resolution": "Set 'containers[].resources.requests.memory'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv016", + "References": [ + "https://kubesec.io/basics/containers-resources-limits-memory/", + "https://avd.aquasec.com/misconfig/ksv016" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 27, + "EndLine": 48, + "Code": { + "Lines": [ + { + "Number": 27, + "Content": " - name: kubelink", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: kubelink", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 28, + "Content": " image: 
\"quay.io/devtron/kubelink:7c66e0fc-564-21516\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/kubelink:7c66e0fc-564-21516\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 29, + "Content": " securityContext:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33msecurityContext\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 30, + "Content": " allowPrivilegeEscalation: false", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mallowPrivilegeEscalation\u001b[0m: \u001b[38;5;166mfalse", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 31, + "Content": " runAsUser: 1000", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1000", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 32, + "Content": " runAsNonRoot: true", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 33, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 34, + "Content": " ports:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mports\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 35, + "Content": " - name: app", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: app", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 36, + "Content": 
"", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV018", + "AVDID": "AVD-KSV-0018", + "Title": "Memory not limited", + "Description": "Enforcing memory limits prevents DoS via resource exhaustion.", + "Message": "Container 'kubelink' of Deployment 'kubelink' should set 'resources.limits.memory'", + "Namespace": "builtin.kubernetes.KSV018", + "Query": "data.builtin.kubernetes.KSV018.deny", + "Resolution": "Set a limit value under 'containers[].resources.limits.memory'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv018", + "References": [ + "https://kubesec.io/basics/containers-resources-limits-memory/", + "https://avd.aquasec.com/misconfig/ksv018" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 27, + "EndLine": 48, + "Code": { + "Lines": [ + { + "Number": 27, + "Content": " - name: kubelink", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: kubelink", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 28, + "Content": " image: \"quay.io/devtron/kubelink:7c66e0fc-564-21516\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/kubelink:7c66e0fc-564-21516\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 29, + "Content": " securityContext:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33msecurityContext\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 30, + "Content": " allowPrivilegeEscalation: false", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mallowPrivilegeEscalation\u001b[0m: \u001b[38;5;166mfalse", + 
"FirstCause": false, + "LastCause": false + }, + { + "Number": 31, + "Content": " runAsUser: 1000", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1000", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 32, + "Content": " runAsNonRoot: true", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 33, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 34, + "Content": " ports:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mports\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 35, + "Content": " - name: app", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: app", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 36, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV020", + "AVDID": "AVD-KSV-0020", + "Title": "Runs with UID \u003c= 10000", + "Description": "Force the container to run with user ID \u003e 10000 to avoid conflicts with the host’s user table.", + "Message": "Container 'kubelink' of Deployment 'kubelink' should set 'securityContext.runAsUser' \u003e 10000", + "Namespace": "builtin.kubernetes.KSV020", + "Query": "data.builtin.kubernetes.KSV020.deny", + "Resolution": "Set 'containers[].securityContext.runAsUser' to an integer \u003e 10000.", + "Severity": "LOW", + "PrimaryURL": 
"https://avd.aquasec.com/misconfig/ksv020", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-runasuser/", + "https://avd.aquasec.com/misconfig/ksv020" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 27, + "EndLine": 48, + "Code": { + "Lines": [ + { + "Number": 27, + "Content": " - name: kubelink", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: kubelink", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 28, + "Content": " image: \"quay.io/devtron/kubelink:7c66e0fc-564-21516\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/kubelink:7c66e0fc-564-21516\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 29, + "Content": " securityContext:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33msecurityContext\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 30, + "Content": " allowPrivilegeEscalation: false", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mallowPrivilegeEscalation\u001b[0m: \u001b[38;5;166mfalse", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 31, + "Content": " runAsUser: 1000", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1000", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 32, + "Content": " runAsNonRoot: true", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 33, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + 
"Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 34, + "Content": " ports:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mports\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 35, + "Content": " - name: app", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: app", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 36, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV021", + "AVDID": "AVD-KSV-0021", + "Title": "Runs with GID \u003c= 10000", + "Description": "Force the container to run with group ID \u003e 10000 to avoid conflicts with the host’s user table.", + "Message": "Container 'kubelink' of Deployment 'kubelink' should set 'securityContext.runAsGroup' \u003e 10000", + "Namespace": "builtin.kubernetes.KSV021", + "Query": "data.builtin.kubernetes.KSV021.deny", + "Resolution": "Set 'containers[].securityContext.runAsGroup' to an integer \u003e 10000.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv021", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-runasuser/", + "https://avd.aquasec.com/misconfig/ksv021" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 27, + "EndLine": 48, + "Code": { + "Lines": [ + { + "Number": 27, + "Content": " - name: kubelink", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: kubelink", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 28, + "Content": " image: 
\"quay.io/devtron/kubelink:7c66e0fc-564-21516\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/kubelink:7c66e0fc-564-21516\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 29, + "Content": " securityContext:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33msecurityContext\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 30, + "Content": " allowPrivilegeEscalation: false", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mallowPrivilegeEscalation\u001b[0m: \u001b[38;5;166mfalse", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 31, + "Content": " runAsUser: 1000", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1000", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 32, + "Content": " runAsNonRoot: true", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 33, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 34, + "Content": " ports:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mports\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 35, + "Content": " - name: app", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: app", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 36, + "Content": 
"", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV030", + "AVDID": "AVD-KSV-0030", + "Title": "Runtime/Default Seccomp profile not set", + "Description": "According to pod security standard 'Seccomp', the RuntimeDefault seccomp profile must be required, or allow specific additional profiles.", + "Message": "Either Pod or Container should set 'securityContext.seccompProfile.type' to 'RuntimeDefault'", + "Namespace": "builtin.kubernetes.KSV030", + "Query": "data.builtin.kubernetes.KSV030.deny", + "Resolution": "Set 'spec.securityContext.seccompProfile.type', 'spec.containers[*].securityContext.seccompProfile' and 'spec.initContainers[*].securityContext.seccompProfile' to 'RuntimeDefault' or undefined.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv030", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", + "https://avd.aquasec.com/misconfig/ksv030" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 27, + "EndLine": 48, + "Code": { + "Lines": [ + { + "Number": 27, + "Content": " - name: kubelink", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: kubelink", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 28, + "Content": " image: \"quay.io/devtron/kubelink:7c66e0fc-564-21516\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/kubelink:7c66e0fc-564-21516\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 29, + "Content": " securityContext:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33msecurityContext\u001b[0m:", + "FirstCause": false, 
+ "LastCause": false + }, + { + "Number": 30, + "Content": " allowPrivilegeEscalation: false", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mallowPrivilegeEscalation\u001b[0m: \u001b[38;5;166mfalse", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 31, + "Content": " runAsUser: 1000", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1000", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 32, + "Content": " runAsNonRoot: true", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 33, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 34, + "Content": " ports:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mports\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 35, + "Content": " - name: app", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: app", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 36, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV104", + "AVDID": "AVD-KSV-0104", + "Title": "Seccomp policies disabled", + "Description": "A program inside the container can bypass Seccomp protection policies.", + "Message": "container \"kubelink\" of deployment \"kubelink\" in \"default\" namespace should specify a seccomp profile", + 
"Namespace": "builtin.kubernetes.KSV104", + "Query": "data.builtin.kubernetes.KSV104.deny", + "Resolution": "Specify seccomp either by annotation or by seccomp profile type having allowed values as per pod security standards", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv104", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline", + "https://avd.aquasec.com/misconfig/ksv104" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "Code": { + "Lines": null + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV106", + "AVDID": "AVD-KSV-0106", + "Title": "Container capabilities must only include NET_BIND_SERVICE", + "Description": "Containers must drop ALL capabilities, and are only permitted to add back the NET_BIND_SERVICE capability.", + "Message": "container should drop all", + "Namespace": "builtin.kubernetes.KSV106", + "Query": "data.builtin.kubernetes.KSV106.deny", + "Resolution": "Set 'spec.containers[*].securityContext.capabilities.drop' to 'ALL' and only add 'NET_BIND_SERVICE' to 'spec.containers[*].securityContext.capabilities.add'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv106", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", + "https://avd.aquasec.com/misconfig/ksv106" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 27, + "EndLine": 48, + "Code": { + "Lines": [ + { + "Number": 27, + "Content": " - name: kubelink", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: kubelink", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 28, + "Content": " image: \"quay.io/devtron/kubelink:7c66e0fc-564-21516\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + 
"Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/kubelink:7c66e0fc-564-21516\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 29, + "Content": " securityContext:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33msecurityContext\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 30, + "Content": " allowPrivilegeEscalation: false", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mallowPrivilegeEscalation\u001b[0m: \u001b[38;5;166mfalse", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 31, + "Content": " runAsUser: 1000", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1000", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 32, + "Content": " runAsNonRoot: true", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 33, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 34, + "Content": " ports:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mports\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 35, + "Content": " - name: app", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: app", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 36, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } 
+ ] + } + } + } + ] + }, + { + "Target": "manifests/yamls/kubewatch.yaml", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 153, + "Failures": 11, + "Exceptions": 0 + }, + "Misconfigurations": [ + { + "Type": "Kubernetes Security Check", + "ID": "KSV003", + "AVDID": "AVD-KSV-0003", + "Title": "Default capabilities: some containers do not drop all", + "Description": "The container should drop all default capabilities and add only those that are needed for its execution.", + "Message": "Container 'kubewatch' of Deployment 'kubewatch' should add 'ALL' to 'securityContext.capabilities.drop'", + "Namespace": "builtin.kubernetes.KSV003", + "Query": "data.builtin.kubernetes.KSV003.deny", + "Resolution": "Add 'ALL' to containers[].securityContext.capabilities.drop.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv003", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-capabilities-drop-index-all/", + "https://avd.aquasec.com/misconfig/ksv003" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 166, + "EndLine": 187, + "Code": { + "Lines": [ + { + "Number": 166, + "Content": " - name: kubewatch", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: kubewatch", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 167, + "Content": " image: \"quay.io/devtron/kubewatch:91c2cece-419-21178\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/kubewatch:91c2cece-419-21178\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 168, + "Content": " securityContext:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33msecurityContext\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + 
"Number": 169, + "Content": " allowPrivilegeEscalation: false", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mallowPrivilegeEscalation\u001b[0m: \u001b[38;5;166mfalse", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 170, + "Content": " runAsUser: 1000", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1000", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 171, + "Content": " runAsNonRoot: true", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 172, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 173, + "Content": " - name: devtroncd_NAMESPACE", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: devtroncd_NAMESPACE", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 174, + "Content": " value: \"devtron-ci\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: \u001b[38;5;37m\"devtron-ci\"", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 175, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV011", + "AVDID": "AVD-KSV-0011", + "Title": "CPU not limited", + "Description": "Enforcing CPU limits prevents DoS via resource exhaustion.", + "Message": "Container 'kubewatch' of Deployment 'kubewatch' should set 'resources.limits.cpu'", + "Namespace": "builtin.kubernetes.KSV011", + "Query": 
"data.builtin.kubernetes.KSV011.deny", + "Resolution": "Set a limit value under 'containers[].resources.limits.cpu'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv011", + "References": [ + "https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", + "https://avd.aquasec.com/misconfig/ksv011" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 166, + "EndLine": 187, + "Code": { + "Lines": [ + { + "Number": 166, + "Content": " - name: kubewatch", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: kubewatch", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 167, + "Content": " image: \"quay.io/devtron/kubewatch:91c2cece-419-21178\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/kubewatch:91c2cece-419-21178\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 168, + "Content": " securityContext:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33msecurityContext\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 169, + "Content": " allowPrivilegeEscalation: false", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mallowPrivilegeEscalation\u001b[0m: \u001b[38;5;166mfalse", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 170, + "Content": " runAsUser: 1000", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1000", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 171, + "Content": " runAsNonRoot: true", + "IsCause": true, + "Annotation": "", + "Truncated": false, + 
"Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 172, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 173, + "Content": " - name: devtroncd_NAMESPACE", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: devtroncd_NAMESPACE", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 174, + "Content": " value: \"devtron-ci\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: \u001b[38;5;37m\"devtron-ci\"", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 175, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV014", + "AVDID": "AVD-KSV-0014", + "Title": "Root file system is not read-only", + "Description": "An immutable root file system prevents applications from writing to their local disk. 
This can limit intrusions, as attackers will not be able to tamper with the file system or write foreign executables to disk.", + "Message": "Container 'kubewatch' of Deployment 'kubewatch' should set 'securityContext.readOnlyRootFilesystem' to true", + "Namespace": "builtin.kubernetes.KSV014", + "Query": "data.builtin.kubernetes.KSV014.deny", + "Resolution": "Change 'containers[].securityContext.readOnlyRootFilesystem' to 'true'.", + "Severity": "HIGH", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv014", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-readonlyrootfilesystem-true/", + "https://avd.aquasec.com/misconfig/ksv014" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 166, + "EndLine": 187, + "Code": { + "Lines": [ + { + "Number": 166, + "Content": " - name: kubewatch", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: kubewatch", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 167, + "Content": " image: \"quay.io/devtron/kubewatch:91c2cece-419-21178\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/kubewatch:91c2cece-419-21178\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 168, + "Content": " securityContext:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33msecurityContext\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 169, + "Content": " allowPrivilegeEscalation: false", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mallowPrivilegeEscalation\u001b[0m: \u001b[38;5;166mfalse", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 170, + "Content": " runAsUser: 1000", + "IsCause": true, + "Annotation": "", + 
"Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1000", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 171, + "Content": " runAsNonRoot: true", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 172, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 173, + "Content": " - name: devtroncd_NAMESPACE", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: devtroncd_NAMESPACE", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 174, + "Content": " value: \"devtron-ci\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: \u001b[38;5;37m\"devtron-ci\"", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 175, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV015", + "AVDID": "AVD-KSV-0015", + "Title": "CPU requests not specified", + "Description": "When containers have resource requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", + "Message": "Container 'kubewatch' of Deployment 'kubewatch' should set 'resources.requests.cpu'", + "Namespace": "builtin.kubernetes.KSV015", + "Query": "data.builtin.kubernetes.KSV015.deny", + "Resolution": "Set 'containers[].resources.requests.cpu'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv015", + "References": [ + 
"https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", + "https://avd.aquasec.com/misconfig/ksv015" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 166, + "EndLine": 187, + "Code": { + "Lines": [ + { + "Number": 166, + "Content": " - name: kubewatch", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: kubewatch", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 167, + "Content": " image: \"quay.io/devtron/kubewatch:91c2cece-419-21178\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/kubewatch:91c2cece-419-21178\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 168, + "Content": " securityContext:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33msecurityContext\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 169, + "Content": " allowPrivilegeEscalation: false", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mallowPrivilegeEscalation\u001b[0m: \u001b[38;5;166mfalse", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 170, + "Content": " runAsUser: 1000", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1000", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 171, + "Content": " runAsNonRoot: true", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 172, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": 
false, + "Highlighted": "\u001b[0m \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 173, + "Content": " - name: devtroncd_NAMESPACE", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: devtroncd_NAMESPACE", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 174, + "Content": " value: \"devtron-ci\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: \u001b[38;5;37m\"devtron-ci\"", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 175, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV016", + "AVDID": "AVD-KSV-0016", + "Title": "Memory requests not specified", + "Description": "When containers have memory requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", + "Message": "Container 'kubewatch' of Deployment 'kubewatch' should set 'resources.requests.memory'", + "Namespace": "builtin.kubernetes.KSV016", + "Query": "data.builtin.kubernetes.KSV016.deny", + "Resolution": "Set 'containers[].resources.requests.memory'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv016", + "References": [ + "https://kubesec.io/basics/containers-resources-limits-memory/", + "https://avd.aquasec.com/misconfig/ksv016" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 166, + "EndLine": 187, + "Code": { + "Lines": [ + { + "Number": 166, + "Content": " - name: kubewatch", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: kubewatch", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 167, + 
"Content": " image: \"quay.io/devtron/kubewatch:91c2cece-419-21178\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/kubewatch:91c2cece-419-21178\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 168, + "Content": " securityContext:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33msecurityContext\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 169, + "Content": " allowPrivilegeEscalation: false", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mallowPrivilegeEscalation\u001b[0m: \u001b[38;5;166mfalse", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 170, + "Content": " runAsUser: 1000", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1000", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 171, + "Content": " runAsNonRoot: true", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 172, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 173, + "Content": " - name: devtroncd_NAMESPACE", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: devtroncd_NAMESPACE", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 174, + "Content": " value: \"devtron-ci\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: \u001b[38;5;37m\"devtron-ci\"", + "FirstCause": false, + 
"LastCause": true + }, + { + "Number": 175, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV018", + "AVDID": "AVD-KSV-0018", + "Title": "Memory not limited", + "Description": "Enforcing memory limits prevents DoS via resource exhaustion.", + "Message": "Container 'kubewatch' of Deployment 'kubewatch' should set 'resources.limits.memory'", + "Namespace": "builtin.kubernetes.KSV018", + "Query": "data.builtin.kubernetes.KSV018.deny", + "Resolution": "Set a limit value under 'containers[].resources.limits.memory'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv018", + "References": [ + "https://kubesec.io/basics/containers-resources-limits-memory/", + "https://avd.aquasec.com/misconfig/ksv018" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 166, + "EndLine": 187, + "Code": { + "Lines": [ + { + "Number": 166, + "Content": " - name: kubewatch", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: kubewatch", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 167, + "Content": " image: \"quay.io/devtron/kubewatch:91c2cece-419-21178\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/kubewatch:91c2cece-419-21178\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 168, + "Content": " securityContext:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33msecurityContext\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 169, + "Content": " allowPrivilegeEscalation: false", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " 
\u001b[38;5;33mallowPrivilegeEscalation\u001b[0m: \u001b[38;5;166mfalse", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 170, + "Content": " runAsUser: 1000", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1000", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 171, + "Content": " runAsNonRoot: true", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 172, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 173, + "Content": " - name: devtroncd_NAMESPACE", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: devtroncd_NAMESPACE", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 174, + "Content": " value: \"devtron-ci\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: \u001b[38;5;37m\"devtron-ci\"", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 175, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV020", + "AVDID": "AVD-KSV-0020", + "Title": "Runs with UID \u003c= 10000", + "Description": "Force the container to run with user ID \u003e 10000 to avoid conflicts with the host’s user table.", + "Message": "Container 'kubewatch' of Deployment 'kubewatch' should set 'securityContext.runAsUser' \u003e 10000", + "Namespace": "builtin.kubernetes.KSV020", + "Query": "data.builtin.kubernetes.KSV020.deny", + "Resolution": "Set 
'containers[].securityContext.runAsUser' to an integer \u003e 10000.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv020", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-runasuser/", + "https://avd.aquasec.com/misconfig/ksv020" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 166, + "EndLine": 187, + "Code": { + "Lines": [ + { + "Number": 166, + "Content": " - name: kubewatch", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: kubewatch", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 167, + "Content": " image: \"quay.io/devtron/kubewatch:91c2cece-419-21178\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/kubewatch:91c2cece-419-21178\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 168, + "Content": " securityContext:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33msecurityContext\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 169, + "Content": " allowPrivilegeEscalation: false", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mallowPrivilegeEscalation\u001b[0m: \u001b[38;5;166mfalse", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 170, + "Content": " runAsUser: 1000", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1000", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 171, + "Content": " runAsNonRoot: true", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue", + "FirstCause": false, + 
"LastCause": false + }, + { + "Number": 172, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 173, + "Content": " - name: devtroncd_NAMESPACE", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: devtroncd_NAMESPACE", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 174, + "Content": " value: \"devtron-ci\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: \u001b[38;5;37m\"devtron-ci\"", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 175, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV021", + "AVDID": "AVD-KSV-0021", + "Title": "Runs with GID \u003c= 10000", + "Description": "Force the container to run with group ID \u003e 10000 to avoid conflicts with the host’s user table.", + "Message": "Container 'kubewatch' of Deployment 'kubewatch' should set 'securityContext.runAsGroup' \u003e 10000", + "Namespace": "builtin.kubernetes.KSV021", + "Query": "data.builtin.kubernetes.KSV021.deny", + "Resolution": "Set 'containers[].securityContext.runAsGroup' to an integer \u003e 10000.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv021", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-runasuser/", + "https://avd.aquasec.com/misconfig/ksv021" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 166, + "EndLine": 187, + "Code": { + "Lines": [ + { + "Number": 166, + "Content": " - name: kubewatch", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - 
\u001b[38;5;33mname\u001b[0m: kubewatch", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 167, + "Content": " image: \"quay.io/devtron/kubewatch:91c2cece-419-21178\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/kubewatch:91c2cece-419-21178\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 168, + "Content": " securityContext:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33msecurityContext\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 169, + "Content": " allowPrivilegeEscalation: false", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mallowPrivilegeEscalation\u001b[0m: \u001b[38;5;166mfalse", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 170, + "Content": " runAsUser: 1000", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1000", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 171, + "Content": " runAsNonRoot: true", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 172, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 173, + "Content": " - name: devtroncd_NAMESPACE", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: devtroncd_NAMESPACE", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 174, + "Content": " value: \"devtron-ci\"", + "IsCause": true, + "Annotation": "", + "Truncated": 
false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: \u001b[38;5;37m\"devtron-ci\"", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 175, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV030", + "AVDID": "AVD-KSV-0030", + "Title": "Runtime/Default Seccomp profile not set", + "Description": "According to pod security standard 'Seccomp', the RuntimeDefault seccomp profile must be required, or allow specific additional profiles.", + "Message": "Either Pod or Container should set 'securityContext.seccompProfile.type' to 'RuntimeDefault'", + "Namespace": "builtin.kubernetes.KSV030", + "Query": "data.builtin.kubernetes.KSV030.deny", + "Resolution": "Set 'spec.securityContext.seccompProfile.type', 'spec.containers[*].securityContext.seccompProfile' and 'spec.initContainers[*].securityContext.seccompProfile' to 'RuntimeDefault' or undefined.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv030", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", + "https://avd.aquasec.com/misconfig/ksv030" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 166, + "EndLine": 187, + "Code": { + "Lines": [ + { + "Number": 166, + "Content": " - name: kubewatch", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: kubewatch", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 167, + "Content": " image: \"quay.io/devtron/kubewatch:91c2cece-419-21178\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/kubewatch:91c2cece-419-21178\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 168, + 
"Content": " securityContext:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33msecurityContext\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 169, + "Content": " allowPrivilegeEscalation: false", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mallowPrivilegeEscalation\u001b[0m: \u001b[38;5;166mfalse", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 170, + "Content": " runAsUser: 1000", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1000", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 171, + "Content": " runAsNonRoot: true", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 172, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 173, + "Content": " - name: devtroncd_NAMESPACE", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: devtroncd_NAMESPACE", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 174, + "Content": " value: \"devtron-ci\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: \u001b[38;5;37m\"devtron-ci\"", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 175, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV104", + "AVDID": "AVD-KSV-0104", + "Title": "Seccomp policies disabled", + 
"Description": "A program inside the container can bypass Seccomp protection policies.", + "Message": "container \"kubewatch\" of deployment \"kubewatch\" in \"devtroncd\" namespace should specify a seccomp profile", + "Namespace": "builtin.kubernetes.KSV104", + "Query": "data.builtin.kubernetes.KSV104.deny", + "Resolution": "Specify seccomp either by annotation or by seccomp profile type having allowed values as per pod security standards", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv104", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline", + "https://avd.aquasec.com/misconfig/ksv104" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 134, + "EndLine": 134, + "Code": { + "Lines": [ + { + "Number": 134, + "Content": "---", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "---", + "FirstCause": true, + "LastCause": true + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV106", + "AVDID": "AVD-KSV-0106", + "Title": "Container capabilities must only include NET_BIND_SERVICE", + "Description": "Containers must drop ALL capabilities, and are only permitted to add back the NET_BIND_SERVICE capability.", + "Message": "container should drop all", + "Namespace": "builtin.kubernetes.KSV106", + "Query": "data.builtin.kubernetes.KSV106.deny", + "Resolution": "Set 'spec.containers[*].securityContext.capabilities.drop' to 'ALL' and only add 'NET_BIND_SERVICE' to 'spec.containers[*].securityContext.capabilities.add'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv106", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", + "https://avd.aquasec.com/misconfig/ksv106" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 
166, + "EndLine": 187, + "Code": { + "Lines": [ + { + "Number": 166, + "Content": " - name: kubewatch", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: kubewatch", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 167, + "Content": " image: \"quay.io/devtron/kubewatch:91c2cece-419-21178\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/kubewatch:91c2cece-419-21178\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 168, + "Content": " securityContext:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33msecurityContext\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 169, + "Content": " allowPrivilegeEscalation: false", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mallowPrivilegeEscalation\u001b[0m: \u001b[38;5;166mfalse", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 170, + "Content": " runAsUser: 1000", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1000", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 171, + "Content": " runAsNonRoot: true", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 172, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 173, + "Content": " - name: devtroncd_NAMESPACE", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: 
devtroncd_NAMESPACE", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 174, + "Content": " value: \"devtron-ci\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: \u001b[38;5;37m\"devtron-ci\"", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 175, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + } + ] + }, + { + "Target": "manifests/yamls/lens.yaml", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 153, + "Failures": 12, + "Exceptions": 0 + }, + "Misconfigurations": [ + { + "Type": "Kubernetes Security Check", + "ID": "KSV003", + "AVDID": "AVD-KSV-0003", + "Title": "Default capabilities: some containers do not drop all", + "Description": "The container should drop all default capabilities and add only those that are needed for its execution.", + "Message": "Container 'lens' of Deployment 'lens' should add 'ALL' to 'securityContext.capabilities.drop'", + "Namespace": "builtin.kubernetes.KSV003", + "Query": "data.builtin.kubernetes.KSV003.deny", + "Resolution": "Add 'ALL' to containers[].securityContext.capabilities.drop.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv003", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-capabilities-drop-index-all/", + "https://avd.aquasec.com/misconfig/ksv003" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 73, + "EndLine": 98, + "Code": { + "Lines": [ + { + "Number": 73, + "Content": " - name: lens", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: lens", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 74, + "Content": " image: \"quay.io/devtron/lens:70577aaa-333-21179\"", + "IsCause": true, + 
"Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/lens:70577aaa-333-21179\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 75, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 76, + "Content": " securityContext:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33msecurityContext\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 77, + "Content": " allowPrivilegeEscalation: false", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mallowPrivilegeEscalation\u001b[0m: \u001b[38;5;166mfalse", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 78, + "Content": " runAsUser: 1000", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1000", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 79, + "Content": " runAsNonRoot: true", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 80, + "Content": " ports:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mports\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 81, + "Content": " - name: app", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: app", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 82, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + 
"FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV011", + "AVDID": "AVD-KSV-0011", + "Title": "CPU not limited", + "Description": "Enforcing CPU limits prevents DoS via resource exhaustion.", + "Message": "Container 'lens' of Deployment 'lens' should set 'resources.limits.cpu'", + "Namespace": "builtin.kubernetes.KSV011", + "Query": "data.builtin.kubernetes.KSV011.deny", + "Resolution": "Set a limit value under 'containers[].resources.limits.cpu'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv011", + "References": [ + "https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", + "https://avd.aquasec.com/misconfig/ksv011" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 73, + "EndLine": 98, + "Code": { + "Lines": [ + { + "Number": 73, + "Content": " - name: lens", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: lens", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 74, + "Content": " image: \"quay.io/devtron/lens:70577aaa-333-21179\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/lens:70577aaa-333-21179\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 75, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 76, + "Content": " securityContext:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33msecurityContext\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 77, + 
"Content": " allowPrivilegeEscalation: false", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mallowPrivilegeEscalation\u001b[0m: \u001b[38;5;166mfalse", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 78, + "Content": " runAsUser: 1000", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1000", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 79, + "Content": " runAsNonRoot: true", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 80, + "Content": " ports:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mports\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 81, + "Content": " - name: app", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: app", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 82, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV014", + "AVDID": "AVD-KSV-0014", + "Title": "Root file system is not read-only", + "Description": "An immutable root file system prevents applications from writing to their local disk. 
This can limit intrusions, as attackers will not be able to tamper with the file system or write foreign executables to disk.", + "Message": "Container 'lens' of Deployment 'lens' should set 'securityContext.readOnlyRootFilesystem' to true", + "Namespace": "builtin.kubernetes.KSV014", + "Query": "data.builtin.kubernetes.KSV014.deny", + "Resolution": "Change 'containers[].securityContext.readOnlyRootFilesystem' to 'true'.", + "Severity": "HIGH", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv014", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-readonlyrootfilesystem-true/", + "https://avd.aquasec.com/misconfig/ksv014" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 73, + "EndLine": 98, + "Code": { + "Lines": [ + { + "Number": 73, + "Content": " - name: lens", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: lens", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 74, + "Content": " image: \"quay.io/devtron/lens:70577aaa-333-21179\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/lens:70577aaa-333-21179\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 75, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 76, + "Content": " securityContext:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33msecurityContext\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 77, + "Content": " allowPrivilegeEscalation: false", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " 
\u001b[38;5;33mallowPrivilegeEscalation\u001b[0m: \u001b[38;5;166mfalse", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 78, + "Content": " runAsUser: 1000", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1000", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 79, + "Content": " runAsNonRoot: true", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 80, + "Content": " ports:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mports\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 81, + "Content": " - name: app", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: app", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 82, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV015", + "AVDID": "AVD-KSV-0015", + "Title": "CPU requests not specified", + "Description": "When containers have resource requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", + "Message": "Container 'lens' of Deployment 'lens' should set 'resources.requests.cpu'", + "Namespace": "builtin.kubernetes.KSV015", + "Query": "data.builtin.kubernetes.KSV015.deny", + "Resolution": "Set 'containers[].resources.requests.cpu'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv015", + "References": [ + 
"https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", + "https://avd.aquasec.com/misconfig/ksv015" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 73, + "EndLine": 98, + "Code": { + "Lines": [ + { + "Number": 73, + "Content": " - name: lens", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: lens", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 74, + "Content": " image: \"quay.io/devtron/lens:70577aaa-333-21179\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/lens:70577aaa-333-21179\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 75, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 76, + "Content": " securityContext:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33msecurityContext\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 77, + "Content": " allowPrivilegeEscalation: false", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mallowPrivilegeEscalation\u001b[0m: \u001b[38;5;166mfalse", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 78, + "Content": " runAsUser: 1000", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1000", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 79, + "Content": " runAsNonRoot: true", + "IsCause": true, + "Annotation": "", + "Truncated": false, + 
"Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 80, + "Content": " ports:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mports\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 81, + "Content": " - name: app", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: app", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 82, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV016", + "AVDID": "AVD-KSV-0016", + "Title": "Memory requests not specified", + "Description": "When containers have memory requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", + "Message": "Container 'lens' of Deployment 'lens' should set 'resources.requests.memory'", + "Namespace": "builtin.kubernetes.KSV016", + "Query": "data.builtin.kubernetes.KSV016.deny", + "Resolution": "Set 'containers[].resources.requests.memory'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv016", + "References": [ + "https://kubesec.io/basics/containers-resources-limits-memory/", + "https://avd.aquasec.com/misconfig/ksv016" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 73, + "EndLine": 98, + "Code": { + "Lines": [ + { + "Number": 73, + "Content": " - name: lens", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: lens", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 74, + "Content": " image: \"quay.io/devtron/lens:70577aaa-333-21179\"", + 
"IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/lens:70577aaa-333-21179\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 75, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 76, + "Content": " securityContext:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33msecurityContext\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 77, + "Content": " allowPrivilegeEscalation: false", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mallowPrivilegeEscalation\u001b[0m: \u001b[38;5;166mfalse", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 78, + "Content": " runAsUser: 1000", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1000", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 79, + "Content": " runAsNonRoot: true", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 80, + "Content": " ports:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mports\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 81, + "Content": " - name: app", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: app", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 82, + "Content": "", + "IsCause": false, + "Annotation": "", + 
"Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV018", + "AVDID": "AVD-KSV-0018", + "Title": "Memory not limited", + "Description": "Enforcing memory limits prevents DoS via resource exhaustion.", + "Message": "Container 'lens' of Deployment 'lens' should set 'resources.limits.memory'", + "Namespace": "builtin.kubernetes.KSV018", + "Query": "data.builtin.kubernetes.KSV018.deny", + "Resolution": "Set a limit value under 'containers[].resources.limits.memory'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv018", + "References": [ + "https://kubesec.io/basics/containers-resources-limits-memory/", + "https://avd.aquasec.com/misconfig/ksv018" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 73, + "EndLine": 98, + "Code": { + "Lines": [ + { + "Number": 73, + "Content": " - name: lens", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: lens", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 74, + "Content": " image: \"quay.io/devtron/lens:70577aaa-333-21179\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/lens:70577aaa-333-21179\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 75, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 76, + "Content": " securityContext:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33msecurityContext\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 77, + "Content": " 
allowPrivilegeEscalation: false", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mallowPrivilegeEscalation\u001b[0m: \u001b[38;5;166mfalse", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 78, + "Content": " runAsUser: 1000", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1000", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 79, + "Content": " runAsNonRoot: true", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 80, + "Content": " ports:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mports\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 81, + "Content": " - name: app", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: app", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 82, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV020", + "AVDID": "AVD-KSV-0020", + "Title": "Runs with UID \u003c= 10000", + "Description": "Force the container to run with user ID \u003e 10000 to avoid conflicts with the host’s user table.", + "Message": "Container 'lens' of Deployment 'lens' should set 'securityContext.runAsUser' \u003e 10000", + "Namespace": "builtin.kubernetes.KSV020", + "Query": "data.builtin.kubernetes.KSV020.deny", + "Resolution": "Set 'containers[].securityContext.runAsUser' to an integer \u003e 10000.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv020", + "References": [ + 
"https://kubesec.io/basics/containers-securitycontext-runasuser/", + "https://avd.aquasec.com/misconfig/ksv020" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 73, + "EndLine": 98, + "Code": { + "Lines": [ + { + "Number": 73, + "Content": " - name: lens", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: lens", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 74, + "Content": " image: \"quay.io/devtron/lens:70577aaa-333-21179\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/lens:70577aaa-333-21179\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 75, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 76, + "Content": " securityContext:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33msecurityContext\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 77, + "Content": " allowPrivilegeEscalation: false", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mallowPrivilegeEscalation\u001b[0m: \u001b[38;5;166mfalse", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 78, + "Content": " runAsUser: 1000", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1000", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 79, + "Content": " runAsNonRoot: true", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m 
\u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 80, + "Content": " ports:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mports\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 81, + "Content": " - name: app", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: app", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 82, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV021", + "AVDID": "AVD-KSV-0021", + "Title": "Runs with GID \u003c= 10000", + "Description": "Force the container to run with group ID \u003e 10000 to avoid conflicts with the host’s user table.", + "Message": "Container 'lens' of Deployment 'lens' should set 'securityContext.runAsGroup' \u003e 10000", + "Namespace": "builtin.kubernetes.KSV021", + "Query": "data.builtin.kubernetes.KSV021.deny", + "Resolution": "Set 'containers[].securityContext.runAsGroup' to an integer \u003e 10000.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv021", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-runasuser/", + "https://avd.aquasec.com/misconfig/ksv021" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 73, + "EndLine": 98, + "Code": { + "Lines": [ + { + "Number": 73, + "Content": " - name: lens", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: lens", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 74, + "Content": " image: \"quay.io/devtron/lens:70577aaa-333-21179\"", + "IsCause": true, + "Annotation": "", + "Truncated": 
false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/lens:70577aaa-333-21179\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 75, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 76, + "Content": " securityContext:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33msecurityContext\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 77, + "Content": " allowPrivilegeEscalation: false", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mallowPrivilegeEscalation\u001b[0m: \u001b[38;5;166mfalse", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 78, + "Content": " runAsUser: 1000", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1000", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 79, + "Content": " runAsNonRoot: true", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 80, + "Content": " ports:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mports\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 81, + "Content": " - name: app", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: app", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 82, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": 
false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV030", + "AVDID": "AVD-KSV-0030", + "Title": "Runtime/Default Seccomp profile not set", + "Description": "According to pod security standard 'Seccomp', the RuntimeDefault seccomp profile must be required, or allow specific additional profiles.", + "Message": "Either Pod or Container should set 'securityContext.seccompProfile.type' to 'RuntimeDefault'", + "Namespace": "builtin.kubernetes.KSV030", + "Query": "data.builtin.kubernetes.KSV030.deny", + "Resolution": "Set 'spec.securityContext.seccompProfile.type', 'spec.containers[*].securityContext.seccompProfile' and 'spec.initContainers[*].securityContext.seccompProfile' to 'RuntimeDefault' or undefined.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv030", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", + "https://avd.aquasec.com/misconfig/ksv030" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 73, + "EndLine": 98, + "Code": { + "Lines": [ + { + "Number": 73, + "Content": " - name: lens", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: lens", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 74, + "Content": " image: \"quay.io/devtron/lens:70577aaa-333-21179\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/lens:70577aaa-333-21179\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 75, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 76, + "Content": " securityContext:", + "IsCause": 
true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33msecurityContext\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 77, + "Content": " allowPrivilegeEscalation: false", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mallowPrivilegeEscalation\u001b[0m: \u001b[38;5;166mfalse", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 78, + "Content": " runAsUser: 1000", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1000", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 79, + "Content": " runAsNonRoot: true", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 80, + "Content": " ports:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mports\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 81, + "Content": " - name: app", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: app", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 82, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "AVD-KSV-01010", + "AVDID": "AVD-KSV-01010", + "Title": "ConfigMap with sensitive content", + "Description": "Storing sensitive content such as usernames and email addresses in configMaps is unsafe", + "Message": "ConfigMap 'lens-cm' in 'default' namespace stores sensitive contents in key(s) or value(s) '{\"GIT_SENSOR_PROTOCOL\", \"PG_PORT\"}'", + "Namespace": "builtin.kubernetes.KSV01010", + "Query": 
"data.builtin.kubernetes.KSV01010.deny", + "Resolution": "Remove sensitive content from configMap data value", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/avd-ksv-01010", + "References": [ + "https://avd.aquasec.com/misconfig/avd-ksv-01010" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 8, + "EndLine": 8, + "Code": { + "Lines": [ + { + "Number": 8, + "Content": "---", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "---", + "FirstCause": true, + "LastCause": true + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV104", + "AVDID": "AVD-KSV-0104", + "Title": "Seccomp policies disabled", + "Description": "A program inside the container can bypass Seccomp protection policies.", + "Message": "container \"lens\" of deployment \"lens\" in \"default\" namespace should specify a seccomp profile", + "Namespace": "builtin.kubernetes.KSV104", + "Query": "data.builtin.kubernetes.KSV104.deny", + "Resolution": "Specify seccomp either by annotation or by seccomp profile type having allowed values as per pod security standards", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv104", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline", + "https://avd.aquasec.com/misconfig/ksv104" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 43, + "EndLine": 43, + "Code": { + "Lines": [ + { + "Number": 43, + "Content": "---", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "---", + "FirstCause": true, + "LastCause": true + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV106", + "AVDID": "AVD-KSV-0106", + "Title": "Container capabilities must only include NET_BIND_SERVICE", + "Description": "Containers must drop ALL 
capabilities, and are only permitted to add back the NET_BIND_SERVICE capability.", + "Message": "container should drop all", + "Namespace": "builtin.kubernetes.KSV106", + "Query": "data.builtin.kubernetes.KSV106.deny", + "Resolution": "Set 'spec.containers[*].securityContext.capabilities.drop' to 'ALL' and only add 'NET_BIND_SERVICE' to 'spec.containers[*].securityContext.capabilities.add'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv106", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", + "https://avd.aquasec.com/misconfig/ksv106" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 73, + "EndLine": 98, + "Code": { + "Lines": [ + { + "Number": 73, + "Content": " - name: lens", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: lens", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 74, + "Content": " image: \"quay.io/devtron/lens:70577aaa-333-21179\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/lens:70577aaa-333-21179\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 75, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 76, + "Content": " securityContext:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33msecurityContext\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 77, + "Content": " allowPrivilegeEscalation: false", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " 
\u001b[38;5;33mallowPrivilegeEscalation\u001b[0m: \u001b[38;5;166mfalse", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 78, + "Content": " runAsUser: 1000", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1000", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 79, + "Content": " runAsNonRoot: true", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 80, + "Content": " ports:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mports\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 81, + "Content": " - name: app", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: app", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 82, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + } + ] + }, + { + "Target": "manifests/yamls/migrator.yaml", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 153, + "Failures": 80, + "Exceptions": 0 + }, + "Misconfigurations": [ + { + "Type": "Kubernetes Security Check", + "ID": "KSV001", + "AVDID": "AVD-KSV-0001", + "Title": "Can elevate its own privileges", + "Description": "A program inside the container can elevate its own privileges and run as root, which might give the program control over the container and node.", + "Message": "Container 'chart-sync' of CronJob 'app-sync-cronjob' should set 'securityContext.allowPrivilegeEscalation' to false", + "Namespace": "builtin.kubernetes.KSV001", + "Query": "data.builtin.kubernetes.KSV001.deny", + "Resolution": "Set 'set 
containers[].securityContext.allowPrivilegeEscalation' to 'false'.", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv001", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", + "https://avd.aquasec.com/misconfig/ksv001" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 261, + "EndLine": 272, + "Code": { + "Lines": [ + { + "Number": 261, + "Content": " - name: chart-sync", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: chart-sync", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 262, + "Content": " image: quay.io/devtron/chart-sync:d0dcc590-373-21074", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/chart-sync:d0dcc590-373-21074", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 263, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 264, + "Content": " - name: PG_ADDR", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: PG_ADDR", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 265, + "Content": " value: postgresql-postgresql.devtroncd", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: postgresql-postgresql.devtroncd", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 266, + "Content": " - name: PG_DATABASE", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: PG_DATABASE", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 267, + "Content": " value: orchestrator", + 
"IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: orchestrator", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 268, + "Content": " - name: PG_USER", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: PG_USER", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 269, + "Content": " value: postgres", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: postgres", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 270, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV001", + "AVDID": "AVD-KSV-0001", + "Title": "Can elevate its own privileges", + "Description": "A program inside the container can elevate its own privileges and run as root, which might give the program control over the container and node.", + "Message": "Container 'devtron-rollout' of Job 'postgresql-migrate-casbin' should set 'securityContext.allowPrivilegeEscalation' to false", + "Namespace": "builtin.kubernetes.KSV001", + "Query": "data.builtin.kubernetes.KSV001.deny", + "Resolution": "Set 'set containers[].securityContext.allowPrivilegeEscalation' to 'false'.", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv001", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", + "https://avd.aquasec.com/misconfig/ksv001" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 71, + "EndLine": 73, + "Code": { + "Lines": [ + { + "Number": 71, + "Content": " - name: devtron-rollout", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: 
devtron-rollout", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 72, + "Content": " image: \"quay.io/devtron/kubectl:latest\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/kubectl:latest\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 73, + "Content": " command: ['sh', '-c', 'kubectl rollout restart deployment/devtron -n devtroncd \u0026\u0026 kubectl rollout restart deployment/kubelink -n devtroncd']", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mcommand\u001b[0m: [\u001b[38;5;37m'sh'\u001b[0m, \u001b[38;5;37m'-c'\u001b[0m, \u001b[38;5;37m'kubectl rollout restart deployment/devtron -n devtroncd \u0026\u0026 kubectl rollout restart deployment/kubelink -n devtroncd'\u001b[0m]", + "FirstCause": false, + "LastCause": true + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV003", + "AVDID": "AVD-KSV-0003", + "Title": "Default capabilities: some containers do not drop all", + "Description": "The container should drop all default capabilities and add only those that are needed for its execution.", + "Message": "Container 'chart-sync' of CronJob 'app-sync-cronjob' should add 'ALL' to 'securityContext.capabilities.drop'", + "Namespace": "builtin.kubernetes.KSV003", + "Query": "data.builtin.kubernetes.KSV003.deny", + "Resolution": "Add 'ALL' to containers[].securityContext.capabilities.drop.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv003", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-capabilities-drop-index-all/", + "https://avd.aquasec.com/misconfig/ksv003" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 261, + "EndLine": 272, + "Code": { + "Lines": [ + { + "Number": 261, + "Content": " - name: chart-sync", + 
"IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: chart-sync", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 262, + "Content": " image: quay.io/devtron/chart-sync:d0dcc590-373-21074", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/chart-sync:d0dcc590-373-21074", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 263, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 264, + "Content": " - name: PG_ADDR", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: PG_ADDR", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 265, + "Content": " value: postgresql-postgresql.devtroncd", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: postgresql-postgresql.devtroncd", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 266, + "Content": " - name: PG_DATABASE", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: PG_DATABASE", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 267, + "Content": " value: orchestrator", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: orchestrator", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 268, + "Content": " - name: PG_USER", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: PG_USER", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 269, + "Content": " value: postgres", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " 
\u001b[38;5;33mvalue\u001b[0m: postgres", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 270, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV003", + "AVDID": "AVD-KSV-0003", + "Title": "Default capabilities: some containers do not drop all", + "Description": "The container should drop all default capabilities and add only those that are needed for its execution.", + "Message": "Container 'devtron-rollout' of Job 'postgresql-migrate-casbin' should add 'ALL' to 'securityContext.capabilities.drop'", + "Namespace": "builtin.kubernetes.KSV003", + "Query": "data.builtin.kubernetes.KSV003.deny", + "Resolution": "Add 'ALL' to containers[].securityContext.capabilities.drop.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv003", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-capabilities-drop-index-all/", + "https://avd.aquasec.com/misconfig/ksv003" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 71, + "EndLine": 73, + "Code": { + "Lines": [ + { + "Number": 71, + "Content": " - name: devtron-rollout", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: devtron-rollout", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 72, + "Content": " image: \"quay.io/devtron/kubectl:latest\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/kubectl:latest\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 73, + "Content": " command: ['sh', '-c', 'kubectl rollout restart deployment/devtron -n devtroncd \u0026\u0026 kubectl rollout restart deployment/kubelink -n devtroncd']", + "IsCause": true, + 
"Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mcommand\u001b[0m: [\u001b[38;5;37m'sh'\u001b[0m, \u001b[38;5;37m'-c'\u001b[0m, \u001b[38;5;37m'kubectl rollout restart deployment/devtron -n devtroncd \u0026\u0026 kubectl rollout restart deployment/kubelink -n devtroncd'\u001b[0m]", + "FirstCause": false, + "LastCause": true + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV003", + "AVDID": "AVD-KSV-0003", + "Title": "Default capabilities: some containers do not drop all", + "Description": "The container should drop all default capabilities and add only those that are needed for its execution.", + "Message": "Container 'postgresql-migrate-casbin' of Job 'postgresql-migrate-casbin' should add 'ALL' to 'securityContext.capabilities.drop'", + "Namespace": "builtin.kubernetes.KSV003", + "Query": "data.builtin.kubernetes.KSV003.deny", + "Resolution": "Add 'ALL' to containers[].securityContext.capabilities.drop.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv003", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-capabilities-drop-index-all/", + "https://avd.aquasec.com/misconfig/ksv003" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 75, + "EndLine": 108, + "Code": { + "Lines": [ + { + "Number": 75, + "Content": " - name: postgresql-migrate-casbin", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-migrate-casbin", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 76, + "Content": " image: quay.io/devtron/migrator:ec1dcab8-149-13278", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/migrator:ec1dcab8-149-13278", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 77, + "Content": " securityContext:", + 
"IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33msecurityContext\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 78, + "Content": " allowPrivilegeEscalation: false", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mallowPrivilegeEscalation\u001b[0m: \u001b[38;5;166mfalse", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 79, + "Content": " runAsUser: 1000", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1000", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 80, + "Content": " runAsNonRoot: true", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 81, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 82, + "Content": " - name: SCRIPT_LOCATION", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: SCRIPT_LOCATION", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 83, + "Content": " value: scripts/casbin/", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: scripts/casbin/", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 84, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV003", + "AVDID": "AVD-KSV-0003", + "Title": "Default capabilities: some containers do not drop all", + "Description": "The container should drop all 
default capabilities and add only those that are needed for its execution.", + "Message": "Container 'postgresql-migrate-devtron' of Job 'postgresql-migrate-devtron' should add 'ALL' to 'securityContext.capabilities.drop'", + "Namespace": "builtin.kubernetes.KSV003", + "Query": "data.builtin.kubernetes.KSV003.deny", + "Resolution": "Add 'ALL' to containers[].securityContext.capabilities.drop.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv003", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-capabilities-drop-index-all/", + "https://avd.aquasec.com/misconfig/ksv003" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 24, + "EndLine": 53, + "Code": { + "Lines": [ + { + "Number": 24, + "Content": " - name: postgresql-migrate-devtron", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-migrate-devtron", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 25, + "Content": " image: quay.io/devtron/migrator:ec1dcab8-149-13278", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/migrator:ec1dcab8-149-13278", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 26, + "Content": " securityContext:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33msecurityContext\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 27, + "Content": " allowPrivilegeEscalation: false", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mallowPrivilegeEscalation\u001b[0m: \u001b[38;5;166mfalse", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 28, + "Content": " runAsUser: 1000", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m 
\u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1000", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 29, + "Content": " runAsNonRoot: true", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 30, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 31, + "Content": " - name: GIT_BRANCH", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: GIT_BRANCH", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 32, + "Content": " value: main", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: main", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 33, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV003", + "AVDID": "AVD-KSV-0003", + "Title": "Default capabilities: some containers do not drop all", + "Description": "The container should drop all default capabilities and add only those that are needed for its execution.", + "Message": "Container 'postgresql-migrate-gitsensor' of Job 'postgresql-migrate-gitsensor' should add 'ALL' to 'securityContext.capabilities.drop'", + "Namespace": "builtin.kubernetes.KSV003", + "Query": "data.builtin.kubernetes.KSV003.deny", + "Resolution": "Add 'ALL' to containers[].securityContext.capabilities.drop.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv003", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-capabilities-drop-index-all/", + 
"https://avd.aquasec.com/misconfig/ksv003" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 125, + "EndLine": 154, + "Code": { + "Lines": [ + { + "Number": 125, + "Content": " - name: postgresql-migrate-gitsensor", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-migrate-gitsensor", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 126, + "Content": " image: quay.io/devtron/migrator:ec1dcab8-149-13278", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/migrator:ec1dcab8-149-13278", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 127, + "Content": " securityContext:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33msecurityContext\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 128, + "Content": " allowPrivilegeEscalation: false", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mallowPrivilegeEscalation\u001b[0m: \u001b[38;5;166mfalse", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 129, + "Content": " runAsUser: 1000", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1000", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 130, + "Content": " runAsNonRoot: true", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 131, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + 
{ + "Number": 132, + "Content": " - name: SCRIPT_LOCATION", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: SCRIPT_LOCATION", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 133, + "Content": " value: scripts/sql/", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: scripts/sql/", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 134, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV003", + "AVDID": "AVD-KSV-0003", + "Title": "Default capabilities: some containers do not drop all", + "Description": "The container should drop all default capabilities and add only those that are needed for its execution.", + "Message": "Container 'postgresql-migrate-lens' of Job 'postgresql-migrate-lens' should add 'ALL' to 'securityContext.capabilities.drop'", + "Namespace": "builtin.kubernetes.KSV003", + "Query": "data.builtin.kubernetes.KSV003.deny", + "Resolution": "Add 'ALL' to containers[].securityContext.capabilities.drop.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv003", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-capabilities-drop-index-all/", + "https://avd.aquasec.com/misconfig/ksv003" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 171, + "EndLine": 200, + "Code": { + "Lines": [ + { + "Number": 171, + "Content": " - name: postgresql-migrate-lens", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-migrate-lens", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 172, + "Content": " image: quay.io/devtron/migrator:ec1dcab8-149-13278", + "IsCause": 
true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/migrator:ec1dcab8-149-13278", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 173, + "Content": " securityContext:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33msecurityContext\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 174, + "Content": " allowPrivilegeEscalation: false", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mallowPrivilegeEscalation\u001b[0m: \u001b[38;5;166mfalse", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 175, + "Content": " runAsUser: 1000", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1000", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 176, + "Content": " runAsNonRoot: true", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 177, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 178, + "Content": " - name: SCRIPT_LOCATION", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: SCRIPT_LOCATION", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 179, + "Content": " value: scripts/sql/", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: scripts/sql/", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 180, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": 
false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV003", + "AVDID": "AVD-KSV-0003", + "Title": "Default capabilities: some containers do not drop all", + "Description": "The container should drop all default capabilities and add only those that are needed for its execution.", + "Message": "Container 'postgresql-miscellaneous' of Job 'postgresql-miscellaneous' should add 'ALL' to 'securityContext.capabilities.drop'", + "Namespace": "builtin.kubernetes.KSV003", + "Query": "data.builtin.kubernetes.KSV003.deny", + "Resolution": "Add 'ALL' to containers[].securityContext.capabilities.drop.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv003", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-capabilities-drop-index-all/", + "https://avd.aquasec.com/misconfig/ksv003" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 221, + "EndLine": 241, + "Code": { + "Lines": [ + { + "Number": 221, + "Content": " - name: postgresql-miscellaneous", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-miscellaneous", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 222, + "Content": " image: quay.io/devtron/postgres:11.9", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/postgres:11.9", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 223, + "Content": " securityContext:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33msecurityContext\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 224, + "Content": " allowPrivilegeEscalation: false", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " 
\u001b[38;5;33mallowPrivilegeEscalation\u001b[0m: \u001b[38;5;166mfalse", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 225, + "Content": " runAsUser: 1000", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1000", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 226, + "Content": " runAsNonRoot: true", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 227, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 228, + "Content": " - name: PGPASSWORD", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: PGPASSWORD", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 229, + "Content": " valueFrom:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalueFrom\u001b[0m:", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 230, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV011", + "AVDID": "AVD-KSV-0011", + "Title": "CPU not limited", + "Description": "Enforcing CPU limits prevents DoS via resource exhaustion.", + "Message": "Container 'chart-sync' of CronJob 'app-sync-cronjob' should set 'resources.limits.cpu'", + "Namespace": "builtin.kubernetes.KSV011", + "Query": "data.builtin.kubernetes.KSV011.deny", + "Resolution": "Set a limit value under 'containers[].resources.limits.cpu'.", + "Severity": "LOW", + "PrimaryURL": 
"https://avd.aquasec.com/misconfig/ksv011", + "References": [ + "https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", + "https://avd.aquasec.com/misconfig/ksv011" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 261, + "EndLine": 272, + "Code": { + "Lines": [ + { + "Number": 261, + "Content": " - name: chart-sync", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: chart-sync", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 262, + "Content": " image: quay.io/devtron/chart-sync:d0dcc590-373-21074", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/chart-sync:d0dcc590-373-21074", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 263, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 264, + "Content": " - name: PG_ADDR", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: PG_ADDR", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 265, + "Content": " value: postgresql-postgresql.devtroncd", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: postgresql-postgresql.devtroncd", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 266, + "Content": " - name: PG_DATABASE", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: PG_DATABASE", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 267, + "Content": " value: orchestrator", + "IsCause": true, + "Annotation": "", + "Truncated": false, + 
"Highlighted": " \u001b[38;5;33mvalue\u001b[0m: orchestrator", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 268, + "Content": " - name: PG_USER", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: PG_USER", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 269, + "Content": " value: postgres", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: postgres", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 270, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV011", + "AVDID": "AVD-KSV-0011", + "Title": "CPU not limited", + "Description": "Enforcing CPU limits prevents DoS via resource exhaustion.", + "Message": "Container 'devtron-rollout' of Job 'postgresql-migrate-casbin' should set 'resources.limits.cpu'", + "Namespace": "builtin.kubernetes.KSV011", + "Query": "data.builtin.kubernetes.KSV011.deny", + "Resolution": "Set a limit value under 'containers[].resources.limits.cpu'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv011", + "References": [ + "https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", + "https://avd.aquasec.com/misconfig/ksv011" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 71, + "EndLine": 73, + "Code": { + "Lines": [ + { + "Number": 71, + "Content": " - name: devtron-rollout", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: devtron-rollout", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 72, + "Content": " image: \"quay.io/devtron/kubectl:latest\"", + "IsCause": true, + 
"Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/kubectl:latest\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 73, + "Content": " command: ['sh', '-c', 'kubectl rollout restart deployment/devtron -n devtroncd \u0026\u0026 kubectl rollout restart deployment/kubelink -n devtroncd']", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mcommand\u001b[0m: [\u001b[38;5;37m'sh'\u001b[0m, \u001b[38;5;37m'-c'\u001b[0m, \u001b[38;5;37m'kubectl rollout restart deployment/devtron -n devtroncd \u0026\u0026 kubectl rollout restart deployment/kubelink -n devtroncd'\u001b[0m]", + "FirstCause": false, + "LastCause": true + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV011", + "AVDID": "AVD-KSV-0011", + "Title": "CPU not limited", + "Description": "Enforcing CPU limits prevents DoS via resource exhaustion.", + "Message": "Container 'postgresql-migrate-casbin' of Job 'postgresql-migrate-casbin' should set 'resources.limits.cpu'", + "Namespace": "builtin.kubernetes.KSV011", + "Query": "data.builtin.kubernetes.KSV011.deny", + "Resolution": "Set a limit value under 'containers[].resources.limits.cpu'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv011", + "References": [ + "https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", + "https://avd.aquasec.com/misconfig/ksv011" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 75, + "EndLine": 108, + "Code": { + "Lines": [ + { + "Number": 75, + "Content": " - name: postgresql-migrate-casbin", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-migrate-casbin", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 76, + 
"Content": " image: quay.io/devtron/migrator:ec1dcab8-149-13278", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/migrator:ec1dcab8-149-13278", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 77, + "Content": " securityContext:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33msecurityContext\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 78, + "Content": " allowPrivilegeEscalation: false", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mallowPrivilegeEscalation\u001b[0m: \u001b[38;5;166mfalse", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 79, + "Content": " runAsUser: 1000", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1000", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 80, + "Content": " runAsNonRoot: true", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 81, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 82, + "Content": " - name: SCRIPT_LOCATION", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: SCRIPT_LOCATION", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 83, + "Content": " value: scripts/casbin/", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: scripts/casbin/", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 84, + "Content": "", + 
"IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV011", + "AVDID": "AVD-KSV-0011", + "Title": "CPU not limited", + "Description": "Enforcing CPU limits prevents DoS via resource exhaustion.", + "Message": "Container 'postgresql-migrate-devtron' of Job 'postgresql-migrate-devtron' should set 'resources.limits.cpu'", + "Namespace": "builtin.kubernetes.KSV011", + "Query": "data.builtin.kubernetes.KSV011.deny", + "Resolution": "Set a limit value under 'containers[].resources.limits.cpu'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv011", + "References": [ + "https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", + "https://avd.aquasec.com/misconfig/ksv011" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 24, + "EndLine": 53, + "Code": { + "Lines": [ + { + "Number": 24, + "Content": " - name: postgresql-migrate-devtron", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-migrate-devtron", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 25, + "Content": " image: quay.io/devtron/migrator:ec1dcab8-149-13278", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/migrator:ec1dcab8-149-13278", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 26, + "Content": " securityContext:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33msecurityContext\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 27, + "Content": " allowPrivilegeEscalation: false", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " 
\u001b[38;5;33mallowPrivilegeEscalation\u001b[0m: \u001b[38;5;166mfalse", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 28, + "Content": " runAsUser: 1000", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1000", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 29, + "Content": " runAsNonRoot: true", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 30, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 31, + "Content": " - name: GIT_BRANCH", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: GIT_BRANCH", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 32, + "Content": " value: main", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: main", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 33, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV011", + "AVDID": "AVD-KSV-0011", + "Title": "CPU not limited", + "Description": "Enforcing CPU limits prevents DoS via resource exhaustion.", + "Message": "Container 'postgresql-migrate-gitsensor' of Job 'postgresql-migrate-gitsensor' should set 'resources.limits.cpu'", + "Namespace": "builtin.kubernetes.KSV011", + "Query": "data.builtin.kubernetes.KSV011.deny", + "Resolution": "Set a limit value under 'containers[].resources.limits.cpu'.", + "Severity": "LOW", + "PrimaryURL": 
"https://avd.aquasec.com/misconfig/ksv011", + "References": [ + "https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", + "https://avd.aquasec.com/misconfig/ksv011" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 125, + "EndLine": 154, + "Code": { + "Lines": [ + { + "Number": 125, + "Content": " - name: postgresql-migrate-gitsensor", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-migrate-gitsensor", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 126, + "Content": " image: quay.io/devtron/migrator:ec1dcab8-149-13278", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/migrator:ec1dcab8-149-13278", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 127, + "Content": " securityContext:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33msecurityContext\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 128, + "Content": " allowPrivilegeEscalation: false", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mallowPrivilegeEscalation\u001b[0m: \u001b[38;5;166mfalse", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 129, + "Content": " runAsUser: 1000", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1000", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 130, + "Content": " runAsNonRoot: true", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 131, + 
"Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 132, + "Content": " - name: SCRIPT_LOCATION", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: SCRIPT_LOCATION", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 133, + "Content": " value: scripts/sql/", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: scripts/sql/", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 134, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV011", + "AVDID": "AVD-KSV-0011", + "Title": "CPU not limited", + "Description": "Enforcing CPU limits prevents DoS via resource exhaustion.", + "Message": "Container 'postgresql-migrate-lens' of Job 'postgresql-migrate-lens' should set 'resources.limits.cpu'", + "Namespace": "builtin.kubernetes.KSV011", + "Query": "data.builtin.kubernetes.KSV011.deny", + "Resolution": "Set a limit value under 'containers[].resources.limits.cpu'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv011", + "References": [ + "https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", + "https://avd.aquasec.com/misconfig/ksv011" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 171, + "EndLine": 200, + "Code": { + "Lines": [ + { + "Number": 171, + "Content": " - name: postgresql-migrate-lens", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-migrate-lens", + "FirstCause": true, + 
"LastCause": false + }, + { + "Number": 172, + "Content": " image: quay.io/devtron/migrator:ec1dcab8-149-13278", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/migrator:ec1dcab8-149-13278", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 173, + "Content": " securityContext:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33msecurityContext\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 174, + "Content": " allowPrivilegeEscalation: false", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mallowPrivilegeEscalation\u001b[0m: \u001b[38;5;166mfalse", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 175, + "Content": " runAsUser: 1000", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1000", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 176, + "Content": " runAsNonRoot: true", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 177, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 178, + "Content": " - name: SCRIPT_LOCATION", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: SCRIPT_LOCATION", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 179, + "Content": " value: scripts/sql/", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: scripts/sql/", + "FirstCause": false, + "LastCause": 
true + }, + { + "Number": 180, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV011", + "AVDID": "AVD-KSV-0011", + "Title": "CPU not limited", + "Description": "Enforcing CPU limits prevents DoS via resource exhaustion.", + "Message": "Container 'postgresql-miscellaneous' of Job 'postgresql-miscellaneous' should set 'resources.limits.cpu'", + "Namespace": "builtin.kubernetes.KSV011", + "Query": "data.builtin.kubernetes.KSV011.deny", + "Resolution": "Set a limit value under 'containers[].resources.limits.cpu'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv011", + "References": [ + "https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", + "https://avd.aquasec.com/misconfig/ksv011" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 221, + "EndLine": 241, + "Code": { + "Lines": [ + { + "Number": 221, + "Content": " - name: postgresql-miscellaneous", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-miscellaneous", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 222, + "Content": " image: quay.io/devtron/postgres:11.9", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/postgres:11.9", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 223, + "Content": " securityContext:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33msecurityContext\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 224, + "Content": " allowPrivilegeEscalation: false", + "IsCause": true, + "Annotation": "", + "Truncated": false, + 
"Highlighted": " \u001b[38;5;33mallowPrivilegeEscalation\u001b[0m: \u001b[38;5;166mfalse", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 225, + "Content": " runAsUser: 1000", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1000", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 226, + "Content": " runAsNonRoot: true", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 227, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 228, + "Content": " - name: PGPASSWORD", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: PGPASSWORD", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 229, + "Content": " valueFrom:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalueFrom\u001b[0m:", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 230, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV012", + "AVDID": "AVD-KSV-0012", + "Title": "Runs as root user", + "Description": "Force the running image to run as a non-root user to ensure least privileges.", + "Message": "Container 'chart-sync' of CronJob 'app-sync-cronjob' should set 'securityContext.runAsNonRoot' to true", + "Namespace": "builtin.kubernetes.KSV012", + "Query": "data.builtin.kubernetes.KSV012.deny", + "Resolution": "Set 'containers[].securityContext.runAsNonRoot' to true.", + "Severity": "MEDIUM", + 
"PrimaryURL": "https://avd.aquasec.com/misconfig/ksv012", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", + "https://avd.aquasec.com/misconfig/ksv012" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 261, + "EndLine": 272, + "Code": { + "Lines": [ + { + "Number": 261, + "Content": " - name: chart-sync", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: chart-sync", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 262, + "Content": " image: quay.io/devtron/chart-sync:d0dcc590-373-21074", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/chart-sync:d0dcc590-373-21074", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 263, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 264, + "Content": " - name: PG_ADDR", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: PG_ADDR", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 265, + "Content": " value: postgresql-postgresql.devtroncd", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: postgresql-postgresql.devtroncd", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 266, + "Content": " - name: PG_DATABASE", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: PG_DATABASE", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 267, + "Content": " value: orchestrator", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " 
\u001b[38;5;33mvalue\u001b[0m: orchestrator", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 268, + "Content": " - name: PG_USER", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: PG_USER", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 269, + "Content": " value: postgres", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: postgres", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 270, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV012", + "AVDID": "AVD-KSV-0012", + "Title": "Runs as root user", + "Description": "Force the running image to run as a non-root user to ensure least privileges.", + "Message": "Container 'devtron-rollout' of Job 'postgresql-migrate-casbin' should set 'securityContext.runAsNonRoot' to true", + "Namespace": "builtin.kubernetes.KSV012", + "Query": "data.builtin.kubernetes.KSV012.deny", + "Resolution": "Set 'containers[].securityContext.runAsNonRoot' to true.", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv012", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", + "https://avd.aquasec.com/misconfig/ksv012" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 71, + "EndLine": 73, + "Code": { + "Lines": [ + { + "Number": 71, + "Content": " - name: devtron-rollout", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: devtron-rollout", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 72, + "Content": " image: \"quay.io/devtron/kubectl:latest\"", + "IsCause": true, + "Annotation": "", + 
"Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/kubectl:latest\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 73, + "Content": " command: ['sh', '-c', 'kubectl rollout restart deployment/devtron -n devtroncd \u0026\u0026 kubectl rollout restart deployment/kubelink -n devtroncd']", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mcommand\u001b[0m: [\u001b[38;5;37m'sh'\u001b[0m, \u001b[38;5;37m'-c'\u001b[0m, \u001b[38;5;37m'kubectl rollout restart deployment/devtron -n devtroncd \u0026\u0026 kubectl rollout restart deployment/kubelink -n devtroncd'\u001b[0m]", + "FirstCause": false, + "LastCause": true + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV013", + "AVDID": "AVD-KSV-0013", + "Title": "Image tag \":latest\" used", + "Description": "It is best to avoid using the ':latest' image tag when deploying containers in production. Doing so makes it hard to track which version of the image is running, and hard to roll back the version.", + "Message": "Container 'devtron-rollout' of Job 'postgresql-migrate-casbin' should specify an image tag", + "Namespace": "builtin.kubernetes.KSV013", + "Query": "data.builtin.kubernetes.KSV013.deny", + "Resolution": "Use a specific container image tag that is not 'latest'.", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv013", + "References": [ + "https://kubernetes.io/docs/concepts/configuration/overview/#container-images", + "https://avd.aquasec.com/misconfig/ksv013" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 71, + "EndLine": 73, + "Code": { + "Lines": [ + { + "Number": 71, + "Content": " - name: devtron-rollout", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: devtron-rollout", + "FirstCause": true, 
+ "LastCause": false + }, + { + "Number": 72, + "Content": " image: \"quay.io/devtron/kubectl:latest\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/kubectl:latest\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 73, + "Content": " command: ['sh', '-c', 'kubectl rollout restart deployment/devtron -n devtroncd \u0026\u0026 kubectl rollout restart deployment/kubelink -n devtroncd']", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mcommand\u001b[0m: [\u001b[38;5;37m'sh'\u001b[0m, \u001b[38;5;37m'-c'\u001b[0m, \u001b[38;5;37m'kubectl rollout restart deployment/devtron -n devtroncd \u0026\u0026 kubectl rollout restart deployment/kubelink -n devtroncd'\u001b[0m]", + "FirstCause": false, + "LastCause": true + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV014", + "AVDID": "AVD-KSV-0014", + "Title": "Root file system is not read-only", + "Description": "An immutable root file system prevents applications from writing to their local disk. 
This can limit intrusions, as attackers will not be able to tamper with the file system or write foreign executables to disk.", + "Message": "Container 'chart-sync' of CronJob 'app-sync-cronjob' should set 'securityContext.readOnlyRootFilesystem' to true", + "Namespace": "builtin.kubernetes.KSV014", + "Query": "data.builtin.kubernetes.KSV014.deny", + "Resolution": "Change 'containers[].securityContext.readOnlyRootFilesystem' to 'true'.", + "Severity": "HIGH", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv014", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-readonlyrootfilesystem-true/", + "https://avd.aquasec.com/misconfig/ksv014" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 261, + "EndLine": 272, + "Code": { + "Lines": [ + { + "Number": 261, + "Content": " - name: chart-sync", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: chart-sync", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 262, + "Content": " image: quay.io/devtron/chart-sync:d0dcc590-373-21074", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/chart-sync:d0dcc590-373-21074", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 263, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 264, + "Content": " - name: PG_ADDR", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: PG_ADDR", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 265, + "Content": " value: postgresql-postgresql.devtroncd", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: 
postgresql-postgresql.devtroncd", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 266, + "Content": " - name: PG_DATABASE", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: PG_DATABASE", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 267, + "Content": " value: orchestrator", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: orchestrator", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 268, + "Content": " - name: PG_USER", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: PG_USER", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 269, + "Content": " value: postgres", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: postgres", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 270, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV014", + "AVDID": "AVD-KSV-0014", + "Title": "Root file system is not read-only", + "Description": "An immutable root file system prevents applications from writing to their local disk. 
This can limit intrusions, as attackers will not be able to tamper with the file system or write foreign executables to disk.", + "Message": "Container 'devtron-rollout' of Job 'postgresql-migrate-casbin' should set 'securityContext.readOnlyRootFilesystem' to true", + "Namespace": "builtin.kubernetes.KSV014", + "Query": "data.builtin.kubernetes.KSV014.deny", + "Resolution": "Change 'containers[].securityContext.readOnlyRootFilesystem' to 'true'.", + "Severity": "HIGH", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv014", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-readonlyrootfilesystem-true/", + "https://avd.aquasec.com/misconfig/ksv014" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 71, + "EndLine": 73, + "Code": { + "Lines": [ + { + "Number": 71, + "Content": " - name: devtron-rollout", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: devtron-rollout", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 72, + "Content": " image: \"quay.io/devtron/kubectl:latest\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/kubectl:latest\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 73, + "Content": " command: ['sh', '-c', 'kubectl rollout restart deployment/devtron -n devtroncd \u0026\u0026 kubectl rollout restart deployment/kubelink -n devtroncd']", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mcommand\u001b[0m: [\u001b[38;5;37m'sh'\u001b[0m, \u001b[38;5;37m'-c'\u001b[0m, \u001b[38;5;37m'kubectl rollout restart deployment/devtron -n devtroncd \u0026\u0026 kubectl rollout restart deployment/kubelink -n devtroncd'\u001b[0m]", + "FirstCause": false, + "LastCause": true + } + ] + } + } + }, + { + "Type": 
"Kubernetes Security Check", + "ID": "KSV014", + "AVDID": "AVD-KSV-0014", + "Title": "Root file system is not read-only", + "Description": "An immutable root file system prevents applications from writing to their local disk. This can limit intrusions, as attackers will not be able to tamper with the file system or write foreign executables to disk.", + "Message": "Container 'postgresql-migrate-casbin' of Job 'postgresql-migrate-casbin' should set 'securityContext.readOnlyRootFilesystem' to true", + "Namespace": "builtin.kubernetes.KSV014", + "Query": "data.builtin.kubernetes.KSV014.deny", + "Resolution": "Change 'containers[].securityContext.readOnlyRootFilesystem' to 'true'.", + "Severity": "HIGH", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv014", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-readonlyrootfilesystem-true/", + "https://avd.aquasec.com/misconfig/ksv014" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 75, + "EndLine": 108, + "Code": { + "Lines": [ + { + "Number": 75, + "Content": " - name: postgresql-migrate-casbin", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-migrate-casbin", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 76, + "Content": " image: quay.io/devtron/migrator:ec1dcab8-149-13278", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/migrator:ec1dcab8-149-13278", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 77, + "Content": " securityContext:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33msecurityContext\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 78, + "Content": " allowPrivilegeEscalation: false", + "IsCause": true, + "Annotation": "", + "Truncated": 
false, + "Highlighted": " \u001b[38;5;33mallowPrivilegeEscalation\u001b[0m: \u001b[38;5;166mfalse", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 79, + "Content": " runAsUser: 1000", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1000", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 80, + "Content": " runAsNonRoot: true", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 81, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 82, + "Content": " - name: SCRIPT_LOCATION", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: SCRIPT_LOCATION", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 83, + "Content": " value: scripts/casbin/", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: scripts/casbin/", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 84, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV014", + "AVDID": "AVD-KSV-0014", + "Title": "Root file system is not read-only", + "Description": "An immutable root file system prevents applications from writing to their local disk. 
This can limit intrusions, as attackers will not be able to tamper with the file system or write foreign executables to disk.", + "Message": "Container 'postgresql-migrate-devtron' of Job 'postgresql-migrate-devtron' should set 'securityContext.readOnlyRootFilesystem' to true", + "Namespace": "builtin.kubernetes.KSV014", + "Query": "data.builtin.kubernetes.KSV014.deny", + "Resolution": "Change 'containers[].securityContext.readOnlyRootFilesystem' to 'true'.", + "Severity": "HIGH", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv014", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-readonlyrootfilesystem-true/", + "https://avd.aquasec.com/misconfig/ksv014" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 24, + "EndLine": 53, + "Code": { + "Lines": [ + { + "Number": 24, + "Content": " - name: postgresql-migrate-devtron", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-migrate-devtron", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 25, + "Content": " image: quay.io/devtron/migrator:ec1dcab8-149-13278", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/migrator:ec1dcab8-149-13278", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 26, + "Content": " securityContext:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33msecurityContext\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 27, + "Content": " allowPrivilegeEscalation: false", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mallowPrivilegeEscalation\u001b[0m: \u001b[38;5;166mfalse", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 28, + "Content": " runAsUser: 1000", + "IsCause": true, + 
"Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1000", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 29, + "Content": " runAsNonRoot: true", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 30, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 31, + "Content": " - name: GIT_BRANCH", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: GIT_BRANCH", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 32, + "Content": " value: main", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: main", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 33, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV014", + "AVDID": "AVD-KSV-0014", + "Title": "Root file system is not read-only", + "Description": "An immutable root file system prevents applications from writing to their local disk. 
This can limit intrusions, as attackers will not be able to tamper with the file system or write foreign executables to disk.", + "Message": "Container 'postgresql-migrate-gitsensor' of Job 'postgresql-migrate-gitsensor' should set 'securityContext.readOnlyRootFilesystem' to true", + "Namespace": "builtin.kubernetes.KSV014", + "Query": "data.builtin.kubernetes.KSV014.deny", + "Resolution": "Change 'containers[].securityContext.readOnlyRootFilesystem' to 'true'.", + "Severity": "HIGH", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv014", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-readonlyrootfilesystem-true/", + "https://avd.aquasec.com/misconfig/ksv014" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 125, + "EndLine": 154, + "Code": { + "Lines": [ + { + "Number": 125, + "Content": " - name: postgresql-migrate-gitsensor", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-migrate-gitsensor", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 126, + "Content": " image: quay.io/devtron/migrator:ec1dcab8-149-13278", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/migrator:ec1dcab8-149-13278", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 127, + "Content": " securityContext:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33msecurityContext\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 128, + "Content": " allowPrivilegeEscalation: false", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mallowPrivilegeEscalation\u001b[0m: \u001b[38;5;166mfalse", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 129, + "Content": " runAsUser: 1000", + 
"IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1000", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 130, + "Content": " runAsNonRoot: true", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 131, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 132, + "Content": " - name: SCRIPT_LOCATION", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: SCRIPT_LOCATION", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 133, + "Content": " value: scripts/sql/", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: scripts/sql/", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 134, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV014", + "AVDID": "AVD-KSV-0014", + "Title": "Root file system is not read-only", + "Description": "An immutable root file system prevents applications from writing to their local disk. 
This can limit intrusions, as attackers will not be able to tamper with the file system or write foreign executables to disk.", + "Message": "Container 'postgresql-migrate-lens' of Job 'postgresql-migrate-lens' should set 'securityContext.readOnlyRootFilesystem' to true", + "Namespace": "builtin.kubernetes.KSV014", + "Query": "data.builtin.kubernetes.KSV014.deny", + "Resolution": "Change 'containers[].securityContext.readOnlyRootFilesystem' to 'true'.", + "Severity": "HIGH", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv014", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-readonlyrootfilesystem-true/", + "https://avd.aquasec.com/misconfig/ksv014" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 171, + "EndLine": 200, + "Code": { + "Lines": [ + { + "Number": 171, + "Content": " - name: postgresql-migrate-lens", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-migrate-lens", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 172, + "Content": " image: quay.io/devtron/migrator:ec1dcab8-149-13278", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/migrator:ec1dcab8-149-13278", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 173, + "Content": " securityContext:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33msecurityContext\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 174, + "Content": " allowPrivilegeEscalation: false", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mallowPrivilegeEscalation\u001b[0m: \u001b[38;5;166mfalse", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 175, + "Content": " runAsUser: 1000", + "IsCause": true, + 
"Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1000", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 176, + "Content": " runAsNonRoot: true", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 177, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 178, + "Content": " - name: SCRIPT_LOCATION", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: SCRIPT_LOCATION", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 179, + "Content": " value: scripts/sql/", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: scripts/sql/", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 180, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV014", + "AVDID": "AVD-KSV-0014", + "Title": "Root file system is not read-only", + "Description": "An immutable root file system prevents applications from writing to their local disk. 
This can limit intrusions, as attackers will not be able to tamper with the file system or write foreign executables to disk.", + "Message": "Container 'postgresql-miscellaneous' of Job 'postgresql-miscellaneous' should set 'securityContext.readOnlyRootFilesystem' to true", + "Namespace": "builtin.kubernetes.KSV014", + "Query": "data.builtin.kubernetes.KSV014.deny", + "Resolution": "Change 'containers[].securityContext.readOnlyRootFilesystem' to 'true'.", + "Severity": "HIGH", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv014", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-readonlyrootfilesystem-true/", + "https://avd.aquasec.com/misconfig/ksv014" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 221, + "EndLine": 241, + "Code": { + "Lines": [ + { + "Number": 221, + "Content": " - name: postgresql-miscellaneous", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-miscellaneous", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 222, + "Content": " image: quay.io/devtron/postgres:11.9", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/postgres:11.9", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 223, + "Content": " securityContext:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33msecurityContext\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 224, + "Content": " allowPrivilegeEscalation: false", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mallowPrivilegeEscalation\u001b[0m: \u001b[38;5;166mfalse", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 225, + "Content": " runAsUser: 1000", + "IsCause": true, + "Annotation": "", + 
"Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1000", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 226, + "Content": " runAsNonRoot: true", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 227, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 228, + "Content": " - name: PGPASSWORD", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: PGPASSWORD", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 229, + "Content": " valueFrom:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalueFrom\u001b[0m:", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 230, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV015", + "AVDID": "AVD-KSV-0015", + "Title": "CPU requests not specified", + "Description": "When containers have resource requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", + "Message": "Container 'chart-sync' of CronJob 'app-sync-cronjob' should set 'resources.requests.cpu'", + "Namespace": "builtin.kubernetes.KSV015", + "Query": "data.builtin.kubernetes.KSV015.deny", + "Resolution": "Set 'containers[].resources.requests.cpu'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv015", + "References": [ + 
"https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", + "https://avd.aquasec.com/misconfig/ksv015" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 261, + "EndLine": 272, + "Code": { + "Lines": [ + { + "Number": 261, + "Content": " - name: chart-sync", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: chart-sync", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 262, + "Content": " image: quay.io/devtron/chart-sync:d0dcc590-373-21074", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/chart-sync:d0dcc590-373-21074", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 263, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 264, + "Content": " - name: PG_ADDR", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: PG_ADDR", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 265, + "Content": " value: postgresql-postgresql.devtroncd", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: postgresql-postgresql.devtroncd", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 266, + "Content": " - name: PG_DATABASE", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: PG_DATABASE", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 267, + "Content": " value: orchestrator", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: orchestrator", + 
"FirstCause": false, + "LastCause": false + }, + { + "Number": 268, + "Content": " - name: PG_USER", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: PG_USER", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 269, + "Content": " value: postgres", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: postgres", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 270, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV015", + "AVDID": "AVD-KSV-0015", + "Title": "CPU requests not specified", + "Description": "When containers have resource requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", + "Message": "Container 'devtron-rollout' of Job 'postgresql-migrate-casbin' should set 'resources.requests.cpu'", + "Namespace": "builtin.kubernetes.KSV015", + "Query": "data.builtin.kubernetes.KSV015.deny", + "Resolution": "Set 'containers[].resources.requests.cpu'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv015", + "References": [ + "https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", + "https://avd.aquasec.com/misconfig/ksv015" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 71, + "EndLine": 73, + "Code": { + "Lines": [ + { + "Number": 71, + "Content": " - name: devtron-rollout", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: devtron-rollout", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 72, + "Content": " image: 
\"quay.io/devtron/kubectl:latest\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/kubectl:latest\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 73, + "Content": " command: ['sh', '-c', 'kubectl rollout restart deployment/devtron -n devtroncd \u0026\u0026 kubectl rollout restart deployment/kubelink -n devtroncd']", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mcommand\u001b[0m: [\u001b[38;5;37m'sh'\u001b[0m, \u001b[38;5;37m'-c'\u001b[0m, \u001b[38;5;37m'kubectl rollout restart deployment/devtron -n devtroncd \u0026\u0026 kubectl rollout restart deployment/kubelink -n devtroncd'\u001b[0m]", + "FirstCause": false, + "LastCause": true + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV015", + "AVDID": "AVD-KSV-0015", + "Title": "CPU requests not specified", + "Description": "When containers have resource requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", + "Message": "Container 'postgresql-migrate-devtron' of Job 'postgresql-migrate-devtron' should set 'resources.requests.cpu'", + "Namespace": "builtin.kubernetes.KSV015", + "Query": "data.builtin.kubernetes.KSV015.deny", + "Resolution": "Set 'containers[].resources.requests.cpu'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv015", + "References": [ + "https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", + "https://avd.aquasec.com/misconfig/ksv015" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 24, + "EndLine": 53, + "Code": { + "Lines": [ + { + "Number": 24, + "Content": " - name: postgresql-migrate-devtron", + "IsCause": true, + "Annotation": "", + 
"Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-migrate-devtron", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 25, + "Content": " image: quay.io/devtron/migrator:ec1dcab8-149-13278", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/migrator:ec1dcab8-149-13278", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 26, + "Content": " securityContext:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33msecurityContext\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 27, + "Content": " allowPrivilegeEscalation: false", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mallowPrivilegeEscalation\u001b[0m: \u001b[38;5;166mfalse", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 28, + "Content": " runAsUser: 1000", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1000", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 29, + "Content": " runAsNonRoot: true", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 30, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 31, + "Content": " - name: GIT_BRANCH", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: GIT_BRANCH", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 32, + "Content": " value: main", + "IsCause": true, + "Annotation": "", + "Truncated": false, + 
"Highlighted": " \u001b[38;5;33mvalue\u001b[0m: main", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 33, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV015", + "AVDID": "AVD-KSV-0015", + "Title": "CPU requests not specified", + "Description": "When containers have resource requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", + "Message": "Container 'postgresql-migrate-gitsensor' of Job 'postgresql-migrate-gitsensor' should set 'resources.requests.cpu'", + "Namespace": "builtin.kubernetes.KSV015", + "Query": "data.builtin.kubernetes.KSV015.deny", + "Resolution": "Set 'containers[].resources.requests.cpu'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv015", + "References": [ + "https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", + "https://avd.aquasec.com/misconfig/ksv015" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 125, + "EndLine": 154, + "Code": { + "Lines": [ + { + "Number": 125, + "Content": " - name: postgresql-migrate-gitsensor", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-migrate-gitsensor", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 126, + "Content": " image: quay.io/devtron/migrator:ec1dcab8-149-13278", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/migrator:ec1dcab8-149-13278", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 127, + "Content": " securityContext:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + 
"Highlighted": " \u001b[38;5;33msecurityContext\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 128, + "Content": " allowPrivilegeEscalation: false", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mallowPrivilegeEscalation\u001b[0m: \u001b[38;5;166mfalse", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 129, + "Content": " runAsUser: 1000", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1000", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 130, + "Content": " runAsNonRoot: true", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 131, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 132, + "Content": " - name: SCRIPT_LOCATION", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: SCRIPT_LOCATION", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 133, + "Content": " value: scripts/sql/", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: scripts/sql/", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 134, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV015", + "AVDID": "AVD-KSV-0015", + "Title": "CPU requests not specified", + "Description": "When containers have resource requests specified, the scheduler can make better decisions about which nodes to place 
pods on, and how to deal with resource contention.", + "Message": "Container 'postgresql-migrate-lens' of Job 'postgresql-migrate-lens' should set 'resources.requests.cpu'", + "Namespace": "builtin.kubernetes.KSV015", + "Query": "data.builtin.kubernetes.KSV015.deny", + "Resolution": "Set 'containers[].resources.requests.cpu'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv015", + "References": [ + "https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", + "https://avd.aquasec.com/misconfig/ksv015" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 171, + "EndLine": 200, + "Code": { + "Lines": [ + { + "Number": 171, + "Content": " - name: postgresql-migrate-lens", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-migrate-lens", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 172, + "Content": " image: quay.io/devtron/migrator:ec1dcab8-149-13278", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/migrator:ec1dcab8-149-13278", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 173, + "Content": " securityContext:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33msecurityContext\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 174, + "Content": " allowPrivilegeEscalation: false", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mallowPrivilegeEscalation\u001b[0m: \u001b[38;5;166mfalse", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 175, + "Content": " runAsUser: 1000", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: 
\u001b[38;5;37m1000", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 176, + "Content": " runAsNonRoot: true", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 177, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 178, + "Content": " - name: SCRIPT_LOCATION", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: SCRIPT_LOCATION", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 179, + "Content": " value: scripts/sql/", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: scripts/sql/", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 180, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV015", + "AVDID": "AVD-KSV-0015", + "Title": "CPU requests not specified", + "Description": "When containers have resource requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", + "Message": "Container 'postgresql-miscellaneous' of Job 'postgresql-miscellaneous' should set 'resources.requests.cpu'", + "Namespace": "builtin.kubernetes.KSV015", + "Query": "data.builtin.kubernetes.KSV015.deny", + "Resolution": "Set 'containers[].resources.requests.cpu'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv015", + "References": [ + "https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", + 
"https://avd.aquasec.com/misconfig/ksv015" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 221, + "EndLine": 241, + "Code": { + "Lines": [ + { + "Number": 221, + "Content": " - name: postgresql-miscellaneous", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-miscellaneous", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 222, + "Content": " image: quay.io/devtron/postgres:11.9", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/postgres:11.9", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 223, + "Content": " securityContext:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33msecurityContext\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 224, + "Content": " allowPrivilegeEscalation: false", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mallowPrivilegeEscalation\u001b[0m: \u001b[38;5;166mfalse", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 225, + "Content": " runAsUser: 1000", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1000", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 226, + "Content": " runAsNonRoot: true", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 227, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 228, + "Content": " - 
name: PGPASSWORD", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: PGPASSWORD", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 229, + "Content": " valueFrom:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalueFrom\u001b[0m:", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 230, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV016", + "AVDID": "AVD-KSV-0016", + "Title": "Memory requests not specified", + "Description": "When containers have memory requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", + "Message": "Container 'chart-sync' of CronJob 'app-sync-cronjob' should set 'resources.requests.memory'", + "Namespace": "builtin.kubernetes.KSV016", + "Query": "data.builtin.kubernetes.KSV016.deny", + "Resolution": "Set 'containers[].resources.requests.memory'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv016", + "References": [ + "https://kubesec.io/basics/containers-resources-limits-memory/", + "https://avd.aquasec.com/misconfig/ksv016" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 261, + "EndLine": 272, + "Code": { + "Lines": [ + { + "Number": 261, + "Content": " - name: chart-sync", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: chart-sync", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 262, + "Content": " image: quay.io/devtron/chart-sync:d0dcc590-373-21074", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: 
quay.io/devtron/chart-sync:d0dcc590-373-21074", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 263, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 264, + "Content": " - name: PG_ADDR", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: PG_ADDR", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 265, + "Content": " value: postgresql-postgresql.devtroncd", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: postgresql-postgresql.devtroncd", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 266, + "Content": " - name: PG_DATABASE", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: PG_DATABASE", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 267, + "Content": " value: orchestrator", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: orchestrator", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 268, + "Content": " - name: PG_USER", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: PG_USER", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 269, + "Content": " value: postgres", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: postgres", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 270, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV016", + "AVDID": "AVD-KSV-0016", + "Title": "Memory requests not 
specified", + "Description": "When containers have memory requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", + "Message": "Container 'devtron-rollout' of Job 'postgresql-migrate-casbin' should set 'resources.requests.memory'", + "Namespace": "builtin.kubernetes.KSV016", + "Query": "data.builtin.kubernetes.KSV016.deny", + "Resolution": "Set 'containers[].resources.requests.memory'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv016", + "References": [ + "https://kubesec.io/basics/containers-resources-limits-memory/", + "https://avd.aquasec.com/misconfig/ksv016" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 71, + "EndLine": 73, + "Code": { + "Lines": [ + { + "Number": 71, + "Content": " - name: devtron-rollout", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: devtron-rollout", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 72, + "Content": " image: \"quay.io/devtron/kubectl:latest\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/kubectl:latest\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 73, + "Content": " command: ['sh', '-c', 'kubectl rollout restart deployment/devtron -n devtroncd \u0026\u0026 kubectl rollout restart deployment/kubelink -n devtroncd']", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mcommand\u001b[0m: [\u001b[38;5;37m'sh'\u001b[0m, \u001b[38;5;37m'-c'\u001b[0m, \u001b[38;5;37m'kubectl rollout restart deployment/devtron -n devtroncd \u0026\u0026 kubectl rollout restart deployment/kubelink -n devtroncd'\u001b[0m]", + "FirstCause": false, + "LastCause": true + } + ] + } + } + }, + { + "Type": 
"Kubernetes Security Check", + "ID": "KSV016", + "AVDID": "AVD-KSV-0016", + "Title": "Memory requests not specified", + "Description": "When containers have memory requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", + "Message": "Container 'postgresql-migrate-devtron' of Job 'postgresql-migrate-devtron' should set 'resources.requests.memory'", + "Namespace": "builtin.kubernetes.KSV016", + "Query": "data.builtin.kubernetes.KSV016.deny", + "Resolution": "Set 'containers[].resources.requests.memory'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv016", + "References": [ + "https://kubesec.io/basics/containers-resources-limits-memory/", + "https://avd.aquasec.com/misconfig/ksv016" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 24, + "EndLine": 53, + "Code": { + "Lines": [ + { + "Number": 24, + "Content": " - name: postgresql-migrate-devtron", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-migrate-devtron", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 25, + "Content": " image: quay.io/devtron/migrator:ec1dcab8-149-13278", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/migrator:ec1dcab8-149-13278", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 26, + "Content": " securityContext:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33msecurityContext\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 27, + "Content": " allowPrivilegeEscalation: false", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mallowPrivilegeEscalation\u001b[0m: \u001b[38;5;166mfalse", + "FirstCause": 
false, + "LastCause": false + }, + { + "Number": 28, + "Content": " runAsUser: 1000", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1000", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 29, + "Content": " runAsNonRoot: true", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 30, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 31, + "Content": " - name: GIT_BRANCH", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: GIT_BRANCH", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 32, + "Content": " value: main", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: main", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 33, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV016", + "AVDID": "AVD-KSV-0016", + "Title": "Memory requests not specified", + "Description": "When containers have memory requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", + "Message": "Container 'postgresql-migrate-gitsensor' of Job 'postgresql-migrate-gitsensor' should set 'resources.requests.memory'", + "Namespace": "builtin.kubernetes.KSV016", + "Query": "data.builtin.kubernetes.KSV016.deny", + "Resolution": "Set 'containers[].resources.requests.memory'.", + "Severity": "LOW", + 
"PrimaryURL": "https://avd.aquasec.com/misconfig/ksv016", + "References": [ + "https://kubesec.io/basics/containers-resources-limits-memory/", + "https://avd.aquasec.com/misconfig/ksv016" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 125, + "EndLine": 154, + "Code": { + "Lines": [ + { + "Number": 125, + "Content": " - name: postgresql-migrate-gitsensor", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-migrate-gitsensor", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 126, + "Content": " image: quay.io/devtron/migrator:ec1dcab8-149-13278", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/migrator:ec1dcab8-149-13278", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 127, + "Content": " securityContext:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33msecurityContext\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 128, + "Content": " allowPrivilegeEscalation: false", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mallowPrivilegeEscalation\u001b[0m: \u001b[38;5;166mfalse", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 129, + "Content": " runAsUser: 1000", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1000", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 130, + "Content": " runAsNonRoot: true", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 131, + "Content": " env:", + "IsCause": true, + 
"Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 132, + "Content": " - name: SCRIPT_LOCATION", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: SCRIPT_LOCATION", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 133, + "Content": " value: scripts/sql/", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: scripts/sql/", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 134, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV016", + "AVDID": "AVD-KSV-0016", + "Title": "Memory requests not specified", + "Description": "When containers have memory requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", + "Message": "Container 'postgresql-migrate-lens' of Job 'postgresql-migrate-lens' should set 'resources.requests.memory'", + "Namespace": "builtin.kubernetes.KSV016", + "Query": "data.builtin.kubernetes.KSV016.deny", + "Resolution": "Set 'containers[].resources.requests.memory'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv016", + "References": [ + "https://kubesec.io/basics/containers-resources-limits-memory/", + "https://avd.aquasec.com/misconfig/ksv016" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 171, + "EndLine": 200, + "Code": { + "Lines": [ + { + "Number": 171, + "Content": " - name: postgresql-migrate-lens", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-migrate-lens", + "FirstCause": 
true, + "LastCause": false + }, + { + "Number": 172, + "Content": " image: quay.io/devtron/migrator:ec1dcab8-149-13278", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/migrator:ec1dcab8-149-13278", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 173, + "Content": " securityContext:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33msecurityContext\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 174, + "Content": " allowPrivilegeEscalation: false", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mallowPrivilegeEscalation\u001b[0m: \u001b[38;5;166mfalse", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 175, + "Content": " runAsUser: 1000", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1000", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 176, + "Content": " runAsNonRoot: true", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 177, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 178, + "Content": " - name: SCRIPT_LOCATION", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: SCRIPT_LOCATION", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 179, + "Content": " value: scripts/sql/", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: scripts/sql/", + "FirstCause": false, + 
"LastCause": true + }, + { + "Number": 180, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV016", + "AVDID": "AVD-KSV-0016", + "Title": "Memory requests not specified", + "Description": "When containers have memory requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", + "Message": "Container 'postgresql-miscellaneous' of Job 'postgresql-miscellaneous' should set 'resources.requests.memory'", + "Namespace": "builtin.kubernetes.KSV016", + "Query": "data.builtin.kubernetes.KSV016.deny", + "Resolution": "Set 'containers[].resources.requests.memory'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv016", + "References": [ + "https://kubesec.io/basics/containers-resources-limits-memory/", + "https://avd.aquasec.com/misconfig/ksv016" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 221, + "EndLine": 241, + "Code": { + "Lines": [ + { + "Number": 221, + "Content": " - name: postgresql-miscellaneous", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-miscellaneous", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 222, + "Content": " image: quay.io/devtron/postgres:11.9", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/postgres:11.9", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 223, + "Content": " securityContext:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33msecurityContext\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 224, + "Content": " allowPrivilegeEscalation: false", 
+ "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mallowPrivilegeEscalation\u001b[0m: \u001b[38;5;166mfalse", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 225, + "Content": " runAsUser: 1000", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1000", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 226, + "Content": " runAsNonRoot: true", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 227, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 228, + "Content": " - name: PGPASSWORD", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: PGPASSWORD", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 229, + "Content": " valueFrom:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalueFrom\u001b[0m:", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 230, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV018", + "AVDID": "AVD-KSV-0018", + "Title": "Memory not limited", + "Description": "Enforcing memory limits prevents DoS via resource exhaustion.", + "Message": "Container 'chart-sync' of CronJob 'app-sync-cronjob' should set 'resources.limits.memory'", + "Namespace": "builtin.kubernetes.KSV018", + "Query": "data.builtin.kubernetes.KSV018.deny", + "Resolution": "Set a limit value under 
'containers[].resources.limits.memory'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv018", + "References": [ + "https://kubesec.io/basics/containers-resources-limits-memory/", + "https://avd.aquasec.com/misconfig/ksv018" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 261, + "EndLine": 272, + "Code": { + "Lines": [ + { + "Number": 261, + "Content": " - name: chart-sync", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: chart-sync", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 262, + "Content": " image: quay.io/devtron/chart-sync:d0dcc590-373-21074", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/chart-sync:d0dcc590-373-21074", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 263, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 264, + "Content": " - name: PG_ADDR", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: PG_ADDR", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 265, + "Content": " value: postgresql-postgresql.devtroncd", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: postgresql-postgresql.devtroncd", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 266, + "Content": " - name: PG_DATABASE", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: PG_DATABASE", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 267, + "Content": " value: orchestrator", + "IsCause": true, + "Annotation": "", + 
"Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: orchestrator", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 268, + "Content": " - name: PG_USER", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: PG_USER", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 269, + "Content": " value: postgres", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: postgres", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 270, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV018", + "AVDID": "AVD-KSV-0018", + "Title": "Memory not limited", + "Description": "Enforcing memory limits prevents DoS via resource exhaustion.", + "Message": "Container 'devtron-rollout' of Job 'postgresql-migrate-casbin' should set 'resources.limits.memory'", + "Namespace": "builtin.kubernetes.KSV018", + "Query": "data.builtin.kubernetes.KSV018.deny", + "Resolution": "Set a limit value under 'containers[].resources.limits.memory'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv018", + "References": [ + "https://kubesec.io/basics/containers-resources-limits-memory/", + "https://avd.aquasec.com/misconfig/ksv018" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 71, + "EndLine": 73, + "Code": { + "Lines": [ + { + "Number": 71, + "Content": " - name: devtron-rollout", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: devtron-rollout", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 72, + "Content": " image: \"quay.io/devtron/kubectl:latest\"", + "IsCause": true, + "Annotation": "", + "Truncated": 
false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/kubectl:latest\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 73, + "Content": " command: ['sh', '-c', 'kubectl rollout restart deployment/devtron -n devtroncd \u0026\u0026 kubectl rollout restart deployment/kubelink -n devtroncd']", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mcommand\u001b[0m: [\u001b[38;5;37m'sh'\u001b[0m, \u001b[38;5;37m'-c'\u001b[0m, \u001b[38;5;37m'kubectl rollout restart deployment/devtron -n devtroncd \u0026\u0026 kubectl rollout restart deployment/kubelink -n devtroncd'\u001b[0m]", + "FirstCause": false, + "LastCause": true + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV018", + "AVDID": "AVD-KSV-0018", + "Title": "Memory not limited", + "Description": "Enforcing memory limits prevents DoS via resource exhaustion.", + "Message": "Container 'postgresql-migrate-casbin' of Job 'postgresql-migrate-casbin' should set 'resources.limits.memory'", + "Namespace": "builtin.kubernetes.KSV018", + "Query": "data.builtin.kubernetes.KSV018.deny", + "Resolution": "Set a limit value under 'containers[].resources.limits.memory'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv018", + "References": [ + "https://kubesec.io/basics/containers-resources-limits-memory/", + "https://avd.aquasec.com/misconfig/ksv018" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 75, + "EndLine": 108, + "Code": { + "Lines": [ + { + "Number": 75, + "Content": " - name: postgresql-migrate-casbin", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-migrate-casbin", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 76, + "Content": " image: quay.io/devtron/migrator:ec1dcab8-149-13278", + "IsCause": 
true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/migrator:ec1dcab8-149-13278", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 77, + "Content": " securityContext:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33msecurityContext\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 78, + "Content": " allowPrivilegeEscalation: false", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mallowPrivilegeEscalation\u001b[0m: \u001b[38;5;166mfalse", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 79, + "Content": " runAsUser: 1000", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1000", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 80, + "Content": " runAsNonRoot: true", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 81, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 82, + "Content": " - name: SCRIPT_LOCATION", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: SCRIPT_LOCATION", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 83, + "Content": " value: scripts/casbin/", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: scripts/casbin/", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 84, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": 
false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV018", + "AVDID": "AVD-KSV-0018", + "Title": "Memory not limited", + "Description": "Enforcing memory limits prevents DoS via resource exhaustion.", + "Message": "Container 'postgresql-migrate-devtron' of Job 'postgresql-migrate-devtron' should set 'resources.limits.memory'", + "Namespace": "builtin.kubernetes.KSV018", + "Query": "data.builtin.kubernetes.KSV018.deny", + "Resolution": "Set a limit value under 'containers[].resources.limits.memory'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv018", + "References": [ + "https://kubesec.io/basics/containers-resources-limits-memory/", + "https://avd.aquasec.com/misconfig/ksv018" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 24, + "EndLine": 53, + "Code": { + "Lines": [ + { + "Number": 24, + "Content": " - name: postgresql-migrate-devtron", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-migrate-devtron", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 25, + "Content": " image: quay.io/devtron/migrator:ec1dcab8-149-13278", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/migrator:ec1dcab8-149-13278", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 26, + "Content": " securityContext:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33msecurityContext\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 27, + "Content": " allowPrivilegeEscalation: false", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mallowPrivilegeEscalation\u001b[0m: \u001b[38;5;166mfalse", + "FirstCause": false, + "LastCause": false + }, + { 
+ "Number": 28, + "Content": " runAsUser: 1000", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1000", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 29, + "Content": " runAsNonRoot: true", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 30, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 31, + "Content": " - name: GIT_BRANCH", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: GIT_BRANCH", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 32, + "Content": " value: main", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: main", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 33, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV018", + "AVDID": "AVD-KSV-0018", + "Title": "Memory not limited", + "Description": "Enforcing memory limits prevents DoS via resource exhaustion.", + "Message": "Container 'postgresql-migrate-gitsensor' of Job 'postgresql-migrate-gitsensor' should set 'resources.limits.memory'", + "Namespace": "builtin.kubernetes.KSV018", + "Query": "data.builtin.kubernetes.KSV018.deny", + "Resolution": "Set a limit value under 'containers[].resources.limits.memory'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv018", + "References": [ + "https://kubesec.io/basics/containers-resources-limits-memory/", + 
"https://avd.aquasec.com/misconfig/ksv018" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 125, + "EndLine": 154, + "Code": { + "Lines": [ + { + "Number": 125, + "Content": " - name: postgresql-migrate-gitsensor", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-migrate-gitsensor", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 126, + "Content": " image: quay.io/devtron/migrator:ec1dcab8-149-13278", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/migrator:ec1dcab8-149-13278", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 127, + "Content": " securityContext:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33msecurityContext\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 128, + "Content": " allowPrivilegeEscalation: false", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mallowPrivilegeEscalation\u001b[0m: \u001b[38;5;166mfalse", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 129, + "Content": " runAsUser: 1000", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1000", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 130, + "Content": " runAsNonRoot: true", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 131, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + 
{ + "Number": 132, + "Content": " - name: SCRIPT_LOCATION", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: SCRIPT_LOCATION", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 133, + "Content": " value: scripts/sql/", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: scripts/sql/", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 134, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV018", + "AVDID": "AVD-KSV-0018", + "Title": "Memory not limited", + "Description": "Enforcing memory limits prevents DoS via resource exhaustion.", + "Message": "Container 'postgresql-migrate-lens' of Job 'postgresql-migrate-lens' should set 'resources.limits.memory'", + "Namespace": "builtin.kubernetes.KSV018", + "Query": "data.builtin.kubernetes.KSV018.deny", + "Resolution": "Set a limit value under 'containers[].resources.limits.memory'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv018", + "References": [ + "https://kubesec.io/basics/containers-resources-limits-memory/", + "https://avd.aquasec.com/misconfig/ksv018" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 171, + "EndLine": 200, + "Code": { + "Lines": [ + { + "Number": 171, + "Content": " - name: postgresql-migrate-lens", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-migrate-lens", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 172, + "Content": " image: quay.io/devtron/migrator:ec1dcab8-149-13278", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: 
quay.io/devtron/migrator:ec1dcab8-149-13278", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 173, + "Content": " securityContext:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33msecurityContext\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 174, + "Content": " allowPrivilegeEscalation: false", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mallowPrivilegeEscalation\u001b[0m: \u001b[38;5;166mfalse", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 175, + "Content": " runAsUser: 1000", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1000", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 176, + "Content": " runAsNonRoot: true", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 177, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 178, + "Content": " - name: SCRIPT_LOCATION", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: SCRIPT_LOCATION", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 179, + "Content": " value: scripts/sql/", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: scripts/sql/", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 180, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": 
"KSV018", + "AVDID": "AVD-KSV-0018", + "Title": "Memory not limited", + "Description": "Enforcing memory limits prevents DoS via resource exhaustion.", + "Message": "Container 'postgresql-miscellaneous' of Job 'postgresql-miscellaneous' should set 'resources.limits.memory'", + "Namespace": "builtin.kubernetes.KSV018", + "Query": "data.builtin.kubernetes.KSV018.deny", + "Resolution": "Set a limit value under 'containers[].resources.limits.memory'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv018", + "References": [ + "https://kubesec.io/basics/containers-resources-limits-memory/", + "https://avd.aquasec.com/misconfig/ksv018" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 221, + "EndLine": 241, + "Code": { + "Lines": [ + { + "Number": 221, + "Content": " - name: postgresql-miscellaneous", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-miscellaneous", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 222, + "Content": " image: quay.io/devtron/postgres:11.9", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/postgres:11.9", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 223, + "Content": " securityContext:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33msecurityContext\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 224, + "Content": " allowPrivilegeEscalation: false", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mallowPrivilegeEscalation\u001b[0m: \u001b[38;5;166mfalse", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 225, + "Content": " runAsUser: 1000", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": 
"\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1000", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 226, + "Content": " runAsNonRoot: true", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 227, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 228, + "Content": " - name: PGPASSWORD", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: PGPASSWORD", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 229, + "Content": " valueFrom:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalueFrom\u001b[0m:", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 230, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV020", + "AVDID": "AVD-KSV-0020", + "Title": "Runs with UID \u003c= 10000", + "Description": "Force the container to run with user ID \u003e 10000 to avoid conflicts with the host’s user table.", + "Message": "Container 'chart-sync' of CronJob 'app-sync-cronjob' should set 'securityContext.runAsUser' \u003e 10000", + "Namespace": "builtin.kubernetes.KSV020", + "Query": "data.builtin.kubernetes.KSV020.deny", + "Resolution": "Set 'containers[].securityContext.runAsUser' to an integer \u003e 10000.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv020", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-runasuser/", + "https://avd.aquasec.com/misconfig/ksv020" + ], + "Status": "FAIL", + "Layer": 
{}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 261, + "EndLine": 272, + "Code": { + "Lines": [ + { + "Number": 261, + "Content": " - name: chart-sync", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: chart-sync", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 262, + "Content": " image: quay.io/devtron/chart-sync:d0dcc590-373-21074", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/chart-sync:d0dcc590-373-21074", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 263, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 264, + "Content": " - name: PG_ADDR", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: PG_ADDR", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 265, + "Content": " value: postgresql-postgresql.devtroncd", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: postgresql-postgresql.devtroncd", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 266, + "Content": " - name: PG_DATABASE", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: PG_DATABASE", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 267, + "Content": " value: orchestrator", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: orchestrator", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 268, + "Content": " - name: PG_USER", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: 
PG_USER", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 269, + "Content": " value: postgres", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: postgres", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 270, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV020", + "AVDID": "AVD-KSV-0020", + "Title": "Runs with UID \u003c= 10000", + "Description": "Force the container to run with user ID \u003e 10000 to avoid conflicts with the host’s user table.", + "Message": "Container 'devtron-rollout' of Job 'postgresql-migrate-casbin' should set 'securityContext.runAsUser' \u003e 10000", + "Namespace": "builtin.kubernetes.KSV020", + "Query": "data.builtin.kubernetes.KSV020.deny", + "Resolution": "Set 'containers[].securityContext.runAsUser' to an integer \u003e 10000.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv020", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-runasuser/", + "https://avd.aquasec.com/misconfig/ksv020" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 71, + "EndLine": 73, + "Code": { + "Lines": [ + { + "Number": 71, + "Content": " - name: devtron-rollout", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: devtron-rollout", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 72, + "Content": " image: \"quay.io/devtron/kubectl:latest\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/kubectl:latest\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 73, + "Content": " command: ['sh', '-c', 'kubectl 
rollout restart deployment/devtron -n devtroncd \u0026\u0026 kubectl rollout restart deployment/kubelink -n devtroncd']", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mcommand\u001b[0m: [\u001b[38;5;37m'sh'\u001b[0m, \u001b[38;5;37m'-c'\u001b[0m, \u001b[38;5;37m'kubectl rollout restart deployment/devtron -n devtroncd \u0026\u0026 kubectl rollout restart deployment/kubelink -n devtroncd'\u001b[0m]", + "FirstCause": false, + "LastCause": true + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV020", + "AVDID": "AVD-KSV-0020", + "Title": "Runs with UID \u003c= 10000", + "Description": "Force the container to run with user ID \u003e 10000 to avoid conflicts with the host’s user table.", + "Message": "Container 'postgresql-migrate-casbin' of Job 'postgresql-migrate-casbin' should set 'securityContext.runAsUser' \u003e 10000", + "Namespace": "builtin.kubernetes.KSV020", + "Query": "data.builtin.kubernetes.KSV020.deny", + "Resolution": "Set 'containers[].securityContext.runAsUser' to an integer \u003e 10000.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv020", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-runasuser/", + "https://avd.aquasec.com/misconfig/ksv020" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 75, + "EndLine": 108, + "Code": { + "Lines": [ + { + "Number": 75, + "Content": " - name: postgresql-migrate-casbin", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-migrate-casbin", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 76, + "Content": " image: quay.io/devtron/migrator:ec1dcab8-149-13278", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/migrator:ec1dcab8-149-13278", + 
"FirstCause": false, + "LastCause": false + }, + { + "Number": 77, + "Content": " securityContext:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33msecurityContext\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 78, + "Content": " allowPrivilegeEscalation: false", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mallowPrivilegeEscalation\u001b[0m: \u001b[38;5;166mfalse", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 79, + "Content": " runAsUser: 1000", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1000", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 80, + "Content": " runAsNonRoot: true", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 81, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 82, + "Content": " - name: SCRIPT_LOCATION", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: SCRIPT_LOCATION", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 83, + "Content": " value: scripts/casbin/", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: scripts/casbin/", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 84, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV020", + "AVDID": "AVD-KSV-0020", + "Title": 
"Runs with UID \u003c= 10000", + "Description": "Force the container to run with user ID \u003e 10000 to avoid conflicts with the host’s user table.", + "Message": "Container 'postgresql-migrate-devtron' of Job 'postgresql-migrate-devtron' should set 'securityContext.runAsUser' \u003e 10000", + "Namespace": "builtin.kubernetes.KSV020", + "Query": "data.builtin.kubernetes.KSV020.deny", + "Resolution": "Set 'containers[].securityContext.runAsUser' to an integer \u003e 10000.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv020", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-runasuser/", + "https://avd.aquasec.com/misconfig/ksv020" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 24, + "EndLine": 53, + "Code": { + "Lines": [ + { + "Number": 24, + "Content": " - name: postgresql-migrate-devtron", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-migrate-devtron", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 25, + "Content": " image: quay.io/devtron/migrator:ec1dcab8-149-13278", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/migrator:ec1dcab8-149-13278", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 26, + "Content": " securityContext:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33msecurityContext\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 27, + "Content": " allowPrivilegeEscalation: false", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mallowPrivilegeEscalation\u001b[0m: \u001b[38;5;166mfalse", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 28, + "Content": " runAsUser: 1000", + "IsCause": true, + 
"Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1000", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 29, + "Content": " runAsNonRoot: true", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 30, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 31, + "Content": " - name: GIT_BRANCH", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: GIT_BRANCH", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 32, + "Content": " value: main", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: main", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 33, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV020", + "AVDID": "AVD-KSV-0020", + "Title": "Runs with UID \u003c= 10000", + "Description": "Force the container to run with user ID \u003e 10000 to avoid conflicts with the host’s user table.", + "Message": "Container 'postgresql-migrate-gitsensor' of Job 'postgresql-migrate-gitsensor' should set 'securityContext.runAsUser' \u003e 10000", + "Namespace": "builtin.kubernetes.KSV020", + "Query": "data.builtin.kubernetes.KSV020.deny", + "Resolution": "Set 'containers[].securityContext.runAsUser' to an integer \u003e 10000.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv020", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-runasuser/", 
+ "https://avd.aquasec.com/misconfig/ksv020" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 125, + "EndLine": 154, + "Code": { + "Lines": [ + { + "Number": 125, + "Content": " - name: postgresql-migrate-gitsensor", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-migrate-gitsensor", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 126, + "Content": " image: quay.io/devtron/migrator:ec1dcab8-149-13278", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/migrator:ec1dcab8-149-13278", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 127, + "Content": " securityContext:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33msecurityContext\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 128, + "Content": " allowPrivilegeEscalation: false", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mallowPrivilegeEscalation\u001b[0m: \u001b[38;5;166mfalse", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 129, + "Content": " runAsUser: 1000", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1000", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 130, + "Content": " runAsNonRoot: true", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 131, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, 
+ { + "Number": 132, + "Content": " - name: SCRIPT_LOCATION", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: SCRIPT_LOCATION", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 133, + "Content": " value: scripts/sql/", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: scripts/sql/", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 134, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV020", + "AVDID": "AVD-KSV-0020", + "Title": "Runs with UID \u003c= 10000", + "Description": "Force the container to run with user ID \u003e 10000 to avoid conflicts with the host’s user table.", + "Message": "Container 'postgresql-migrate-lens' of Job 'postgresql-migrate-lens' should set 'securityContext.runAsUser' \u003e 10000", + "Namespace": "builtin.kubernetes.KSV020", + "Query": "data.builtin.kubernetes.KSV020.deny", + "Resolution": "Set 'containers[].securityContext.runAsUser' to an integer \u003e 10000.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv020", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-runasuser/", + "https://avd.aquasec.com/misconfig/ksv020" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 171, + "EndLine": 200, + "Code": { + "Lines": [ + { + "Number": 171, + "Content": " - name: postgresql-migrate-lens", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-migrate-lens", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 172, + "Content": " image: quay.io/devtron/migrator:ec1dcab8-149-13278", + "IsCause": true, + "Annotation": "", + "Truncated": 
false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/migrator:ec1dcab8-149-13278", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 173, + "Content": " securityContext:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33msecurityContext\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 174, + "Content": " allowPrivilegeEscalation: false", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mallowPrivilegeEscalation\u001b[0m: \u001b[38;5;166mfalse", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 175, + "Content": " runAsUser: 1000", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1000", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 176, + "Content": " runAsNonRoot: true", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 177, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 178, + "Content": " - name: SCRIPT_LOCATION", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: SCRIPT_LOCATION", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 179, + "Content": " value: scripts/sql/", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: scripts/sql/", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 180, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + 
} + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV020", + "AVDID": "AVD-KSV-0020", + "Title": "Runs with UID \u003c= 10000", + "Description": "Force the container to run with user ID \u003e 10000 to avoid conflicts with the host’s user table.", + "Message": "Container 'postgresql-miscellaneous' of Job 'postgresql-miscellaneous' should set 'securityContext.runAsUser' \u003e 10000", + "Namespace": "builtin.kubernetes.KSV020", + "Query": "data.builtin.kubernetes.KSV020.deny", + "Resolution": "Set 'containers[].securityContext.runAsUser' to an integer \u003e 10000.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv020", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-runasuser/", + "https://avd.aquasec.com/misconfig/ksv020" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 221, + "EndLine": 241, + "Code": { + "Lines": [ + { + "Number": 221, + "Content": " - name: postgresql-miscellaneous", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-miscellaneous", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 222, + "Content": " image: quay.io/devtron/postgres:11.9", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/postgres:11.9", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 223, + "Content": " securityContext:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33msecurityContext\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 224, + "Content": " allowPrivilegeEscalation: false", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mallowPrivilegeEscalation\u001b[0m: \u001b[38;5;166mfalse", + "FirstCause": false, + "LastCause": false + }, + { 
+ "Number": 225, + "Content": " runAsUser: 1000", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1000", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 226, + "Content": " runAsNonRoot: true", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 227, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 228, + "Content": " - name: PGPASSWORD", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: PGPASSWORD", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 229, + "Content": " valueFrom:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalueFrom\u001b[0m:", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 230, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV021", + "AVDID": "AVD-KSV-0021", + "Title": "Runs with GID \u003c= 10000", + "Description": "Force the container to run with group ID \u003e 10000 to avoid conflicts with the host’s user table.", + "Message": "Container 'chart-sync' of CronJob 'app-sync-cronjob' should set 'securityContext.runAsGroup' \u003e 10000", + "Namespace": "builtin.kubernetes.KSV021", + "Query": "data.builtin.kubernetes.KSV021.deny", + "Resolution": "Set 'containers[].securityContext.runAsGroup' to an integer \u003e 10000.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv021", + "References": [ + 
"https://kubesec.io/basics/containers-securitycontext-runasuser/", + "https://avd.aquasec.com/misconfig/ksv021" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 261, + "EndLine": 272, + "Code": { + "Lines": [ + { + "Number": 261, + "Content": " - name: chart-sync", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: chart-sync", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 262, + "Content": " image: quay.io/devtron/chart-sync:d0dcc590-373-21074", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/chart-sync:d0dcc590-373-21074", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 263, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 264, + "Content": " - name: PG_ADDR", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: PG_ADDR", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 265, + "Content": " value: postgresql-postgresql.devtroncd", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: postgresql-postgresql.devtroncd", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 266, + "Content": " - name: PG_DATABASE", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: PG_DATABASE", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 267, + "Content": " value: orchestrator", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: orchestrator", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 
268, + "Content": " - name: PG_USER", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: PG_USER", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 269, + "Content": " value: postgres", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: postgres", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 270, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV021", + "AVDID": "AVD-KSV-0021", + "Title": "Runs with GID \u003c= 10000", + "Description": "Force the container to run with group ID \u003e 10000 to avoid conflicts with the host’s user table.", + "Message": "Container 'devtron-rollout' of Job 'postgresql-migrate-casbin' should set 'securityContext.runAsGroup' \u003e 10000", + "Namespace": "builtin.kubernetes.KSV021", + "Query": "data.builtin.kubernetes.KSV021.deny", + "Resolution": "Set 'containers[].securityContext.runAsGroup' to an integer \u003e 10000.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv021", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-runasuser/", + "https://avd.aquasec.com/misconfig/ksv021" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 71, + "EndLine": 73, + "Code": { + "Lines": [ + { + "Number": 71, + "Content": " - name: devtron-rollout", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: devtron-rollout", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 72, + "Content": " image: \"quay.io/devtron/kubectl:latest\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: 
\u001b[38;5;37m\"quay.io/devtron/kubectl:latest\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 73, + "Content": " command: ['sh', '-c', 'kubectl rollout restart deployment/devtron -n devtroncd \u0026\u0026 kubectl rollout restart deployment/kubelink -n devtroncd']", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mcommand\u001b[0m: [\u001b[38;5;37m'sh'\u001b[0m, \u001b[38;5;37m'-c'\u001b[0m, \u001b[38;5;37m'kubectl rollout restart deployment/devtron -n devtroncd \u0026\u0026 kubectl rollout restart deployment/kubelink -n devtroncd'\u001b[0m]", + "FirstCause": false, + "LastCause": true + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV021", + "AVDID": "AVD-KSV-0021", + "Title": "Runs with GID \u003c= 10000", + "Description": "Force the container to run with group ID \u003e 10000 to avoid conflicts with the host’s user table.", + "Message": "Container 'postgresql-migrate-casbin' of Job 'postgresql-migrate-casbin' should set 'securityContext.runAsGroup' \u003e 10000", + "Namespace": "builtin.kubernetes.KSV021", + "Query": "data.builtin.kubernetes.KSV021.deny", + "Resolution": "Set 'containers[].securityContext.runAsGroup' to an integer \u003e 10000.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv021", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-runasuser/", + "https://avd.aquasec.com/misconfig/ksv021" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 75, + "EndLine": 108, + "Code": { + "Lines": [ + { + "Number": 75, + "Content": " - name: postgresql-migrate-casbin", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-migrate-casbin", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 76, + "Content": " image: 
quay.io/devtron/migrator:ec1dcab8-149-13278", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/migrator:ec1dcab8-149-13278", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 77, + "Content": " securityContext:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33msecurityContext\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 78, + "Content": " allowPrivilegeEscalation: false", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mallowPrivilegeEscalation\u001b[0m: \u001b[38;5;166mfalse", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 79, + "Content": " runAsUser: 1000", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1000", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 80, + "Content": " runAsNonRoot: true", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 81, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 82, + "Content": " - name: SCRIPT_LOCATION", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: SCRIPT_LOCATION", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 83, + "Content": " value: scripts/casbin/", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: scripts/casbin/", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 84, + "Content": "", + "IsCause": false, + 
"Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV021", + "AVDID": "AVD-KSV-0021", + "Title": "Runs with GID \u003c= 10000", + "Description": "Force the container to run with group ID \u003e 10000 to avoid conflicts with the host’s user table.", + "Message": "Container 'postgresql-migrate-devtron' of Job 'postgresql-migrate-devtron' should set 'securityContext.runAsGroup' \u003e 10000", + "Namespace": "builtin.kubernetes.KSV021", + "Query": "data.builtin.kubernetes.KSV021.deny", + "Resolution": "Set 'containers[].securityContext.runAsGroup' to an integer \u003e 10000.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv021", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-runasuser/", + "https://avd.aquasec.com/misconfig/ksv021" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 24, + "EndLine": 53, + "Code": { + "Lines": [ + { + "Number": 24, + "Content": " - name: postgresql-migrate-devtron", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-migrate-devtron", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 25, + "Content": " image: quay.io/devtron/migrator:ec1dcab8-149-13278", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/migrator:ec1dcab8-149-13278", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 26, + "Content": " securityContext:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33msecurityContext\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 27, + "Content": " allowPrivilegeEscalation: false", + "IsCause": true, + "Annotation": "", + "Truncated": false, + 
"Highlighted": " \u001b[38;5;33mallowPrivilegeEscalation\u001b[0m: \u001b[38;5;166mfalse", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 28, + "Content": " runAsUser: 1000", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1000", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 29, + "Content": " runAsNonRoot: true", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 30, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 31, + "Content": " - name: GIT_BRANCH", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: GIT_BRANCH", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 32, + "Content": " value: main", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: main", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 33, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV021", + "AVDID": "AVD-KSV-0021", + "Title": "Runs with GID \u003c= 10000", + "Description": "Force the container to run with group ID \u003e 10000 to avoid conflicts with the host’s user table.", + "Message": "Container 'postgresql-migrate-gitsensor' of Job 'postgresql-migrate-gitsensor' should set 'securityContext.runAsGroup' \u003e 10000", + "Namespace": "builtin.kubernetes.KSV021", + "Query": "data.builtin.kubernetes.KSV021.deny", + "Resolution": "Set 
'containers[].securityContext.runAsGroup' to an integer \u003e 10000.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv021", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-runasuser/", + "https://avd.aquasec.com/misconfig/ksv021" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 125, + "EndLine": 154, + "Code": { + "Lines": [ + { + "Number": 125, + "Content": " - name: postgresql-migrate-gitsensor", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-migrate-gitsensor", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 126, + "Content": " image: quay.io/devtron/migrator:ec1dcab8-149-13278", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/migrator:ec1dcab8-149-13278", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 127, + "Content": " securityContext:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33msecurityContext\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 128, + "Content": " allowPrivilegeEscalation: false", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mallowPrivilegeEscalation\u001b[0m: \u001b[38;5;166mfalse", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 129, + "Content": " runAsUser: 1000", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1000", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 130, + "Content": " runAsNonRoot: true", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue", + "FirstCause": 
false, + "LastCause": false + }, + { + "Number": 131, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 132, + "Content": " - name: SCRIPT_LOCATION", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: SCRIPT_LOCATION", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 133, + "Content": " value: scripts/sql/", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: scripts/sql/", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 134, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV021", + "AVDID": "AVD-KSV-0021", + "Title": "Runs with GID \u003c= 10000", + "Description": "Force the container to run with group ID \u003e 10000 to avoid conflicts with the host’s user table.", + "Message": "Container 'postgresql-migrate-lens' of Job 'postgresql-migrate-lens' should set 'securityContext.runAsGroup' \u003e 10000", + "Namespace": "builtin.kubernetes.KSV021", + "Query": "data.builtin.kubernetes.KSV021.deny", + "Resolution": "Set 'containers[].securityContext.runAsGroup' to an integer \u003e 10000.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv021", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-runasuser/", + "https://avd.aquasec.com/misconfig/ksv021" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 171, + "EndLine": 200, + "Code": { + "Lines": [ + { + "Number": 171, + "Content": " - name: postgresql-migrate-lens", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - 
\u001b[38;5;33mname\u001b[0m: postgresql-migrate-lens", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 172, + "Content": " image: quay.io/devtron/migrator:ec1dcab8-149-13278", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/migrator:ec1dcab8-149-13278", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 173, + "Content": " securityContext:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33msecurityContext\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 174, + "Content": " allowPrivilegeEscalation: false", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mallowPrivilegeEscalation\u001b[0m: \u001b[38;5;166mfalse", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 175, + "Content": " runAsUser: 1000", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1000", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 176, + "Content": " runAsNonRoot: true", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 177, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 178, + "Content": " - name: SCRIPT_LOCATION", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: SCRIPT_LOCATION", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 179, + "Content": " value: scripts/sql/", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " 
\u001b[38;5;33mvalue\u001b[0m: scripts/sql/", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 180, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV021", + "AVDID": "AVD-KSV-0021", + "Title": "Runs with GID \u003c= 10000", + "Description": "Force the container to run with group ID \u003e 10000 to avoid conflicts with the host’s user table.", + "Message": "Container 'postgresql-miscellaneous' of Job 'postgresql-miscellaneous' should set 'securityContext.runAsGroup' \u003e 10000", + "Namespace": "builtin.kubernetes.KSV021", + "Query": "data.builtin.kubernetes.KSV021.deny", + "Resolution": "Set 'containers[].securityContext.runAsGroup' to an integer \u003e 10000.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv021", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-runasuser/", + "https://avd.aquasec.com/misconfig/ksv021" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 221, + "EndLine": 241, + "Code": { + "Lines": [ + { + "Number": 221, + "Content": " - name: postgresql-miscellaneous", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-miscellaneous", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 222, + "Content": " image: quay.io/devtron/postgres:11.9", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/postgres:11.9", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 223, + "Content": " securityContext:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33msecurityContext\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 224, + 
"Content": " allowPrivilegeEscalation: false", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mallowPrivilegeEscalation\u001b[0m: \u001b[38;5;166mfalse", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 225, + "Content": " runAsUser: 1000", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1000", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 226, + "Content": " runAsNonRoot: true", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 227, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 228, + "Content": " - name: PGPASSWORD", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: PGPASSWORD", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 229, + "Content": " valueFrom:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalueFrom\u001b[0m:", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 230, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV030", + "AVDID": "AVD-KSV-0030", + "Title": "Runtime/Default Seccomp profile not set", + "Description": "According to pod security standard 'Seccomp', the RuntimeDefault seccomp profile must be required, or allow specific additional profiles.", + "Message": "Either Pod or Container should set 'securityContext.seccompProfile.type' to 'RuntimeDefault'", + "Namespace": 
"builtin.kubernetes.KSV030", + "Query": "data.builtin.kubernetes.KSV030.deny", + "Resolution": "Set 'spec.securityContext.seccompProfile.type', 'spec.containers[*].securityContext.seccompProfile' and 'spec.initContainers[*].securityContext.seccompProfile' to 'RuntimeDefault' or undefined.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv030", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", + "https://avd.aquasec.com/misconfig/ksv030" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 125, + "EndLine": 154, + "Code": { + "Lines": [ + { + "Number": 125, + "Content": " - name: postgresql-migrate-gitsensor", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-migrate-gitsensor", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 126, + "Content": " image: quay.io/devtron/migrator:ec1dcab8-149-13278", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/migrator:ec1dcab8-149-13278", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 127, + "Content": " securityContext:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33msecurityContext\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 128, + "Content": " allowPrivilegeEscalation: false", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mallowPrivilegeEscalation\u001b[0m: \u001b[38;5;166mfalse", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 129, + "Content": " runAsUser: 1000", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1000", + "FirstCause": false, + "LastCause": 
false + }, + { + "Number": 130, + "Content": " runAsNonRoot: true", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 131, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 132, + "Content": " - name: SCRIPT_LOCATION", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: SCRIPT_LOCATION", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 133, + "Content": " value: scripts/sql/", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: scripts/sql/", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 134, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV030", + "AVDID": "AVD-KSV-0030", + "Title": "Runtime/Default Seccomp profile not set", + "Description": "According to pod security standard 'Seccomp', the RuntimeDefault seccomp profile must be required, or allow specific additional profiles.", + "Message": "Either Pod or Container should set 'securityContext.seccompProfile.type' to 'RuntimeDefault'", + "Namespace": "builtin.kubernetes.KSV030", + "Query": "data.builtin.kubernetes.KSV030.deny", + "Resolution": "Set 'spec.securityContext.seccompProfile.type', 'spec.containers[*].securityContext.seccompProfile' and 'spec.initContainers[*].securityContext.seccompProfile' to 'RuntimeDefault' or undefined.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv030", + "References": [ + 
"https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", + "https://avd.aquasec.com/misconfig/ksv030" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 171, + "EndLine": 200, + "Code": { + "Lines": [ + { + "Number": 171, + "Content": " - name: postgresql-migrate-lens", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-migrate-lens", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 172, + "Content": " image: quay.io/devtron/migrator:ec1dcab8-149-13278", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/migrator:ec1dcab8-149-13278", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 173, + "Content": " securityContext:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33msecurityContext\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 174, + "Content": " allowPrivilegeEscalation: false", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mallowPrivilegeEscalation\u001b[0m: \u001b[38;5;166mfalse", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 175, + "Content": " runAsUser: 1000", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1000", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 176, + "Content": " runAsNonRoot: true", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 177, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m 
\u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 178, + "Content": " - name: SCRIPT_LOCATION", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: SCRIPT_LOCATION", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 179, + "Content": " value: scripts/sql/", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: scripts/sql/", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 180, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV030", + "AVDID": "AVD-KSV-0030", + "Title": "Runtime/Default Seccomp profile not set", + "Description": "According to pod security standard 'Seccomp', the RuntimeDefault seccomp profile must be required, or allow specific additional profiles.", + "Message": "Either Pod or Container should set 'securityContext.seccompProfile.type' to 'RuntimeDefault'", + "Namespace": "builtin.kubernetes.KSV030", + "Query": "data.builtin.kubernetes.KSV030.deny", + "Resolution": "Set 'spec.securityContext.seccompProfile.type', 'spec.containers[*].securityContext.seccompProfile' and 'spec.initContainers[*].securityContext.seccompProfile' to 'RuntimeDefault' or undefined.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv030", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", + "https://avd.aquasec.com/misconfig/ksv030" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 221, + "EndLine": 241, + "Code": { + "Lines": [ + { + "Number": 221, + "Content": " - name: postgresql-miscellaneous", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - 
\u001b[38;5;33mname\u001b[0m: postgresql-miscellaneous", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 222, + "Content": " image: quay.io/devtron/postgres:11.9", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/postgres:11.9", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 223, + "Content": " securityContext:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33msecurityContext\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 224, + "Content": " allowPrivilegeEscalation: false", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mallowPrivilegeEscalation\u001b[0m: \u001b[38;5;166mfalse", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 225, + "Content": " runAsUser: 1000", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1000", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 226, + "Content": " runAsNonRoot: true", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 227, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 228, + "Content": " - name: PGPASSWORD", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: PGPASSWORD", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 229, + "Content": " valueFrom:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalueFrom\u001b[0m:", + 
"FirstCause": false, + "LastCause": true + }, + { + "Number": 230, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV030", + "AVDID": "AVD-KSV-0030", + "Title": "Runtime/Default Seccomp profile not set", + "Description": "According to pod security standard 'Seccomp', the RuntimeDefault seccomp profile must be required, or allow specific additional profiles.", + "Message": "Either Pod or Container should set 'securityContext.seccompProfile.type' to 'RuntimeDefault'", + "Namespace": "builtin.kubernetes.KSV030", + "Query": "data.builtin.kubernetes.KSV030.deny", + "Resolution": "Set 'spec.securityContext.seccompProfile.type', 'spec.containers[*].securityContext.seccompProfile' and 'spec.initContainers[*].securityContext.seccompProfile' to 'RuntimeDefault' or undefined.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv030", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", + "https://avd.aquasec.com/misconfig/ksv030" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 75, + "EndLine": 108, + "Code": { + "Lines": [ + { + "Number": 75, + "Content": " - name: postgresql-migrate-casbin", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-migrate-casbin", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 76, + "Content": " image: quay.io/devtron/migrator:ec1dcab8-149-13278", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/migrator:ec1dcab8-149-13278", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 77, + "Content": " securityContext:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + 
"Highlighted": " \u001b[38;5;33msecurityContext\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 78, + "Content": " allowPrivilegeEscalation: false", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mallowPrivilegeEscalation\u001b[0m: \u001b[38;5;166mfalse", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 79, + "Content": " runAsUser: 1000", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1000", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 80, + "Content": " runAsNonRoot: true", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 81, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 82, + "Content": " - name: SCRIPT_LOCATION", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: SCRIPT_LOCATION", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 83, + "Content": " value: scripts/casbin/", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: scripts/casbin/", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 84, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV030", + "AVDID": "AVD-KSV-0030", + "Title": "Runtime/Default Seccomp profile not set", + "Description": "According to pod security standard 'Seccomp', the RuntimeDefault seccomp profile must be required, or 
allow specific additional profiles.", + "Message": "Either Pod or Container should set 'securityContext.seccompProfile.type' to 'RuntimeDefault'", + "Namespace": "builtin.kubernetes.KSV030", + "Query": "data.builtin.kubernetes.KSV030.deny", + "Resolution": "Set 'spec.securityContext.seccompProfile.type', 'spec.containers[*].securityContext.seccompProfile' and 'spec.initContainers[*].securityContext.seccompProfile' to 'RuntimeDefault' or undefined.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv030", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", + "https://avd.aquasec.com/misconfig/ksv030" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 71, + "EndLine": 73, + "Code": { + "Lines": [ + { + "Number": 71, + "Content": " - name: devtron-rollout", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: devtron-rollout", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 72, + "Content": " image: \"quay.io/devtron/kubectl:latest\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/kubectl:latest\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 73, + "Content": " command: ['sh', '-c', 'kubectl rollout restart deployment/devtron -n devtroncd \u0026\u0026 kubectl rollout restart deployment/kubelink -n devtroncd']", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mcommand\u001b[0m: [\u001b[38;5;37m'sh'\u001b[0m, \u001b[38;5;37m'-c'\u001b[0m, \u001b[38;5;37m'kubectl rollout restart deployment/devtron -n devtroncd \u0026\u0026 kubectl rollout restart deployment/kubelink -n devtroncd'\u001b[0m]", + "FirstCause": false, + "LastCause": true + } + ] + } + } + }, + { + "Type": 
"Kubernetes Security Check", + "ID": "KSV030", + "AVDID": "AVD-KSV-0030", + "Title": "Runtime/Default Seccomp profile not set", + "Description": "According to pod security standard 'Seccomp', the RuntimeDefault seccomp profile must be required, or allow specific additional profiles.", + "Message": "Either Pod or Container should set 'securityContext.seccompProfile.type' to 'RuntimeDefault'", + "Namespace": "builtin.kubernetes.KSV030", + "Query": "data.builtin.kubernetes.KSV030.deny", + "Resolution": "Set 'spec.securityContext.seccompProfile.type', 'spec.containers[*].securityContext.seccompProfile' and 'spec.initContainers[*].securityContext.seccompProfile' to 'RuntimeDefault' or undefined.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv030", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", + "https://avd.aquasec.com/misconfig/ksv030" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 24, + "EndLine": 53, + "Code": { + "Lines": [ + { + "Number": 24, + "Content": " - name: postgresql-migrate-devtron", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-migrate-devtron", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 25, + "Content": " image: quay.io/devtron/migrator:ec1dcab8-149-13278", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/migrator:ec1dcab8-149-13278", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 26, + "Content": " securityContext:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33msecurityContext\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 27, + "Content": " allowPrivilegeEscalation: false", + "IsCause": true, + "Annotation": "", + 
"Truncated": false, + "Highlighted": " \u001b[38;5;33mallowPrivilegeEscalation\u001b[0m: \u001b[38;5;166mfalse", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 28, + "Content": " runAsUser: 1000", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1000", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 29, + "Content": " runAsNonRoot: true", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 30, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 31, + "Content": " - name: GIT_BRANCH", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: GIT_BRANCH", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 32, + "Content": " value: main", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: main", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 33, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV030", + "AVDID": "AVD-KSV-0030", + "Title": "Runtime/Default Seccomp profile not set", + "Description": "According to pod security standard 'Seccomp', the RuntimeDefault seccomp profile must be required, or allow specific additional profiles.", + "Message": "Either Pod or Container should set 'securityContext.seccompProfile.type' to 'RuntimeDefault'", + "Namespace": "builtin.kubernetes.KSV030", + "Query": "data.builtin.kubernetes.KSV030.deny", + 
"Resolution": "Set 'spec.securityContext.seccompProfile.type', 'spec.containers[*].securityContext.seccompProfile' and 'spec.initContainers[*].securityContext.seccompProfile' to 'RuntimeDefault' or undefined.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv030", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", + "https://avd.aquasec.com/misconfig/ksv030" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 261, + "EndLine": 272, + "Code": { + "Lines": [ + { + "Number": 261, + "Content": " - name: chart-sync", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: chart-sync", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 262, + "Content": " image: quay.io/devtron/chart-sync:d0dcc590-373-21074", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/chart-sync:d0dcc590-373-21074", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 263, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 264, + "Content": " - name: PG_ADDR", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: PG_ADDR", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 265, + "Content": " value: postgresql-postgresql.devtroncd", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: postgresql-postgresql.devtroncd", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 266, + "Content": " - name: PG_DATABASE", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - 
\u001b[38;5;33mname\u001b[0m: PG_DATABASE", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 267, + "Content": " value: orchestrator", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: orchestrator", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 268, + "Content": " - name: PG_USER", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: PG_USER", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 269, + "Content": " value: postgres", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: postgres", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 270, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV104", + "AVDID": "AVD-KSV-0104", + "Title": "Seccomp policies disabled", + "Description": "A program inside the container can bypass Seccomp protection policies.", + "Message": "container \"chart-sync\" of cronjob \"app-sync-cronjob\" in \"default\" namespace should specify a seccomp profile", + "Namespace": "builtin.kubernetes.KSV104", + "Query": "data.builtin.kubernetes.KSV104.deny", + "Resolution": "Specify seccomp either by annotation or by seccomp profile type having allowed values as per pod security standards", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv104", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline", + "https://avd.aquasec.com/misconfig/ksv104" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 249, + "EndLine": 249, + "Code": { + "Lines": [ + { + "Number": 249, + "Content": "---", + "IsCause": true, + "Annotation": 
"", + "Truncated": false, + "Highlighted": "\u001b[0m---", + "FirstCause": true, + "LastCause": true + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV104", + "AVDID": "AVD-KSV-0104", + "Title": "Seccomp policies disabled", + "Description": "A program inside the container can bypass Seccomp protection policies.", + "Message": "container \"devtron-rollout\" of job \"postgresql-migrate-casbin\" in \"default\" namespace should specify a seccomp profile", + "Namespace": "builtin.kubernetes.KSV104", + "Query": "data.builtin.kubernetes.KSV104.deny", + "Resolution": "Specify seccomp either by annotation or by seccomp profile type having allowed values as per pod security standards", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv104", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline", + "https://avd.aquasec.com/misconfig/ksv104" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 57, + "EndLine": 57, + "Code": { + "Lines": [ + { + "Number": 57, + "Content": "---", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m---", + "FirstCause": true, + "LastCause": true + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV104", + "AVDID": "AVD-KSV-0104", + "Title": "Seccomp policies disabled", + "Description": "A program inside the container can bypass Seccomp protection policies.", + "Message": "container \"postgresql-migrate-casbin\" of job \"postgresql-migrate-casbin\" in \"default\" namespace should specify a seccomp profile", + "Namespace": "builtin.kubernetes.KSV104", + "Query": "data.builtin.kubernetes.KSV104.deny", + "Resolution": "Specify seccomp either by annotation or by seccomp profile type having allowed values as per pod security standards", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv104", + 
"References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline", + "https://avd.aquasec.com/misconfig/ksv104" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 57, + "EndLine": 57, + "Code": { + "Lines": [ + { + "Number": 57, + "Content": "---", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m---", + "FirstCause": true, + "LastCause": true + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV104", + "AVDID": "AVD-KSV-0104", + "Title": "Seccomp policies disabled", + "Description": "A program inside the container can bypass Seccomp protection policies.", + "Message": "container \"postgresql-migrate-devtron\" of job \"postgresql-migrate-devtron\" in \"default\" namespace should specify a seccomp profile", + "Namespace": "builtin.kubernetes.KSV104", + "Query": "data.builtin.kubernetes.KSV104.deny", + "Resolution": "Specify seccomp either by annotation or by seccomp profile type having allowed values as per pod security standards", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv104", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline", + "https://avd.aquasec.com/misconfig/ksv104" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 11, + "EndLine": 11, + "Code": { + "Lines": [ + { + "Number": 11, + "Content": "---", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "---", + "FirstCause": true, + "LastCause": true + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV104", + "AVDID": "AVD-KSV-0104", + "Title": "Seccomp policies disabled", + "Description": "A program inside the container can bypass Seccomp protection policies.", + "Message": "container \"postgresql-migrate-gitsensor\" of job 
\"postgresql-migrate-gitsensor\" in \"default\" namespace should specify a seccomp profile", + "Namespace": "builtin.kubernetes.KSV104", + "Query": "data.builtin.kubernetes.KSV104.deny", + "Resolution": "Specify seccomp either by annotation or by seccomp profile type having allowed values as per pod security standards", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv104", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline", + "https://avd.aquasec.com/misconfig/ksv104" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 112, + "EndLine": 112, + "Code": { + "Lines": [ + { + "Number": 112, + "Content": "---", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m---", + "FirstCause": true, + "LastCause": true + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV104", + "AVDID": "AVD-KSV-0104", + "Title": "Seccomp policies disabled", + "Description": "A program inside the container can bypass Seccomp protection policies.", + "Message": "container \"postgresql-migrate-lens\" of job \"postgresql-migrate-lens\" in \"default\" namespace should specify a seccomp profile", + "Namespace": "builtin.kubernetes.KSV104", + "Query": "data.builtin.kubernetes.KSV104.deny", + "Resolution": "Specify seccomp either by annotation or by seccomp profile type having allowed values as per pod security standards", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv104", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline", + "https://avd.aquasec.com/misconfig/ksv104" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 158, + "EndLine": 158, + "Code": { + "Lines": [ + { + "Number": 158, + "Content": "---", + "IsCause": true, + 
"Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m---", + "FirstCause": true, + "LastCause": true + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV104", + "AVDID": "AVD-KSV-0104", + "Title": "Seccomp policies disabled", + "Description": "A program inside the container can bypass Seccomp protection policies.", + "Message": "container \"postgresql-miscellaneous\" of job \"postgresql-miscellaneous\" in \"default\" namespace should specify a seccomp profile", + "Namespace": "builtin.kubernetes.KSV104", + "Query": "data.builtin.kubernetes.KSV104.deny", + "Resolution": "Specify seccomp either by annotation or by seccomp profile type having allowed values as per pod security standards", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv104", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline", + "https://avd.aquasec.com/misconfig/ksv104" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 204, + "EndLine": 204, + "Code": { + "Lines": [ + { + "Number": 204, + "Content": "---", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m---", + "FirstCause": true, + "LastCause": true + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV106", + "AVDID": "AVD-KSV-0106", + "Title": "Container capabilities must only include NET_BIND_SERVICE", + "Description": "Containers must drop ALL capabilities, and are only permitted to add back the NET_BIND_SERVICE capability.", + "Message": "container should drop all", + "Namespace": "builtin.kubernetes.KSV106", + "Query": "data.builtin.kubernetes.KSV106.deny", + "Resolution": "Set 'spec.containers[*].securityContext.capabilities.drop' to 'ALL' and only add 'NET_BIND_SERVICE' to 'spec.containers[*].securityContext.capabilities.add'.", + "Severity": "LOW", + "PrimaryURL": 
"https://avd.aquasec.com/misconfig/ksv106", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", + "https://avd.aquasec.com/misconfig/ksv106" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 24, + "EndLine": 53, + "Code": { + "Lines": [ + { + "Number": 24, + "Content": " - name: postgresql-migrate-devtron", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-migrate-devtron", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 25, + "Content": " image: quay.io/devtron/migrator:ec1dcab8-149-13278", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/migrator:ec1dcab8-149-13278", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 26, + "Content": " securityContext:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33msecurityContext\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 27, + "Content": " allowPrivilegeEscalation: false", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mallowPrivilegeEscalation\u001b[0m: \u001b[38;5;166mfalse", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 28, + "Content": " runAsUser: 1000", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1000", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 29, + "Content": " runAsNonRoot: true", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 30, + "Content": " env:", + "IsCause": true, + "Annotation": 
"", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 31, + "Content": " - name: GIT_BRANCH", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: GIT_BRANCH", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 32, + "Content": " value: main", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: main", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 33, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV106", + "AVDID": "AVD-KSV-0106", + "Title": "Container capabilities must only include NET_BIND_SERVICE", + "Description": "Containers must drop ALL capabilities, and are only permitted to add back the NET_BIND_SERVICE capability.", + "Message": "container should drop all", + "Namespace": "builtin.kubernetes.KSV106", + "Query": "data.builtin.kubernetes.KSV106.deny", + "Resolution": "Set 'spec.containers[*].securityContext.capabilities.drop' to 'ALL' and only add 'NET_BIND_SERVICE' to 'spec.containers[*].securityContext.capabilities.add'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv106", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", + "https://avd.aquasec.com/misconfig/ksv106" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 71, + "EndLine": 73, + "Code": { + "Lines": [ + { + "Number": 71, + "Content": " - name: devtron-rollout", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: devtron-rollout", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 
72, + "Content": " image: \"quay.io/devtron/kubectl:latest\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/kubectl:latest\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 73, + "Content": " command: ['sh', '-c', 'kubectl rollout restart deployment/devtron -n devtroncd \u0026\u0026 kubectl rollout restart deployment/kubelink -n devtroncd']", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mcommand\u001b[0m: [\u001b[38;5;37m'sh'\u001b[0m, \u001b[38;5;37m'-c'\u001b[0m, \u001b[38;5;37m'kubectl rollout restart deployment/devtron -n devtroncd \u0026\u0026 kubectl rollout restart deployment/kubelink -n devtroncd'\u001b[0m]", + "FirstCause": false, + "LastCause": true + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV106", + "AVDID": "AVD-KSV-0106", + "Title": "Container capabilities must only include NET_BIND_SERVICE", + "Description": "Containers must drop ALL capabilities, and are only permitted to add back the NET_BIND_SERVICE capability.", + "Message": "container should drop all", + "Namespace": "builtin.kubernetes.KSV106", + "Query": "data.builtin.kubernetes.KSV106.deny", + "Resolution": "Set 'spec.containers[*].securityContext.capabilities.drop' to 'ALL' and only add 'NET_BIND_SERVICE' to 'spec.containers[*].securityContext.capabilities.add'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv106", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", + "https://avd.aquasec.com/misconfig/ksv106" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 75, + "EndLine": 108, + "Code": { + "Lines": [ + { + "Number": 75, + "Content": " - name: postgresql-migrate-casbin", + "IsCause": true, + "Annotation": "", + "Truncated": 
false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-migrate-casbin", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 76, + "Content": " image: quay.io/devtron/migrator:ec1dcab8-149-13278", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/migrator:ec1dcab8-149-13278", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 77, + "Content": " securityContext:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33msecurityContext\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 78, + "Content": " allowPrivilegeEscalation: false", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mallowPrivilegeEscalation\u001b[0m: \u001b[38;5;166mfalse", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 79, + "Content": " runAsUser: 1000", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1000", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 80, + "Content": " runAsNonRoot: true", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 81, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 82, + "Content": " - name: SCRIPT_LOCATION", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: SCRIPT_LOCATION", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 83, + "Content": " value: scripts/casbin/", + "IsCause": true, + "Annotation": "", + "Truncated": 
false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: scripts/casbin/", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 84, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV106", + "AVDID": "AVD-KSV-0106", + "Title": "Container capabilities must only include NET_BIND_SERVICE", + "Description": "Containers must drop ALL capabilities, and are only permitted to add back the NET_BIND_SERVICE capability.", + "Message": "container should drop all", + "Namespace": "builtin.kubernetes.KSV106", + "Query": "data.builtin.kubernetes.KSV106.deny", + "Resolution": "Set 'spec.containers[*].securityContext.capabilities.drop' to 'ALL' and only add 'NET_BIND_SERVICE' to 'spec.containers[*].securityContext.capabilities.add'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv106", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", + "https://avd.aquasec.com/misconfig/ksv106" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 125, + "EndLine": 154, + "Code": { + "Lines": [ + { + "Number": 125, + "Content": " - name: postgresql-migrate-gitsensor", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-migrate-gitsensor", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 126, + "Content": " image: quay.io/devtron/migrator:ec1dcab8-149-13278", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/migrator:ec1dcab8-149-13278", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 127, + "Content": " securityContext:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " 
\u001b[38;5;33msecurityContext\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 128, + "Content": " allowPrivilegeEscalation: false", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mallowPrivilegeEscalation\u001b[0m: \u001b[38;5;166mfalse", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 129, + "Content": " runAsUser: 1000", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1000", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 130, + "Content": " runAsNonRoot: true", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 131, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 132, + "Content": " - name: SCRIPT_LOCATION", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: SCRIPT_LOCATION", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 133, + "Content": " value: scripts/sql/", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: scripts/sql/", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 134, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV106", + "AVDID": "AVD-KSV-0106", + "Title": "Container capabilities must only include NET_BIND_SERVICE", + "Description": "Containers must drop ALL capabilities, and are only permitted to add back the NET_BIND_SERVICE 
capability.", + "Message": "container should drop all", + "Namespace": "builtin.kubernetes.KSV106", + "Query": "data.builtin.kubernetes.KSV106.deny", + "Resolution": "Set 'spec.containers[*].securityContext.capabilities.drop' to 'ALL' and only add 'NET_BIND_SERVICE' to 'spec.containers[*].securityContext.capabilities.add'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv106", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", + "https://avd.aquasec.com/misconfig/ksv106" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 171, + "EndLine": 200, + "Code": { + "Lines": [ + { + "Number": 171, + "Content": " - name: postgresql-migrate-lens", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-migrate-lens", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 172, + "Content": " image: quay.io/devtron/migrator:ec1dcab8-149-13278", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/migrator:ec1dcab8-149-13278", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 173, + "Content": " securityContext:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33msecurityContext\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 174, + "Content": " allowPrivilegeEscalation: false", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mallowPrivilegeEscalation\u001b[0m: \u001b[38;5;166mfalse", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 175, + "Content": " runAsUser: 1000", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1000", + "FirstCause": 
false, + "LastCause": false + }, + { + "Number": 176, + "Content": " runAsNonRoot: true", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 177, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 178, + "Content": " - name: SCRIPT_LOCATION", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: SCRIPT_LOCATION", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 179, + "Content": " value: scripts/sql/", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: scripts/sql/", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 180, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV106", + "AVDID": "AVD-KSV-0106", + "Title": "Container capabilities must only include NET_BIND_SERVICE", + "Description": "Containers must drop ALL capabilities, and are only permitted to add back the NET_BIND_SERVICE capability.", + "Message": "container should drop all", + "Namespace": "builtin.kubernetes.KSV106", + "Query": "data.builtin.kubernetes.KSV106.deny", + "Resolution": "Set 'spec.containers[*].securityContext.capabilities.drop' to 'ALL' and only add 'NET_BIND_SERVICE' to 'spec.containers[*].securityContext.capabilities.add'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv106", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", + "https://avd.aquasec.com/misconfig/ksv106" + ], + "Status": "FAIL", + 
"Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 221, + "EndLine": 241, + "Code": { + "Lines": [ + { + "Number": 221, + "Content": " - name: postgresql-miscellaneous", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-miscellaneous", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 222, + "Content": " image: quay.io/devtron/postgres:11.9", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/postgres:11.9", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 223, + "Content": " securityContext:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33msecurityContext\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 224, + "Content": " allowPrivilegeEscalation: false", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mallowPrivilegeEscalation\u001b[0m: \u001b[38;5;166mfalse", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 225, + "Content": " runAsUser: 1000", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1000", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 226, + "Content": " runAsNonRoot: true", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 227, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 228, + "Content": " - name: PGPASSWORD", + "IsCause": true, + "Annotation": "", + 
"Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: PGPASSWORD", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 229, + "Content": " valueFrom:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalueFrom\u001b[0m:", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 230, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV106", + "AVDID": "AVD-KSV-0106", + "Title": "Container capabilities must only include NET_BIND_SERVICE", + "Description": "Containers must drop ALL capabilities, and are only permitted to add back the NET_BIND_SERVICE capability.", + "Message": "container should drop all", + "Namespace": "builtin.kubernetes.KSV106", + "Query": "data.builtin.kubernetes.KSV106.deny", + "Resolution": "Set 'spec.containers[*].securityContext.capabilities.drop' to 'ALL' and only add 'NET_BIND_SERVICE' to 'spec.containers[*].securityContext.capabilities.add'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv106", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", + "https://avd.aquasec.com/misconfig/ksv106" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 261, + "EndLine": 272, + "Code": { + "Lines": [ + { + "Number": 261, + "Content": " - name: chart-sync", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: chart-sync", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 262, + "Content": " image: quay.io/devtron/chart-sync:d0dcc590-373-21074", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/chart-sync:d0dcc590-373-21074", + 
"FirstCause": false, + "LastCause": false + }, + { + "Number": 263, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 264, + "Content": " - name: PG_ADDR", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: PG_ADDR", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 265, + "Content": " value: postgresql-postgresql.devtroncd", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: postgresql-postgresql.devtroncd", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 266, + "Content": " - name: PG_DATABASE", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: PG_DATABASE", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 267, + "Content": " value: orchestrator", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: orchestrator", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 268, + "Content": " - name: PG_USER", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: PG_USER", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 269, + "Content": " value: postgres", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: postgres", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 270, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + } + ] + }, + { + "Target": "manifests/yamls/minio-storage.yaml", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 153, + "Failures": 29, + 
"Exceptions": 0 + }, + "Misconfigurations": [ + { + "Type": "Kubernetes Security Check", + "ID": "KSV001", + "AVDID": "AVD-KSV-0001", + "Title": "Can elevate its own privileges", + "Description": "A program inside the container can elevate its own privileges and run as root, which might give the program control over the container and node.", + "Message": "Container 'minio' of StatefulSet 'devtron-minio' should set 'securityContext.allowPrivilegeEscalation' to false", + "Namespace": "builtin.kubernetes.KSV001", + "Query": "data.builtin.kubernetes.KSV001.deny", + "Resolution": "Set 'set containers[].securityContext.allowPrivilegeEscalation' to 'false'.", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv001", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", + "https://avd.aquasec.com/misconfig/ksv001" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 281, + "EndLine": 305, + "Code": { + "Lines": [ + { + "Number": 281, + "Content": " - name: minio", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: minio", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 282, + "Content": " image: \"quay.io/devtron/minio:RELEASE.2021-02-14T04-01-33Z\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/minio:RELEASE.2021-02-14T04-01-33Z\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 283, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 284, + "Content": "", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "FirstCause": 
false, + "LastCause": false + }, + { + "Number": 285, + "Content": " command: [ \"/bin/sh\",", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mcommand\u001b[0m: [ \u001b[38;5;37m\"/bin/sh\"\u001b[0m,", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 286, + "Content": " \"-ce\",", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;37m\"-ce\"\u001b[0m,", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 287, + "Content": " \"/usr/bin/docker-entrypoint.sh minio -S /etc/minio/certs/ server http://devtron-minio-{0...3}.devtron-minio-svc.devtroncd.svc.cluster.local/export\" ]", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;37m\"/usr/bin/docker-entrypoint.sh minio -S /etc/minio/certs/ server http://devtron-minio-{0...3}.devtron-minio-svc.devtroncd.svc.cluster.local/export\"\u001b[0m ]", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 288, + "Content": " volumeMounts:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvolumeMounts\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 289, + "Content": " - name: export", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: export", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 290, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV001", + "AVDID": "AVD-KSV-0001", + "Title": "Can elevate its own privileges", + "Description": "A program inside the container can elevate its own privileges and run as root, which might give the program control over the container and node.", + "Message": "Container 'minio-mc' of Job 'devtron-minio-make-bucket-job' should set 
'securityContext.allowPrivilegeEscalation' to false", + "Namespace": "builtin.kubernetes.KSV001", + "Query": "data.builtin.kubernetes.KSV001.deny", + "Resolution": "Set 'set containers[].securityContext.allowPrivilegeEscalation' to 'false'.", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv001", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", + "https://avd.aquasec.com/misconfig/ksv001" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 350, + "EndLine": 362, + "Code": { + "Lines": [ + { + "Number": 350, + "Content": " - name: minio-mc", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: minio-mc", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 351, + "Content": " image: \"quay.io/devtron/minio-mc:RELEASE.2021-02-14T04-28-06Z\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/minio-mc:RELEASE.2021-02-14T04-28-06Z\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 352, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 353, + "Content": " command: [\"/bin/sh\", \"/config/initialize\"]", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mcommand\u001b[0m: [\u001b[38;5;37m\"/bin/sh\"\u001b[0m, \u001b[38;5;37m\"/config/initialize\"\u001b[0m]", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 354, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + 
"LastCause": false + }, + { + "Number": 355, + "Content": " - name: MINIO_ENDPOINT", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: MINIO_ENDPOINT", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 356, + "Content": " value: devtron-minio", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: devtron-minio", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 357, + "Content": " - name: MINIO_PORT", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: MINIO_PORT", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 358, + "Content": " value: \"9000\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: \u001b[38;5;37m\"9000\"", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 359, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV003", + "AVDID": "AVD-KSV-0003", + "Title": "Default capabilities: some containers do not drop all", + "Description": "The container should drop all default capabilities and add only those that are needed for its execution.", + "Message": "Container 'minio' of StatefulSet 'devtron-minio' should add 'ALL' to 'securityContext.capabilities.drop'", + "Namespace": "builtin.kubernetes.KSV003", + "Query": "data.builtin.kubernetes.KSV003.deny", + "Resolution": "Add 'ALL' to containers[].securityContext.capabilities.drop.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv003", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-capabilities-drop-index-all/", + "https://avd.aquasec.com/misconfig/ksv003" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { 
+ "Provider": "Kubernetes", + "Service": "general", + "StartLine": 281, + "EndLine": 305, + "Code": { + "Lines": [ + { + "Number": 281, + "Content": " - name: minio", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: minio", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 282, + "Content": " image: \"quay.io/devtron/minio:RELEASE.2021-02-14T04-01-33Z\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/minio:RELEASE.2021-02-14T04-01-33Z\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 283, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 284, + "Content": "", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "FirstCause": false, + "LastCause": false + }, + { + "Number": 285, + "Content": " command: [ \"/bin/sh\",", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mcommand\u001b[0m: [ \u001b[38;5;37m\"/bin/sh\"\u001b[0m,", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 286, + "Content": " \"-ce\",", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;37m\"-ce\"\u001b[0m,", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 287, + "Content": " \"/usr/bin/docker-entrypoint.sh minio -S /etc/minio/certs/ server http://devtron-minio-{0...3}.devtron-minio-svc.devtroncd.svc.cluster.local/export\" ]", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;37m\"/usr/bin/docker-entrypoint.sh minio -S /etc/minio/certs/ server http://devtron-minio-{0...3}.devtron-minio-svc.devtroncd.svc.cluster.local/export\"\u001b[0m 
]", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 288, + "Content": " volumeMounts:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvolumeMounts\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 289, + "Content": " - name: export", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: export", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 290, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV003", + "AVDID": "AVD-KSV-0003", + "Title": "Default capabilities: some containers do not drop all", + "Description": "The container should drop all default capabilities and add only those that are needed for its execution.", + "Message": "Container 'minio-mc' of Job 'devtron-minio-make-bucket-job' should add 'ALL' to 'securityContext.capabilities.drop'", + "Namespace": "builtin.kubernetes.KSV003", + "Query": "data.builtin.kubernetes.KSV003.deny", + "Resolution": "Add 'ALL' to containers[].securityContext.capabilities.drop.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv003", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-capabilities-drop-index-all/", + "https://avd.aquasec.com/misconfig/ksv003" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 350, + "EndLine": 362, + "Code": { + "Lines": [ + { + "Number": 350, + "Content": " - name: minio-mc", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: minio-mc", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 351, + "Content": " image: \"quay.io/devtron/minio-mc:RELEASE.2021-02-14T04-28-06Z\"", + "IsCause": 
true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/minio-mc:RELEASE.2021-02-14T04-28-06Z\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 352, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 353, + "Content": " command: [\"/bin/sh\", \"/config/initialize\"]", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mcommand\u001b[0m: [\u001b[38;5;37m\"/bin/sh\"\u001b[0m, \u001b[38;5;37m\"/config/initialize\"\u001b[0m]", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 354, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 355, + "Content": " - name: MINIO_ENDPOINT", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: MINIO_ENDPOINT", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 356, + "Content": " value: devtron-minio", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: devtron-minio", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 357, + "Content": " - name: MINIO_PORT", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: MINIO_PORT", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 358, + "Content": " value: \"9000\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: \u001b[38;5;37m\"9000\"", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 359, + "Content": 
"", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV011", + "AVDID": "AVD-KSV-0011", + "Title": "CPU not limited", + "Description": "Enforcing CPU limits prevents DoS via resource exhaustion.", + "Message": "Container 'minio' of StatefulSet 'devtron-minio' should set 'resources.limits.cpu'", + "Namespace": "builtin.kubernetes.KSV011", + "Query": "data.builtin.kubernetes.KSV011.deny", + "Resolution": "Set a limit value under 'containers[].resources.limits.cpu'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv011", + "References": [ + "https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", + "https://avd.aquasec.com/misconfig/ksv011" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 281, + "EndLine": 305, + "Code": { + "Lines": [ + { + "Number": 281, + "Content": " - name: minio", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: minio", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 282, + "Content": " image: \"quay.io/devtron/minio:RELEASE.2021-02-14T04-01-33Z\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/minio:RELEASE.2021-02-14T04-01-33Z\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 283, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 284, + "Content": "", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "FirstCause": false, + "LastCause": false + 
}, + { + "Number": 285, + "Content": " command: [ \"/bin/sh\",", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mcommand\u001b[0m: [ \u001b[38;5;37m\"/bin/sh\"\u001b[0m,", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 286, + "Content": " \"-ce\",", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;37m\"-ce\"\u001b[0m,", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 287, + "Content": " \"/usr/bin/docker-entrypoint.sh minio -S /etc/minio/certs/ server http://devtron-minio-{0...3}.devtron-minio-svc.devtroncd.svc.cluster.local/export\" ]", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;37m\"/usr/bin/docker-entrypoint.sh minio -S /etc/minio/certs/ server http://devtron-minio-{0...3}.devtron-minio-svc.devtroncd.svc.cluster.local/export\"\u001b[0m ]", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 288, + "Content": " volumeMounts:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvolumeMounts\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 289, + "Content": " - name: export", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: export", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 290, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV011", + "AVDID": "AVD-KSV-0011", + "Title": "CPU not limited", + "Description": "Enforcing CPU limits prevents DoS via resource exhaustion.", + "Message": "Container 'minio-mc' of Job 'devtron-minio-make-bucket-job' should set 'resources.limits.cpu'", + "Namespace": "builtin.kubernetes.KSV011", + "Query": "data.builtin.kubernetes.KSV011.deny", + "Resolution": 
"Set a limit value under 'containers[].resources.limits.cpu'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv011", + "References": [ + "https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", + "https://avd.aquasec.com/misconfig/ksv011" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 350, + "EndLine": 362, + "Code": { + "Lines": [ + { + "Number": 350, + "Content": " - name: minio-mc", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: minio-mc", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 351, + "Content": " image: \"quay.io/devtron/minio-mc:RELEASE.2021-02-14T04-28-06Z\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/minio-mc:RELEASE.2021-02-14T04-28-06Z\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 352, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 353, + "Content": " command: [\"/bin/sh\", \"/config/initialize\"]", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mcommand\u001b[0m: [\u001b[38;5;37m\"/bin/sh\"\u001b[0m, \u001b[38;5;37m\"/config/initialize\"\u001b[0m]", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 354, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 355, + "Content": " - name: MINIO_ENDPOINT", + "IsCause": true, + "Annotation": "", + "Truncated": false, + 
"Highlighted": " - \u001b[38;5;33mname\u001b[0m: MINIO_ENDPOINT", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 356, + "Content": " value: devtron-minio", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: devtron-minio", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 357, + "Content": " - name: MINIO_PORT", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: MINIO_PORT", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 358, + "Content": " value: \"9000\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: \u001b[38;5;37m\"9000\"", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 359, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV012", + "AVDID": "AVD-KSV-0012", + "Title": "Runs as root user", + "Description": "Force the running image to run as a non-root user to ensure least privileges.", + "Message": "Container 'minio' of StatefulSet 'devtron-minio' should set 'securityContext.runAsNonRoot' to true", + "Namespace": "builtin.kubernetes.KSV012", + "Query": "data.builtin.kubernetes.KSV012.deny", + "Resolution": "Set 'containers[].securityContext.runAsNonRoot' to true.", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv012", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", + "https://avd.aquasec.com/misconfig/ksv012" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 281, + "EndLine": 305, + "Code": { + "Lines": [ + { + "Number": 281, + "Content": " - name: minio", + "IsCause": true, + "Annotation": "", + 
"Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: minio", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 282, + "Content": " image: \"quay.io/devtron/minio:RELEASE.2021-02-14T04-01-33Z\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/minio:RELEASE.2021-02-14T04-01-33Z\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 283, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 284, + "Content": "", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "FirstCause": false, + "LastCause": false + }, + { + "Number": 285, + "Content": " command: [ \"/bin/sh\",", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mcommand\u001b[0m: [ \u001b[38;5;37m\"/bin/sh\"\u001b[0m,", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 286, + "Content": " \"-ce\",", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;37m\"-ce\"\u001b[0m,", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 287, + "Content": " \"/usr/bin/docker-entrypoint.sh minio -S /etc/minio/certs/ server http://devtron-minio-{0...3}.devtron-minio-svc.devtroncd.svc.cluster.local/export\" ]", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;37m\"/usr/bin/docker-entrypoint.sh minio -S /etc/minio/certs/ server http://devtron-minio-{0...3}.devtron-minio-svc.devtroncd.svc.cluster.local/export\"\u001b[0m ]", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 288, + "Content": " volumeMounts:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " 
\u001b[38;5;33mvolumeMounts\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 289, + "Content": " - name: export", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: export", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 290, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV012", + "AVDID": "AVD-KSV-0012", + "Title": "Runs as root user", + "Description": "Force the running image to run as a non-root user to ensure least privileges.", + "Message": "Container 'minio-mc' of Job 'devtron-minio-make-bucket-job' should set 'securityContext.runAsNonRoot' to true", + "Namespace": "builtin.kubernetes.KSV012", + "Query": "data.builtin.kubernetes.KSV012.deny", + "Resolution": "Set 'containers[].securityContext.runAsNonRoot' to true.", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv012", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", + "https://avd.aquasec.com/misconfig/ksv012" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 350, + "EndLine": 362, + "Code": { + "Lines": [ + { + "Number": 350, + "Content": " - name: minio-mc", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: minio-mc", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 351, + "Content": " image: \"quay.io/devtron/minio-mc:RELEASE.2021-02-14T04-28-06Z\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/minio-mc:RELEASE.2021-02-14T04-28-06Z\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 352, + "Content": " 
imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 353, + "Content": " command: [\"/bin/sh\", \"/config/initialize\"]", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mcommand\u001b[0m: [\u001b[38;5;37m\"/bin/sh\"\u001b[0m, \u001b[38;5;37m\"/config/initialize\"\u001b[0m]", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 354, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 355, + "Content": " - name: MINIO_ENDPOINT", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: MINIO_ENDPOINT", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 356, + "Content": " value: devtron-minio", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: devtron-minio", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 357, + "Content": " - name: MINIO_PORT", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: MINIO_PORT", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 358, + "Content": " value: \"9000\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: \u001b[38;5;37m\"9000\"", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 359, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV014", + "AVDID": "AVD-KSV-0014", + "Title": "Root file system is not 
read-only", + "Description": "An immutable root file system prevents applications from writing to their local disk. This can limit intrusions, as attackers will not be able to tamper with the file system or write foreign executables to disk.", + "Message": "Container 'minio' of StatefulSet 'devtron-minio' should set 'securityContext.readOnlyRootFilesystem' to true", + "Namespace": "builtin.kubernetes.KSV014", + "Query": "data.builtin.kubernetes.KSV014.deny", + "Resolution": "Change 'containers[].securityContext.readOnlyRootFilesystem' to 'true'.", + "Severity": "HIGH", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv014", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-readonlyrootfilesystem-true/", + "https://avd.aquasec.com/misconfig/ksv014" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 281, + "EndLine": 305, + "Code": { + "Lines": [ + { + "Number": 281, + "Content": " - name: minio", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: minio", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 282, + "Content": " image: \"quay.io/devtron/minio:RELEASE.2021-02-14T04-01-33Z\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/minio:RELEASE.2021-02-14T04-01-33Z\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 283, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 284, + "Content": "", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "FirstCause": false, + "LastCause": false + }, + { + "Number": 285, + "Content": " command: [ \"/bin/sh\",", + "IsCause": 
true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mcommand\u001b[0m: [ \u001b[38;5;37m\"/bin/sh\"\u001b[0m,", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 286, + "Content": " \"-ce\",", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;37m\"-ce\"\u001b[0m,", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 287, + "Content": " \"/usr/bin/docker-entrypoint.sh minio -S /etc/minio/certs/ server http://devtron-minio-{0...3}.devtron-minio-svc.devtroncd.svc.cluster.local/export\" ]", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;37m\"/usr/bin/docker-entrypoint.sh minio -S /etc/minio/certs/ server http://devtron-minio-{0...3}.devtron-minio-svc.devtroncd.svc.cluster.local/export\"\u001b[0m ]", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 288, + "Content": " volumeMounts:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvolumeMounts\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 289, + "Content": " - name: export", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: export", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 290, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV014", + "AVDID": "AVD-KSV-0014", + "Title": "Root file system is not read-only", + "Description": "An immutable root file system prevents applications from writing to their local disk. 
This can limit intrusions, as attackers will not be able to tamper with the file system or write foreign executables to disk.", + "Message": "Container 'minio-mc' of Job 'devtron-minio-make-bucket-job' should set 'securityContext.readOnlyRootFilesystem' to true", + "Namespace": "builtin.kubernetes.KSV014", + "Query": "data.builtin.kubernetes.KSV014.deny", + "Resolution": "Change 'containers[].securityContext.readOnlyRootFilesystem' to 'true'.", + "Severity": "HIGH", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv014", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-readonlyrootfilesystem-true/", + "https://avd.aquasec.com/misconfig/ksv014" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 350, + "EndLine": 362, + "Code": { + "Lines": [ + { + "Number": 350, + "Content": " - name: minio-mc", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: minio-mc", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 351, + "Content": " image: \"quay.io/devtron/minio-mc:RELEASE.2021-02-14T04-28-06Z\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/minio-mc:RELEASE.2021-02-14T04-28-06Z\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 352, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 353, + "Content": " command: [\"/bin/sh\", \"/config/initialize\"]", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mcommand\u001b[0m: [\u001b[38;5;37m\"/bin/sh\"\u001b[0m, \u001b[38;5;37m\"/config/initialize\"\u001b[0m]", + "FirstCause": false, + 
"LastCause": false + }, + { + "Number": 354, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 355, + "Content": " - name: MINIO_ENDPOINT", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: MINIO_ENDPOINT", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 356, + "Content": " value: devtron-minio", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: devtron-minio", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 357, + "Content": " - name: MINIO_PORT", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: MINIO_PORT", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 358, + "Content": " value: \"9000\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: \u001b[38;5;37m\"9000\"", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 359, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV015", + "AVDID": "AVD-KSV-0015", + "Title": "CPU requests not specified", + "Description": "When containers have resource requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", + "Message": "Container 'minio' of StatefulSet 'devtron-minio' should set 'resources.requests.cpu'", + "Namespace": "builtin.kubernetes.KSV015", + "Query": "data.builtin.kubernetes.KSV015.deny", + "Resolution": "Set 'containers[].resources.requests.cpu'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv015", + 
"References": [ + "https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", + "https://avd.aquasec.com/misconfig/ksv015" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 281, + "EndLine": 305, + "Code": { + "Lines": [ + { + "Number": 281, + "Content": " - name: minio", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: minio", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 282, + "Content": " image: \"quay.io/devtron/minio:RELEASE.2021-02-14T04-01-33Z\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/minio:RELEASE.2021-02-14T04-01-33Z\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 283, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 284, + "Content": "", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "FirstCause": false, + "LastCause": false + }, + { + "Number": 285, + "Content": " command: [ \"/bin/sh\",", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mcommand\u001b[0m: [ \u001b[38;5;37m\"/bin/sh\"\u001b[0m,", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 286, + "Content": " \"-ce\",", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;37m\"-ce\"\u001b[0m,", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 287, + "Content": " \"/usr/bin/docker-entrypoint.sh minio -S /etc/minio/certs/ server http://devtron-minio-{0...3}.devtron-minio-svc.devtroncd.svc.cluster.local/export\" ]", + "IsCause": 
true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;37m\"/usr/bin/docker-entrypoint.sh minio -S /etc/minio/certs/ server http://devtron-minio-{0...3}.devtron-minio-svc.devtroncd.svc.cluster.local/export\"\u001b[0m ]", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 288, + "Content": " volumeMounts:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvolumeMounts\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 289, + "Content": " - name: export", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: export", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 290, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV015", + "AVDID": "AVD-KSV-0015", + "Title": "CPU requests not specified", + "Description": "When containers have resource requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", + "Message": "Container 'minio-mc' of Job 'devtron-minio-make-bucket-job' should set 'resources.requests.cpu'", + "Namespace": "builtin.kubernetes.KSV015", + "Query": "data.builtin.kubernetes.KSV015.deny", + "Resolution": "Set 'containers[].resources.requests.cpu'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv015", + "References": [ + "https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", + "https://avd.aquasec.com/misconfig/ksv015" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 350, + "EndLine": 362, + "Code": { + "Lines": [ + { + "Number": 350, + "Content": " - name: minio-mc", + "IsCause": 
true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: minio-mc", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 351, + "Content": " image: \"quay.io/devtron/minio-mc:RELEASE.2021-02-14T04-28-06Z\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/minio-mc:RELEASE.2021-02-14T04-28-06Z\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 352, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 353, + "Content": " command: [\"/bin/sh\", \"/config/initialize\"]", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mcommand\u001b[0m: [\u001b[38;5;37m\"/bin/sh\"\u001b[0m, \u001b[38;5;37m\"/config/initialize\"\u001b[0m]", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 354, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 355, + "Content": " - name: MINIO_ENDPOINT", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: MINIO_ENDPOINT", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 356, + "Content": " value: devtron-minio", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: devtron-minio", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 357, + "Content": " - name: MINIO_PORT", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: MINIO_PORT", + "FirstCause": false, + "LastCause": false + 
}, + { + "Number": 358, + "Content": " value: \"9000\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: \u001b[38;5;37m\"9000\"", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 359, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV016", + "AVDID": "AVD-KSV-0016", + "Title": "Memory requests not specified", + "Description": "When containers have memory requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", + "Message": "Container 'minio' of StatefulSet 'devtron-minio' should set 'resources.requests.memory'", + "Namespace": "builtin.kubernetes.KSV016", + "Query": "data.builtin.kubernetes.KSV016.deny", + "Resolution": "Set 'containers[].resources.requests.memory'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv016", + "References": [ + "https://kubesec.io/basics/containers-resources-limits-memory/", + "https://avd.aquasec.com/misconfig/ksv016" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 281, + "EndLine": 305, + "Code": { + "Lines": [ + { + "Number": 281, + "Content": " - name: minio", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: minio", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 282, + "Content": " image: \"quay.io/devtron/minio:RELEASE.2021-02-14T04-01-33Z\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/minio:RELEASE.2021-02-14T04-01-33Z\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 283, + "Content": " imagePullPolicy: IfNotPresent", + 
"IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 284, + "Content": "", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "FirstCause": false, + "LastCause": false + }, + { + "Number": 285, + "Content": " command: [ \"/bin/sh\",", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mcommand\u001b[0m: [ \u001b[38;5;37m\"/bin/sh\"\u001b[0m,", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 286, + "Content": " \"-ce\",", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;37m\"-ce\"\u001b[0m,", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 287, + "Content": " \"/usr/bin/docker-entrypoint.sh minio -S /etc/minio/certs/ server http://devtron-minio-{0...3}.devtron-minio-svc.devtroncd.svc.cluster.local/export\" ]", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;37m\"/usr/bin/docker-entrypoint.sh minio -S /etc/minio/certs/ server http://devtron-minio-{0...3}.devtron-minio-svc.devtroncd.svc.cluster.local/export\"\u001b[0m ]", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 288, + "Content": " volumeMounts:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvolumeMounts\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 289, + "Content": " - name: export", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: export", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 290, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV016", + "AVDID": 
"AVD-KSV-0016", + "Title": "Memory requests not specified", + "Description": "When containers have memory requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", + "Message": "Container 'minio-mc' of Job 'devtron-minio-make-bucket-job' should set 'resources.requests.memory'", + "Namespace": "builtin.kubernetes.KSV016", + "Query": "data.builtin.kubernetes.KSV016.deny", + "Resolution": "Set 'containers[].resources.requests.memory'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv016", + "References": [ + "https://kubesec.io/basics/containers-resources-limits-memory/", + "https://avd.aquasec.com/misconfig/ksv016" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 350, + "EndLine": 362, + "Code": { + "Lines": [ + { + "Number": 350, + "Content": " - name: minio-mc", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: minio-mc", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 351, + "Content": " image: \"quay.io/devtron/minio-mc:RELEASE.2021-02-14T04-28-06Z\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/minio-mc:RELEASE.2021-02-14T04-28-06Z\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 352, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 353, + "Content": " command: [\"/bin/sh\", \"/config/initialize\"]", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mcommand\u001b[0m: [\u001b[38;5;37m\"/bin/sh\"\u001b[0m, 
\u001b[38;5;37m\"/config/initialize\"\u001b[0m]", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 354, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 355, + "Content": " - name: MINIO_ENDPOINT", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: MINIO_ENDPOINT", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 356, + "Content": " value: devtron-minio", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: devtron-minio", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 357, + "Content": " - name: MINIO_PORT", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: MINIO_PORT", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 358, + "Content": " value: \"9000\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: \u001b[38;5;37m\"9000\"", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 359, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV018", + "AVDID": "AVD-KSV-0018", + "Title": "Memory not limited", + "Description": "Enforcing memory limits prevents DoS via resource exhaustion.", + "Message": "Container 'minio' of StatefulSet 'devtron-minio' should set 'resources.limits.memory'", + "Namespace": "builtin.kubernetes.KSV018", + "Query": "data.builtin.kubernetes.KSV018.deny", + "Resolution": "Set a limit value under 'containers[].resources.limits.memory'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv018", + "References": [ + 
"https://kubesec.io/basics/containers-resources-limits-memory/", + "https://avd.aquasec.com/misconfig/ksv018" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 281, + "EndLine": 305, + "Code": { + "Lines": [ + { + "Number": 281, + "Content": " - name: minio", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: minio", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 282, + "Content": " image: \"quay.io/devtron/minio:RELEASE.2021-02-14T04-01-33Z\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/minio:RELEASE.2021-02-14T04-01-33Z\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 283, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 284, + "Content": "", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "FirstCause": false, + "LastCause": false + }, + { + "Number": 285, + "Content": " command: [ \"/bin/sh\",", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mcommand\u001b[0m: [ \u001b[38;5;37m\"/bin/sh\"\u001b[0m,", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 286, + "Content": " \"-ce\",", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;37m\"-ce\"\u001b[0m,", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 287, + "Content": " \"/usr/bin/docker-entrypoint.sh minio -S /etc/minio/certs/ server http://devtron-minio-{0...3}.devtron-minio-svc.devtroncd.svc.cluster.local/export\" ]", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " 
\u001b[38;5;37m\"/usr/bin/docker-entrypoint.sh minio -S /etc/minio/certs/ server http://devtron-minio-{0...3}.devtron-minio-svc.devtroncd.svc.cluster.local/export\"\u001b[0m ]", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 288, + "Content": " volumeMounts:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvolumeMounts\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 289, + "Content": " - name: export", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: export", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 290, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV018", + "AVDID": "AVD-KSV-0018", + "Title": "Memory not limited", + "Description": "Enforcing memory limits prevents DoS via resource exhaustion.", + "Message": "Container 'minio-mc' of Job 'devtron-minio-make-bucket-job' should set 'resources.limits.memory'", + "Namespace": "builtin.kubernetes.KSV018", + "Query": "data.builtin.kubernetes.KSV018.deny", + "Resolution": "Set a limit value under 'containers[].resources.limits.memory'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv018", + "References": [ + "https://kubesec.io/basics/containers-resources-limits-memory/", + "https://avd.aquasec.com/misconfig/ksv018" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 350, + "EndLine": 362, + "Code": { + "Lines": [ + { + "Number": 350, + "Content": " - name: minio-mc", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: minio-mc", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 351, + "Content": " image: 
\"quay.io/devtron/minio-mc:RELEASE.2021-02-14T04-28-06Z\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/minio-mc:RELEASE.2021-02-14T04-28-06Z\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 352, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 353, + "Content": " command: [\"/bin/sh\", \"/config/initialize\"]", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mcommand\u001b[0m: [\u001b[38;5;37m\"/bin/sh\"\u001b[0m, \u001b[38;5;37m\"/config/initialize\"\u001b[0m]", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 354, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 355, + "Content": " - name: MINIO_ENDPOINT", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: MINIO_ENDPOINT", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 356, + "Content": " value: devtron-minio", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: devtron-minio", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 357, + "Content": " - name: MINIO_PORT", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: MINIO_PORT", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 358, + "Content": " value: \"9000\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: \u001b[38;5;37m\"9000\"", + 
"FirstCause": false, + "LastCause": true + }, + { + "Number": 359, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV020", + "AVDID": "AVD-KSV-0020", + "Title": "Runs with UID \u003c= 10000", + "Description": "Force the container to run with user ID \u003e 10000 to avoid conflicts with the host’s user table.", + "Message": "Container 'minio' of StatefulSet 'devtron-minio' should set 'securityContext.runAsUser' \u003e 10000", + "Namespace": "builtin.kubernetes.KSV020", + "Query": "data.builtin.kubernetes.KSV020.deny", + "Resolution": "Set 'containers[].securityContext.runAsUser' to an integer \u003e 10000.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv020", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-runasuser/", + "https://avd.aquasec.com/misconfig/ksv020" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 281, + "EndLine": 305, + "Code": { + "Lines": [ + { + "Number": 281, + "Content": " - name: minio", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: minio", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 282, + "Content": " image: \"quay.io/devtron/minio:RELEASE.2021-02-14T04-01-33Z\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/minio:RELEASE.2021-02-14T04-01-33Z\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 283, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 284, + "Content": 
"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "FirstCause": false, + "LastCause": false + }, + { + "Number": 285, + "Content": " command: [ \"/bin/sh\",", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mcommand\u001b[0m: [ \u001b[38;5;37m\"/bin/sh\"\u001b[0m,", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 286, + "Content": " \"-ce\",", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;37m\"-ce\"\u001b[0m,", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 287, + "Content": " \"/usr/bin/docker-entrypoint.sh minio -S /etc/minio/certs/ server http://devtron-minio-{0...3}.devtron-minio-svc.devtroncd.svc.cluster.local/export\" ]", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;37m\"/usr/bin/docker-entrypoint.sh minio -S /etc/minio/certs/ server http://devtron-minio-{0...3}.devtron-minio-svc.devtroncd.svc.cluster.local/export\"\u001b[0m ]", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 288, + "Content": " volumeMounts:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvolumeMounts\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 289, + "Content": " - name: export", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: export", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 290, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV020", + "AVDID": "AVD-KSV-0020", + "Title": "Runs with UID \u003c= 10000", + "Description": "Force the container to run with user ID \u003e 10000 to avoid conflicts with the host’s user table.", + "Message": "Container 'minio-mc' of Job 
'devtron-minio-make-bucket-job' should set 'securityContext.runAsUser' \u003e 10000", + "Namespace": "builtin.kubernetes.KSV020", + "Query": "data.builtin.kubernetes.KSV020.deny", + "Resolution": "Set 'containers[].securityContext.runAsUser' to an integer \u003e 10000.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv020", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-runasuser/", + "https://avd.aquasec.com/misconfig/ksv020" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 350, + "EndLine": 362, + "Code": { + "Lines": [ + { + "Number": 350, + "Content": " - name: minio-mc", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: minio-mc", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 351, + "Content": " image: \"quay.io/devtron/minio-mc:RELEASE.2021-02-14T04-28-06Z\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/minio-mc:RELEASE.2021-02-14T04-28-06Z\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 352, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 353, + "Content": " command: [\"/bin/sh\", \"/config/initialize\"]", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mcommand\u001b[0m: [\u001b[38;5;37m\"/bin/sh\"\u001b[0m, \u001b[38;5;37m\"/config/initialize\"\u001b[0m]", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 354, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, 
+ "LastCause": false + }, + { + "Number": 355, + "Content": " - name: MINIO_ENDPOINT", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: MINIO_ENDPOINT", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 356, + "Content": " value: devtron-minio", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: devtron-minio", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 357, + "Content": " - name: MINIO_PORT", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: MINIO_PORT", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 358, + "Content": " value: \"9000\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: \u001b[38;5;37m\"9000\"", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 359, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV021", + "AVDID": "AVD-KSV-0021", + "Title": "Runs with GID \u003c= 10000", + "Description": "Force the container to run with group ID \u003e 10000 to avoid conflicts with the host’s user table.", + "Message": "Container 'minio' of StatefulSet 'devtron-minio' should set 'securityContext.runAsGroup' \u003e 10000", + "Namespace": "builtin.kubernetes.KSV021", + "Query": "data.builtin.kubernetes.KSV021.deny", + "Resolution": "Set 'containers[].securityContext.runAsGroup' to an integer \u003e 10000.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv021", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-runasuser/", + "https://avd.aquasec.com/misconfig/ksv021" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + 
"Service": "general", + "StartLine": 281, + "EndLine": 305, + "Code": { + "Lines": [ + { + "Number": 281, + "Content": " - name: minio", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: minio", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 282, + "Content": " image: \"quay.io/devtron/minio:RELEASE.2021-02-14T04-01-33Z\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/minio:RELEASE.2021-02-14T04-01-33Z\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 283, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 284, + "Content": "", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "FirstCause": false, + "LastCause": false + }, + { + "Number": 285, + "Content": " command: [ \"/bin/sh\",", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mcommand\u001b[0m: [ \u001b[38;5;37m\"/bin/sh\"\u001b[0m,", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 286, + "Content": " \"-ce\",", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;37m\"-ce\"\u001b[0m,", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 287, + "Content": " \"/usr/bin/docker-entrypoint.sh minio -S /etc/minio/certs/ server http://devtron-minio-{0...3}.devtron-minio-svc.devtroncd.svc.cluster.local/export\" ]", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;37m\"/usr/bin/docker-entrypoint.sh minio -S /etc/minio/certs/ server http://devtron-minio-{0...3}.devtron-minio-svc.devtroncd.svc.cluster.local/export\"\u001b[0m ]", + "FirstCause": false, + 
"LastCause": false + }, + { + "Number": 288, + "Content": " volumeMounts:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvolumeMounts\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 289, + "Content": " - name: export", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: export", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 290, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV021", + "AVDID": "AVD-KSV-0021", + "Title": "Runs with GID \u003c= 10000", + "Description": "Force the container to run with group ID \u003e 10000 to avoid conflicts with the host’s user table.", + "Message": "Container 'minio-mc' of Job 'devtron-minio-make-bucket-job' should set 'securityContext.runAsGroup' \u003e 10000", + "Namespace": "builtin.kubernetes.KSV021", + "Query": "data.builtin.kubernetes.KSV021.deny", + "Resolution": "Set 'containers[].securityContext.runAsGroup' to an integer \u003e 10000.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv021", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-runasuser/", + "https://avd.aquasec.com/misconfig/ksv021" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 350, + "EndLine": 362, + "Code": { + "Lines": [ + { + "Number": 350, + "Content": " - name: minio-mc", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: minio-mc", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 351, + "Content": " image: \"quay.io/devtron/minio-mc:RELEASE.2021-02-14T04-28-06Z\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " 
\u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/minio-mc:RELEASE.2021-02-14T04-28-06Z\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 352, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 353, + "Content": " command: [\"/bin/sh\", \"/config/initialize\"]", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mcommand\u001b[0m: [\u001b[38;5;37m\"/bin/sh\"\u001b[0m, \u001b[38;5;37m\"/config/initialize\"\u001b[0m]", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 354, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 355, + "Content": " - name: MINIO_ENDPOINT", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: MINIO_ENDPOINT", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 356, + "Content": " value: devtron-minio", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: devtron-minio", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 357, + "Content": " - name: MINIO_PORT", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: MINIO_PORT", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 358, + "Content": " value: \"9000\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: \u001b[38;5;37m\"9000\"", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 359, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + 
"FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV030", + "AVDID": "AVD-KSV-0030", + "Title": "Runtime/Default Seccomp profile not set", + "Description": "According to pod security standard 'Seccomp', the RuntimeDefault seccomp profile must be required, or allow specific additional profiles.", + "Message": "Either Pod or Container should set 'securityContext.seccompProfile.type' to 'RuntimeDefault'", + "Namespace": "builtin.kubernetes.KSV030", + "Query": "data.builtin.kubernetes.KSV030.deny", + "Resolution": "Set 'spec.securityContext.seccompProfile.type', 'spec.containers[*].securityContext.seccompProfile' and 'spec.initContainers[*].securityContext.seccompProfile' to 'RuntimeDefault' or undefined.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv030", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", + "https://avd.aquasec.com/misconfig/ksv030" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 281, + "EndLine": 305, + "Code": { + "Lines": [ + { + "Number": 281, + "Content": " - name: minio", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: minio", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 282, + "Content": " image: \"quay.io/devtron/minio:RELEASE.2021-02-14T04-01-33Z\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/minio:RELEASE.2021-02-14T04-01-33Z\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 283, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + 
{ + "Number": 284, + "Content": "", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "FirstCause": false, + "LastCause": false + }, + { + "Number": 285, + "Content": " command: [ \"/bin/sh\",", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mcommand\u001b[0m: [ \u001b[38;5;37m\"/bin/sh\"\u001b[0m,", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 286, + "Content": " \"-ce\",", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;37m\"-ce\"\u001b[0m,", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 287, + "Content": " \"/usr/bin/docker-entrypoint.sh minio -S /etc/minio/certs/ server http://devtron-minio-{0...3}.devtron-minio-svc.devtroncd.svc.cluster.local/export\" ]", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;37m\"/usr/bin/docker-entrypoint.sh minio -S /etc/minio/certs/ server http://devtron-minio-{0...3}.devtron-minio-svc.devtroncd.svc.cluster.local/export\"\u001b[0m ]", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 288, + "Content": " volumeMounts:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvolumeMounts\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 289, + "Content": " - name: export", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: export", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 290, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV030", + "AVDID": "AVD-KSV-0030", + "Title": "Runtime/Default Seccomp profile not set", + "Description": "According to pod security standard 'Seccomp', the RuntimeDefault seccomp profile must be required, or allow 
specific additional profiles.", + "Message": "Either Pod or Container should set 'securityContext.seccompProfile.type' to 'RuntimeDefault'", + "Namespace": "builtin.kubernetes.KSV030", + "Query": "data.builtin.kubernetes.KSV030.deny", + "Resolution": "Set 'spec.securityContext.seccompProfile.type', 'spec.containers[*].securityContext.seccompProfile' and 'spec.initContainers[*].securityContext.seccompProfile' to 'RuntimeDefault' or undefined.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv030", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", + "https://avd.aquasec.com/misconfig/ksv030" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 350, + "EndLine": 362, + "Code": { + "Lines": [ + { + "Number": 350, + "Content": " - name: minio-mc", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: minio-mc", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 351, + "Content": " image: \"quay.io/devtron/minio-mc:RELEASE.2021-02-14T04-28-06Z\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/minio-mc:RELEASE.2021-02-14T04-28-06Z\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 352, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 353, + "Content": " command: [\"/bin/sh\", \"/config/initialize\"]", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mcommand\u001b[0m: [\u001b[38;5;37m\"/bin/sh\"\u001b[0m, \u001b[38;5;37m\"/config/initialize\"\u001b[0m]", + "FirstCause": false, + 
"LastCause": false + }, + { + "Number": 354, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 355, + "Content": " - name: MINIO_ENDPOINT", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: MINIO_ENDPOINT", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 356, + "Content": " value: devtron-minio", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: devtron-minio", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 357, + "Content": " - name: MINIO_PORT", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: MINIO_PORT", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 358, + "Content": " value: \"9000\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: \u001b[38;5;37m\"9000\"", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 359, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV104", + "AVDID": "AVD-KSV-0104", + "Title": "Seccomp policies disabled", + "Description": "A program inside the container can bypass Seccomp protection policies.", + "Message": "container \"minio\" of statefulset \"devtron-minio\" in \"default\" namespace should specify a seccomp profile", + "Namespace": "builtin.kubernetes.KSV104", + "Query": "data.builtin.kubernetes.KSV104.deny", + "Resolution": "Specify seccomp either by annotation or by seccomp profile type having allowed values as per pod security standards", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv104", + 
"References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline", + "https://avd.aquasec.com/misconfig/ksv104" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 244, + "EndLine": 244, + "Code": { + "Lines": [ + { + "Number": 244, + "Content": "---", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "---", + "FirstCause": true, + "LastCause": true + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV104", + "AVDID": "AVD-KSV-0104", + "Title": "Seccomp policies disabled", + "Description": "A program inside the container can bypass Seccomp protection policies.", + "Message": "container \"minio-mc\" of job \"devtron-minio-make-bucket-job\" in \"default\" namespace should specify a seccomp profile", + "Namespace": "builtin.kubernetes.KSV104", + "Query": "data.builtin.kubernetes.KSV104.deny", + "Resolution": "Specify seccomp either by annotation or by seccomp profile type having allowed values as per pod security standards", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv104", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline", + "https://avd.aquasec.com/misconfig/ksv104" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 318, + "EndLine": 318, + "Code": { + "Lines": [ + { + "Number": 318, + "Content": "---", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "---", + "FirstCause": true, + "LastCause": true + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV106", + "AVDID": "AVD-KSV-0106", + "Title": "Container capabilities must only include NET_BIND_SERVICE", + "Description": "Containers must drop ALL capabilities, and are only permitted to add back the NET_BIND_SERVICE capability.", + "Message": 
"container should drop all", + "Namespace": "builtin.kubernetes.KSV106", + "Query": "data.builtin.kubernetes.KSV106.deny", + "Resolution": "Set 'spec.containers[*].securityContext.capabilities.drop' to 'ALL' and only add 'NET_BIND_SERVICE' to 'spec.containers[*].securityContext.capabilities.add'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv106", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", + "https://avd.aquasec.com/misconfig/ksv106" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 281, + "EndLine": 305, + "Code": { + "Lines": [ + { + "Number": 281, + "Content": " - name: minio", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: minio", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 282, + "Content": " image: \"quay.io/devtron/minio:RELEASE.2021-02-14T04-01-33Z\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/minio:RELEASE.2021-02-14T04-01-33Z\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 283, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 284, + "Content": "", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "FirstCause": false, + "LastCause": false + }, + { + "Number": 285, + "Content": " command: [ \"/bin/sh\",", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mcommand\u001b[0m: [ \u001b[38;5;37m\"/bin/sh\"\u001b[0m,", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 286, + "Content": " \"-ce\",", + "IsCause": true, + 
"Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;37m\"-ce\"\u001b[0m,", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 287, + "Content": " \"/usr/bin/docker-entrypoint.sh minio -S /etc/minio/certs/ server http://devtron-minio-{0...3}.devtron-minio-svc.devtroncd.svc.cluster.local/export\" ]", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;37m\"/usr/bin/docker-entrypoint.sh minio -S /etc/minio/certs/ server http://devtron-minio-{0...3}.devtron-minio-svc.devtroncd.svc.cluster.local/export\"\u001b[0m ]", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 288, + "Content": " volumeMounts:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvolumeMounts\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 289, + "Content": " - name: export", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: export", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 290, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV106", + "AVDID": "AVD-KSV-0106", + "Title": "Container capabilities must only include NET_BIND_SERVICE", + "Description": "Containers must drop ALL capabilities, and are only permitted to add back the NET_BIND_SERVICE capability.", + "Message": "container should drop all", + "Namespace": "builtin.kubernetes.KSV106", + "Query": "data.builtin.kubernetes.KSV106.deny", + "Resolution": "Set 'spec.containers[*].securityContext.capabilities.drop' to 'ALL' and only add 'NET_BIND_SERVICE' to 'spec.containers[*].securityContext.capabilities.add'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv106", + "References": [ + 
"https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", + "https://avd.aquasec.com/misconfig/ksv106" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 350, + "EndLine": 362, + "Code": { + "Lines": [ + { + "Number": 350, + "Content": " - name: minio-mc", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: minio-mc", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 351, + "Content": " image: \"quay.io/devtron/minio-mc:RELEASE.2021-02-14T04-28-06Z\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/minio-mc:RELEASE.2021-02-14T04-28-06Z\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 352, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 353, + "Content": " command: [\"/bin/sh\", \"/config/initialize\"]", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mcommand\u001b[0m: [\u001b[38;5;37m\"/bin/sh\"\u001b[0m, \u001b[38;5;37m\"/config/initialize\"\u001b[0m]", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 354, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 355, + "Content": " - name: MINIO_ENDPOINT", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: MINIO_ENDPOINT", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 356, + "Content": " value: devtron-minio", + "IsCause": true, + 
"Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: devtron-minio", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 357, + "Content": " - name: MINIO_PORT", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: MINIO_PORT", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 358, + "Content": " value: \"9000\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: \u001b[38;5;37m\"9000\"", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 359, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "AVD-KSV-0109", + "AVDID": "AVD-KSV-0109", + "Title": "ConfigMap with secrets", + "Description": "Storing secrets in configMaps is unsafe", + "Message": "ConfigMap 'devtron-minio' in 'default' namespace stores secrets in key(s) or value(s) '{\" ACCESS\"}'", + "Namespace": "builtin.kubernetes.KSV0109", + "Query": "data.builtin.kubernetes.KSV0109.deny", + "Resolution": "Remove password/secret from configMap data value", + "Severity": "HIGH", + "PrimaryURL": "https://avd.aquasec.com/misconfig/avd-ksv-0109", + "References": [ + "https://avd.aquasec.com/misconfig/avd-ksv-0109" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 38, + "EndLine": 38, + "Code": { + "Lines": [ + { + "Number": 38, + "Content": "---", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m---", + "FirstCause": true, + "LastCause": true + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV113", + "AVDID": "AVD-KSV-0113", + "Title": "Manage namespace secrets", + "Description": "Viewing secrets at the namespace scope can lead to escalation if 
another service account in that namespace has a higher privileged rolebinding or clusterrolebinding bound.", + "Message": "Role 'devtron-minio-update-prometheus-secret' shouldn't have access to manage secrets in namespace 'default'", + "Namespace": "builtin.kubernetes.KSV113", + "Query": "data.builtin.kubernetes.KSV113.deny", + "Resolution": "Manage namespace secrets are not allowed. Remove resource 'secrets' from role", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv113", + "References": [ + "https://kubernetes.io/docs/concepts/security/rbac-good-practices/", + "https://avd.aquasec.com/misconfig/ksv113" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 158, + "EndLine": 168, + "Code": { + "Lines": [ + { + "Number": 158, + "Content": " - apiGroups:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mapiGroups\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 159, + "Content": " - \"\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;37m\"\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 160, + "Content": " resources:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mresources\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 161, + "Content": " - secrets", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - secrets", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 162, + "Content": " verbs:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mverbs\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 163, + "Content": " - get", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - get", + 
"FirstCause": false, + "LastCause": false + }, + { + "Number": 164, + "Content": " - create", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - create", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 165, + "Content": " - update", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - update", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 166, + "Content": " - patch", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - patch", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 167, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV113", + "AVDID": "AVD-KSV-0113", + "Title": "Manage namespace secrets", + "Description": "Viewing secrets at the namespace scope can lead to escalation if another service account in that namespace has a higher privileged rolebinding or clusterrolebinding bound.", + "Message": "Role 'devtron-minio-update-prometheus-secret' shouldn't have access to manage secrets in namespace 'default'", + "Namespace": "builtin.kubernetes.KSV113", + "Query": "data.builtin.kubernetes.KSV113.deny", + "Resolution": "Manage namespace secrets are not allowed. 
Remove resource 'secrets' from role", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv113", + "References": [ + "https://kubernetes.io/docs/concepts/security/rbac-good-practices/", + "https://avd.aquasec.com/misconfig/ksv113" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 169, + "EndLine": 174, + "Code": { + "Lines": [ + { + "Number": 169, + "Content": " - apiGroups:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mapiGroups\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 170, + "Content": " - \"\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;37m\"\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 171, + "Content": " resources:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mresources\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 172, + "Content": " - secrets", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - secrets", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 173, + "Content": " verbs:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mverbs\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 174, + "Content": " - create", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - create", + "FirstCause": false, + "LastCause": true + } + ] + } + } + } + ] + }, + { + "Target": "manifests/yamls/minio.yaml", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 153, + "Failures": 16, + "Exceptions": 0 + }, + "Misconfigurations": [ + { + "Type": "Kubernetes Security Check", + "ID": "KSV001", + "AVDID": "AVD-KSV-0001", + "Title": "Can elevate its own 
privileges", + "Description": "A program inside the container can elevate its own privileges and run as root, which might give the program control over the container and node.", + "Message": "Container 'minio' of Deployment 'devtron-minio' should set 'securityContext.allowPrivilegeEscalation' to false", + "Namespace": "builtin.kubernetes.KSV001", + "Query": "data.builtin.kubernetes.KSV001.deny", + "Resolution": "Set 'set containers[].securityContext.allowPrivilegeEscalation' to 'false'.", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv001", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", + "https://avd.aquasec.com/misconfig/ksv001" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 254, + "EndLine": 275, + "Code": { + "Lines": [ + { + "Number": 254, + "Content": " - name: minio", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: minio", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 255, + "Content": " image: \"quay.io/devtron/minio:RELEASE.2020-12-03T05-49-24Z\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/minio:RELEASE.2020-12-03T05-49-24Z\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 256, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 257, + "Content": " command:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mcommand\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 258, + "Content": " - \"/bin/sh\"", + "IsCause": true, + 
"Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;37m\"/bin/sh\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 259, + "Content": " - \"-ce\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m - \u001b[38;5;37m\"-ce\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 260, + "Content": " - \"/usr/bin/docker-entrypoint.sh minio -S /etc/minio/certs/ gateway azure\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m - \u001b[38;5;37m\"/usr/bin/docker-entrypoint.sh minio -S /etc/minio/certs/ gateway azure\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 261, + "Content": " volumeMounts: ", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mvolumeMounts\u001b[0m: ", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 262, + "Content": " ports:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mports\u001b[0m:", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 263, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV003", + "AVDID": "AVD-KSV-0003", + "Title": "Default capabilities: some containers do not drop all", + "Description": "The container should drop all default capabilities and add only those that are needed for its execution.", + "Message": "Container 'minio' of Deployment 'devtron-minio' should add 'ALL' to 'securityContext.capabilities.drop'", + "Namespace": "builtin.kubernetes.KSV003", + "Query": "data.builtin.kubernetes.KSV003.deny", + "Resolution": "Add 'ALL' to containers[].securityContext.capabilities.drop.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv003", + "References": [ + 
"https://kubesec.io/basics/containers-securitycontext-capabilities-drop-index-all/", + "https://avd.aquasec.com/misconfig/ksv003" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 254, + "EndLine": 275, + "Code": { + "Lines": [ + { + "Number": 254, + "Content": " - name: minio", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: minio", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 255, + "Content": " image: \"quay.io/devtron/minio:RELEASE.2020-12-03T05-49-24Z\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/minio:RELEASE.2020-12-03T05-49-24Z\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 256, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 257, + "Content": " command:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mcommand\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 258, + "Content": " - \"/bin/sh\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;37m\"/bin/sh\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 259, + "Content": " - \"-ce\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m - \u001b[38;5;37m\"-ce\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 260, + "Content": " - \"/usr/bin/docker-entrypoint.sh minio -S /etc/minio/certs/ gateway azure\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m - 
\u001b[38;5;37m\"/usr/bin/docker-entrypoint.sh minio -S /etc/minio/certs/ gateway azure\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 261, + "Content": " volumeMounts: ", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mvolumeMounts\u001b[0m: ", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 262, + "Content": " ports:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mports\u001b[0m:", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 263, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV011", + "AVDID": "AVD-KSV-0011", + "Title": "CPU not limited", + "Description": "Enforcing CPU limits prevents DoS via resource exhaustion.", + "Message": "Container 'minio' of Deployment 'devtron-minio' should set 'resources.limits.cpu'", + "Namespace": "builtin.kubernetes.KSV011", + "Query": "data.builtin.kubernetes.KSV011.deny", + "Resolution": "Set a limit value under 'containers[].resources.limits.cpu'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv011", + "References": [ + "https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", + "https://avd.aquasec.com/misconfig/ksv011" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 254, + "EndLine": 275, + "Code": { + "Lines": [ + { + "Number": 254, + "Content": " - name: minio", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: minio", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 255, + "Content": " image: \"quay.io/devtron/minio:RELEASE.2020-12-03T05-49-24Z\"", + "IsCause": true, + 
"Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/minio:RELEASE.2020-12-03T05-49-24Z\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 256, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 257, + "Content": " command:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mcommand\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 258, + "Content": " - \"/bin/sh\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;37m\"/bin/sh\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 259, + "Content": " - \"-ce\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m - \u001b[38;5;37m\"-ce\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 260, + "Content": " - \"/usr/bin/docker-entrypoint.sh minio -S /etc/minio/certs/ gateway azure\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m - \u001b[38;5;37m\"/usr/bin/docker-entrypoint.sh minio -S /etc/minio/certs/ gateway azure\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 261, + "Content": " volumeMounts: ", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mvolumeMounts\u001b[0m: ", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 262, + "Content": " ports:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mports\u001b[0m:", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 263, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + 
"FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV012", + "AVDID": "AVD-KSV-0012", + "Title": "Runs as root user", + "Description": "Force the running image to run as a non-root user to ensure least privileges.", + "Message": "Container 'minio' of Deployment 'devtron-minio' should set 'securityContext.runAsNonRoot' to true", + "Namespace": "builtin.kubernetes.KSV012", + "Query": "data.builtin.kubernetes.KSV012.deny", + "Resolution": "Set 'containers[].securityContext.runAsNonRoot' to true.", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv012", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", + "https://avd.aquasec.com/misconfig/ksv012" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 254, + "EndLine": 275, + "Code": { + "Lines": [ + { + "Number": 254, + "Content": " - name: minio", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: minio", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 255, + "Content": " image: \"quay.io/devtron/minio:RELEASE.2020-12-03T05-49-24Z\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/minio:RELEASE.2020-12-03T05-49-24Z\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 256, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 257, + "Content": " command:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mcommand\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + 
{ + "Number": 258, + "Content": " - \"/bin/sh\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;37m\"/bin/sh\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 259, + "Content": " - \"-ce\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m - \u001b[38;5;37m\"-ce\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 260, + "Content": " - \"/usr/bin/docker-entrypoint.sh minio -S /etc/minio/certs/ gateway azure\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m - \u001b[38;5;37m\"/usr/bin/docker-entrypoint.sh minio -S /etc/minio/certs/ gateway azure\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 261, + "Content": " volumeMounts: ", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mvolumeMounts\u001b[0m: ", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 262, + "Content": " ports:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mports\u001b[0m:", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 263, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV014", + "AVDID": "AVD-KSV-0014", + "Title": "Root file system is not read-only", + "Description": "An immutable root file system prevents applications from writing to their local disk. 
This can limit intrusions, as attackers will not be able to tamper with the file system or write foreign executables to disk.", + "Message": "Container 'minio' of Deployment 'devtron-minio' should set 'securityContext.readOnlyRootFilesystem' to true", + "Namespace": "builtin.kubernetes.KSV014", + "Query": "data.builtin.kubernetes.KSV014.deny", + "Resolution": "Change 'containers[].securityContext.readOnlyRootFilesystem' to 'true'.", + "Severity": "HIGH", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv014", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-readonlyrootfilesystem-true/", + "https://avd.aquasec.com/misconfig/ksv014" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 254, + "EndLine": 275, + "Code": { + "Lines": [ + { + "Number": 254, + "Content": " - name: minio", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: minio", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 255, + "Content": " image: \"quay.io/devtron/minio:RELEASE.2020-12-03T05-49-24Z\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/minio:RELEASE.2020-12-03T05-49-24Z\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 256, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 257, + "Content": " command:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mcommand\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 258, + "Content": " - \"/bin/sh\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": 
" - \u001b[38;5;37m\"/bin/sh\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 259, + "Content": " - \"-ce\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m - \u001b[38;5;37m\"-ce\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 260, + "Content": " - \"/usr/bin/docker-entrypoint.sh minio -S /etc/minio/certs/ gateway azure\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m - \u001b[38;5;37m\"/usr/bin/docker-entrypoint.sh minio -S /etc/minio/certs/ gateway azure\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 261, + "Content": " volumeMounts: ", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mvolumeMounts\u001b[0m: ", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 262, + "Content": " ports:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mports\u001b[0m:", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 263, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV015", + "AVDID": "AVD-KSV-0015", + "Title": "CPU requests not specified", + "Description": "When containers have resource requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", + "Message": "Container 'minio' of Deployment 'devtron-minio' should set 'resources.requests.cpu'", + "Namespace": "builtin.kubernetes.KSV015", + "Query": "data.builtin.kubernetes.KSV015.deny", + "Resolution": "Set 'containers[].resources.requests.cpu'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv015", + "References": [ + 
"https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", + "https://avd.aquasec.com/misconfig/ksv015" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 254, + "EndLine": 275, + "Code": { + "Lines": [ + { + "Number": 254, + "Content": " - name: minio", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: minio", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 255, + "Content": " image: \"quay.io/devtron/minio:RELEASE.2020-12-03T05-49-24Z\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/minio:RELEASE.2020-12-03T05-49-24Z\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 256, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 257, + "Content": " command:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mcommand\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 258, + "Content": " - \"/bin/sh\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;37m\"/bin/sh\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 259, + "Content": " - \"-ce\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m - \u001b[38;5;37m\"-ce\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 260, + "Content": " - \"/usr/bin/docker-entrypoint.sh minio -S /etc/minio/certs/ gateway azure\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m - 
\u001b[38;5;37m\"/usr/bin/docker-entrypoint.sh minio -S /etc/minio/certs/ gateway azure\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 261, + "Content": " volumeMounts: ", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mvolumeMounts\u001b[0m: ", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 262, + "Content": " ports:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mports\u001b[0m:", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 263, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV016", + "AVDID": "AVD-KSV-0016", + "Title": "Memory requests not specified", + "Description": "When containers have memory requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", + "Message": "Container 'minio' of Deployment 'devtron-minio' should set 'resources.requests.memory'", + "Namespace": "builtin.kubernetes.KSV016", + "Query": "data.builtin.kubernetes.KSV016.deny", + "Resolution": "Set 'containers[].resources.requests.memory'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv016", + "References": [ + "https://kubesec.io/basics/containers-resources-limits-memory/", + "https://avd.aquasec.com/misconfig/ksv016" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 254, + "EndLine": 275, + "Code": { + "Lines": [ + { + "Number": 254, + "Content": " - name: minio", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: minio", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 255, + "Content": " image: 
\"quay.io/devtron/minio:RELEASE.2020-12-03T05-49-24Z\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/minio:RELEASE.2020-12-03T05-49-24Z\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 256, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 257, + "Content": " command:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mcommand\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 258, + "Content": " - \"/bin/sh\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;37m\"/bin/sh\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 259, + "Content": " - \"-ce\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m - \u001b[38;5;37m\"-ce\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 260, + "Content": " - \"/usr/bin/docker-entrypoint.sh minio -S /etc/minio/certs/ gateway azure\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m - \u001b[38;5;37m\"/usr/bin/docker-entrypoint.sh minio -S /etc/minio/certs/ gateway azure\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 261, + "Content": " volumeMounts: ", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mvolumeMounts\u001b[0m: ", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 262, + "Content": " ports:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mports\u001b[0m:", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 263, + 
"Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV018", + "AVDID": "AVD-KSV-0018", + "Title": "Memory not limited", + "Description": "Enforcing memory limits prevents DoS via resource exhaustion.", + "Message": "Container 'minio' of Deployment 'devtron-minio' should set 'resources.limits.memory'", + "Namespace": "builtin.kubernetes.KSV018", + "Query": "data.builtin.kubernetes.KSV018.deny", + "Resolution": "Set a limit value under 'containers[].resources.limits.memory'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv018", + "References": [ + "https://kubesec.io/basics/containers-resources-limits-memory/", + "https://avd.aquasec.com/misconfig/ksv018" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 254, + "EndLine": 275, + "Code": { + "Lines": [ + { + "Number": 254, + "Content": " - name: minio", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: minio", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 255, + "Content": " image: \"quay.io/devtron/minio:RELEASE.2020-12-03T05-49-24Z\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/minio:RELEASE.2020-12-03T05-49-24Z\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 256, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 257, + "Content": " command:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mcommand\u001b[0m:", + 
"FirstCause": false, + "LastCause": false + }, + { + "Number": 258, + "Content": " - \"/bin/sh\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;37m\"/bin/sh\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 259, + "Content": " - \"-ce\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m - \u001b[38;5;37m\"-ce\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 260, + "Content": " - \"/usr/bin/docker-entrypoint.sh minio -S /etc/minio/certs/ gateway azure\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m - \u001b[38;5;37m\"/usr/bin/docker-entrypoint.sh minio -S /etc/minio/certs/ gateway azure\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 261, + "Content": " volumeMounts: ", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mvolumeMounts\u001b[0m: ", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 262, + "Content": " ports:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mports\u001b[0m:", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 263, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV020", + "AVDID": "AVD-KSV-0020", + "Title": "Runs with UID \u003c= 10000", + "Description": "Force the container to run with user ID \u003e 10000 to avoid conflicts with the host’s user table.", + "Message": "Container 'minio' of Deployment 'devtron-minio' should set 'securityContext.runAsUser' \u003e 10000", + "Namespace": "builtin.kubernetes.KSV020", + "Query": "data.builtin.kubernetes.KSV020.deny", + "Resolution": "Set 'containers[].securityContext.runAsUser' to an integer \u003e 10000.", + "Severity": "LOW", + 
"PrimaryURL": "https://avd.aquasec.com/misconfig/ksv020", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-runasuser/", + "https://avd.aquasec.com/misconfig/ksv020" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 254, + "EndLine": 275, + "Code": { + "Lines": [ + { + "Number": 254, + "Content": " - name: minio", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: minio", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 255, + "Content": " image: \"quay.io/devtron/minio:RELEASE.2020-12-03T05-49-24Z\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/minio:RELEASE.2020-12-03T05-49-24Z\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 256, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 257, + "Content": " command:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mcommand\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 258, + "Content": " - \"/bin/sh\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;37m\"/bin/sh\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 259, + "Content": " - \"-ce\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m - \u001b[38;5;37m\"-ce\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 260, + "Content": " - \"/usr/bin/docker-entrypoint.sh minio -S /etc/minio/certs/ gateway azure\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + 
"Highlighted": "\u001b[0m - \u001b[38;5;37m\"/usr/bin/docker-entrypoint.sh minio -S /etc/minio/certs/ gateway azure\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 261, + "Content": " volumeMounts: ", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mvolumeMounts\u001b[0m: ", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 262, + "Content": " ports:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mports\u001b[0m:", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 263, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV021", + "AVDID": "AVD-KSV-0021", + "Title": "Runs with GID \u003c= 10000", + "Description": "Force the container to run with group ID \u003e 10000 to avoid conflicts with the host’s user table.", + "Message": "Container 'minio' of Deployment 'devtron-minio' should set 'securityContext.runAsGroup' \u003e 10000", + "Namespace": "builtin.kubernetes.KSV021", + "Query": "data.builtin.kubernetes.KSV021.deny", + "Resolution": "Set 'containers[].securityContext.runAsGroup' to an integer \u003e 10000.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv021", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-runasuser/", + "https://avd.aquasec.com/misconfig/ksv021" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 254, + "EndLine": 275, + "Code": { + "Lines": [ + { + "Number": 254, + "Content": " - name: minio", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: minio", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 255, + "Content": " image: 
\"quay.io/devtron/minio:RELEASE.2020-12-03T05-49-24Z\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/minio:RELEASE.2020-12-03T05-49-24Z\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 256, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 257, + "Content": " command:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mcommand\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 258, + "Content": " - \"/bin/sh\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;37m\"/bin/sh\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 259, + "Content": " - \"-ce\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m - \u001b[38;5;37m\"-ce\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 260, + "Content": " - \"/usr/bin/docker-entrypoint.sh minio -S /etc/minio/certs/ gateway azure\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m - \u001b[38;5;37m\"/usr/bin/docker-entrypoint.sh minio -S /etc/minio/certs/ gateway azure\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 261, + "Content": " volumeMounts: ", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mvolumeMounts\u001b[0m: ", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 262, + "Content": " ports:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mports\u001b[0m:", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 263, + 
"Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV030", + "AVDID": "AVD-KSV-0030", + "Title": "Runtime/Default Seccomp profile not set", + "Description": "According to pod security standard 'Seccomp', the RuntimeDefault seccomp profile must be required, or allow specific additional profiles.", + "Message": "Either Pod or Container should set 'securityContext.seccompProfile.type' to 'RuntimeDefault'", + "Namespace": "builtin.kubernetes.KSV030", + "Query": "data.builtin.kubernetes.KSV030.deny", + "Resolution": "Set 'spec.securityContext.seccompProfile.type', 'spec.containers[*].securityContext.seccompProfile' and 'spec.initContainers[*].securityContext.seccompProfile' to 'RuntimeDefault' or undefined.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv030", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", + "https://avd.aquasec.com/misconfig/ksv030" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 254, + "EndLine": 275, + "Code": { + "Lines": [ + { + "Number": 254, + "Content": " - name: minio", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: minio", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 255, + "Content": " image: \"quay.io/devtron/minio:RELEASE.2020-12-03T05-49-24Z\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/minio:RELEASE.2020-12-03T05-49-24Z\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 256, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m 
\u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 257, + "Content": " command:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mcommand\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 258, + "Content": " - \"/bin/sh\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;37m\"/bin/sh\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 259, + "Content": " - \"-ce\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m - \u001b[38;5;37m\"-ce\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 260, + "Content": " - \"/usr/bin/docker-entrypoint.sh minio -S /etc/minio/certs/ gateway azure\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m - \u001b[38;5;37m\"/usr/bin/docker-entrypoint.sh minio -S /etc/minio/certs/ gateway azure\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 261, + "Content": " volumeMounts: ", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mvolumeMounts\u001b[0m: ", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 262, + "Content": " ports:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mports\u001b[0m:", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 263, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV104", + "AVDID": "AVD-KSV-0104", + "Title": "Seccomp policies disabled", + "Description": "A program inside the container can bypass Seccomp protection policies.", + "Message": "container \"minio\" of deployment \"devtron-minio\" in \"default\" namespace 
should specify a seccomp profile", + "Namespace": "builtin.kubernetes.KSV104", + "Query": "data.builtin.kubernetes.KSV104.deny", + "Resolution": "Specify seccomp either by annotation or by seccomp profile type having allowed values as per pod security standards", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv104", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline", + "https://avd.aquasec.com/misconfig/ksv104" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 220, + "EndLine": 220, + "Code": { + "Lines": [ + { + "Number": 220, + "Content": "---", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "---", + "FirstCause": true, + "LastCause": true + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV106", + "AVDID": "AVD-KSV-0106", + "Title": "Container capabilities must only include NET_BIND_SERVICE", + "Description": "Containers must drop ALL capabilities, and are only permitted to add back the NET_BIND_SERVICE capability.", + "Message": "container should drop all", + "Namespace": "builtin.kubernetes.KSV106", + "Query": "data.builtin.kubernetes.KSV106.deny", + "Resolution": "Set 'spec.containers[*].securityContext.capabilities.drop' to 'ALL' and only add 'NET_BIND_SERVICE' to 'spec.containers[*].securityContext.capabilities.add'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv106", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", + "https://avd.aquasec.com/misconfig/ksv106" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 254, + "EndLine": 275, + "Code": { + "Lines": [ + { + "Number": 254, + "Content": " - name: minio", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - 
\u001b[38;5;33mname\u001b[0m: minio", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 255, + "Content": " image: \"quay.io/devtron/minio:RELEASE.2020-12-03T05-49-24Z\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/minio:RELEASE.2020-12-03T05-49-24Z\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 256, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 257, + "Content": " command:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mcommand\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 258, + "Content": " - \"/bin/sh\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;37m\"/bin/sh\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 259, + "Content": " - \"-ce\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m - \u001b[38;5;37m\"-ce\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 260, + "Content": " - \"/usr/bin/docker-entrypoint.sh minio -S /etc/minio/certs/ gateway azure\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m - \u001b[38;5;37m\"/usr/bin/docker-entrypoint.sh minio -S /etc/minio/certs/ gateway azure\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 261, + "Content": " volumeMounts: ", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mvolumeMounts\u001b[0m: ", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 262, + "Content": " ports:", + "IsCause": true, + "Annotation": "", + "Truncated": 
false, + "Highlighted": " \u001b[38;5;33mports\u001b[0m:", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 263, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "AVD-KSV-0109", + "AVDID": "AVD-KSV-0109", + "Title": "ConfigMap with secrets", + "Description": "Storing secrets in configMaps is unsafe", + "Message": "ConfigMap 'devtron-minio' in 'default' namespace stores secrets in key(s) or value(s) '{\" ACCESS\"}'", + "Namespace": "builtin.kubernetes.KSV0109", + "Query": "data.builtin.kubernetes.KSV0109.deny", + "Resolution": "Remove password/secret from configMap data value", + "Severity": "HIGH", + "PrimaryURL": "https://avd.aquasec.com/misconfig/avd-ksv-0109", + "References": [ + "https://avd.aquasec.com/misconfig/avd-ksv-0109" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 38, + "EndLine": 38, + "Code": { + "Lines": [ + { + "Number": 38, + "Content": "---", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m---", + "FirstCause": true, + "LastCause": true + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV113", + "AVDID": "AVD-KSV-0113", + "Title": "Manage namespace secrets", + "Description": "Viewing secrets at the namespace scope can lead to escalation if another service account in that namespace has a higher privileged rolebinding or clusterrolebinding bound.", + "Message": "Role 'devtron-minio-update-prometheus-secret' shouldn't have access to manage secrets in namespace 'default'", + "Namespace": "builtin.kubernetes.KSV113", + "Query": "data.builtin.kubernetes.KSV113.deny", + "Resolution": "Manage namespace secrets are not allowed. 
Remove resource 'secrets' from role", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv113", + "References": [ + "https://kubernetes.io/docs/concepts/security/rbac-good-practices/", + "https://avd.aquasec.com/misconfig/ksv113" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 166, + "EndLine": 171, + "Code": { + "Lines": [ + { + "Number": 166, + "Content": " - apiGroups:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mapiGroups\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 167, + "Content": " - \"\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;37m\"\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 168, + "Content": " resources:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mresources\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 169, + "Content": " - secrets", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - secrets", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 170, + "Content": " verbs:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mverbs\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 171, + "Content": " - create", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - create", + "FirstCause": false, + "LastCause": true + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV113", + "AVDID": "AVD-KSV-0113", + "Title": "Manage namespace secrets", + "Description": "Viewing secrets at the namespace scope can lead to escalation if another service account in that namespace has a higher privileged rolebinding or clusterrolebinding bound.", + 
"Message": "Role 'devtron-minio-update-prometheus-secret' shouldn't have access to manage secrets in namespace 'default'", + "Namespace": "builtin.kubernetes.KSV113", + "Query": "data.builtin.kubernetes.KSV113.deny", + "Resolution": "Manage namespace secrets are not allowed. Remove resource 'secrets' from role", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv113", + "References": [ + "https://kubernetes.io/docs/concepts/security/rbac-good-practices/", + "https://avd.aquasec.com/misconfig/ksv113" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 155, + "EndLine": 165, + "Code": { + "Lines": [ + { + "Number": 155, + "Content": " - apiGroups:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mapiGroups\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 156, + "Content": " - \"\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;37m\"\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 157, + "Content": " resources:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mresources\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 158, + "Content": " - secrets", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - secrets", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 159, + "Content": " verbs:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mverbs\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 160, + "Content": " - get", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - get", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 161, + "Content": " - create", + "IsCause": true, + 
"Annotation": "", + "Truncated": false, + "Highlighted": " - create", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 162, + "Content": " - update", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - update", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 163, + "Content": " - patch", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - patch", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 164, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + } + ] + }, + { + "Target": "manifests/yamls/namespace.yaml", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 153, + "Failures": 0, + "Exceptions": 0 + } + }, + { + "Target": "manifests/yamls/nats-operator.yaml", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 153, + "Failures": 24, + "Exceptions": 0 + }, + "Misconfigurations": [ + { + "Type": "Kubernetes Security Check", + "ID": "KSV001", + "AVDID": "AVD-KSV-0001", + "Title": "Can elevate its own privileges", + "Description": "A program inside the container can elevate its own privileges and run as root, which might give the program control over the container and node.", + "Message": "Container 'nats-operator' of Deployment 'nats-operator' should set 'securityContext.allowPrivilegeEscalation' to false", + "Namespace": "builtin.kubernetes.KSV001", + "Query": "data.builtin.kubernetes.KSV001.deny", + "Resolution": "Set 'set containers[].securityContext.allowPrivilegeEscalation' to 'false'.", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv001", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", + "https://avd.aquasec.com/misconfig/ksv001" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + 
"Service": "general", + "StartLine": 213, + "EndLine": 237, + "Code": { + "Lines": [ + { + "Number": 213, + "Content": " - name: nats-operator", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: nats-operator", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 214, + "Content": " image: \"quay.io/devtron/nats-operator:0.5.0-v1alpha2\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/nats-operator:0.5.0-v1alpha2\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 215, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 216, + "Content": " args:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33margs\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 217, + "Content": " - nats-operator", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - nats-operator", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 218, + "Content": " # Uncomment to perform a cluster-scoped deployment in supported versions.", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;239m# Uncomment to perform a cluster-scoped deployment in supported versions.", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 219, + "Content": " #- --feature-gates=ClusterScoped=true", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;239m#- --feature-gates=ClusterScoped=true", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 220, + "Content": " ports:", + "IsCause": true, + "Annotation": "", + 
"Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mports\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 221, + "Content": " - name: readyz", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: readyz", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 222, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV003", + "AVDID": "AVD-KSV-0003", + "Title": "Default capabilities: some containers do not drop all", + "Description": "The container should drop all default capabilities and add only those that are needed for its execution.", + "Message": "Container 'nats-operator' of Deployment 'nats-operator' should add 'ALL' to 'securityContext.capabilities.drop'", + "Namespace": "builtin.kubernetes.KSV003", + "Query": "data.builtin.kubernetes.KSV003.deny", + "Resolution": "Add 'ALL' to containers[].securityContext.capabilities.drop.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv003", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-capabilities-drop-index-all/", + "https://avd.aquasec.com/misconfig/ksv003" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 213, + "EndLine": 237, + "Code": { + "Lines": [ + { + "Number": 213, + "Content": " - name: nats-operator", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: nats-operator", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 214, + "Content": " image: \"quay.io/devtron/nats-operator:0.5.0-v1alpha2\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: 
\u001b[38;5;37m\"quay.io/devtron/nats-operator:0.5.0-v1alpha2\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 215, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 216, + "Content": " args:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33margs\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 217, + "Content": " - nats-operator", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - nats-operator", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 218, + "Content": " # Uncomment to perform a cluster-scoped deployment in supported versions.", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;239m# Uncomment to perform a cluster-scoped deployment in supported versions.", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 219, + "Content": " #- --feature-gates=ClusterScoped=true", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;239m#- --feature-gates=ClusterScoped=true", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 220, + "Content": " ports:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mports\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 221, + "Content": " - name: readyz", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: readyz", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 222, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + 
"Type": "Kubernetes Security Check", + "ID": "KSV011", + "AVDID": "AVD-KSV-0011", + "Title": "CPU not limited", + "Description": "Enforcing CPU limits prevents DoS via resource exhaustion.", + "Message": "Container 'nats-operator' of Deployment 'nats-operator' should set 'resources.limits.cpu'", + "Namespace": "builtin.kubernetes.KSV011", + "Query": "data.builtin.kubernetes.KSV011.deny", + "Resolution": "Set a limit value under 'containers[].resources.limits.cpu'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv011", + "References": [ + "https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", + "https://avd.aquasec.com/misconfig/ksv011" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 213, + "EndLine": 237, + "Code": { + "Lines": [ + { + "Number": 213, + "Content": " - name: nats-operator", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: nats-operator", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 214, + "Content": " image: \"quay.io/devtron/nats-operator:0.5.0-v1alpha2\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/nats-operator:0.5.0-v1alpha2\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 215, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 216, + "Content": " args:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33margs\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 217, + "Content": " - nats-operator", + 
"IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - nats-operator", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 218, + "Content": " # Uncomment to perform a cluster-scoped deployment in supported versions.", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;239m# Uncomment to perform a cluster-scoped deployment in supported versions.", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 219, + "Content": " #- --feature-gates=ClusterScoped=true", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;239m#- --feature-gates=ClusterScoped=true", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 220, + "Content": " ports:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mports\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 221, + "Content": " - name: readyz", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: readyz", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 222, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV012", + "AVDID": "AVD-KSV-0012", + "Title": "Runs as root user", + "Description": "Force the running image to run as a non-root user to ensure least privileges.", + "Message": "Container 'nats-operator' of Deployment 'nats-operator' should set 'securityContext.runAsNonRoot' to true", + "Namespace": "builtin.kubernetes.KSV012", + "Query": "data.builtin.kubernetes.KSV012.deny", + "Resolution": "Set 'containers[].securityContext.runAsNonRoot' to true.", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv012", + "References": [ + 
"https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", + "https://avd.aquasec.com/misconfig/ksv012" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 213, + "EndLine": 237, + "Code": { + "Lines": [ + { + "Number": 213, + "Content": " - name: nats-operator", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: nats-operator", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 214, + "Content": " image: \"quay.io/devtron/nats-operator:0.5.0-v1alpha2\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/nats-operator:0.5.0-v1alpha2\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 215, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 216, + "Content": " args:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33margs\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 217, + "Content": " - nats-operator", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - nats-operator", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 218, + "Content": " # Uncomment to perform a cluster-scoped deployment in supported versions.", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;239m# Uncomment to perform a cluster-scoped deployment in supported versions.", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 219, + "Content": " #- --feature-gates=ClusterScoped=true", + "IsCause": true, + "Annotation": "", + "Truncated": false, + 
"Highlighted": "\u001b[0m \u001b[38;5;239m#- --feature-gates=ClusterScoped=true", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 220, + "Content": " ports:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mports\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 221, + "Content": " - name: readyz", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: readyz", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 222, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV014", + "AVDID": "AVD-KSV-0014", + "Title": "Root file system is not read-only", + "Description": "An immutable root file system prevents applications from writing to their local disk. This can limit intrusions, as attackers will not be able to tamper with the file system or write foreign executables to disk.", + "Message": "Container 'nats-operator' of Deployment 'nats-operator' should set 'securityContext.readOnlyRootFilesystem' to true", + "Namespace": "builtin.kubernetes.KSV014", + "Query": "data.builtin.kubernetes.KSV014.deny", + "Resolution": "Change 'containers[].securityContext.readOnlyRootFilesystem' to 'true'.", + "Severity": "HIGH", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv014", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-readonlyrootfilesystem-true/", + "https://avd.aquasec.com/misconfig/ksv014" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 213, + "EndLine": 237, + "Code": { + "Lines": [ + { + "Number": 213, + "Content": " - name: nats-operator", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: 
nats-operator", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 214, + "Content": " image: \"quay.io/devtron/nats-operator:0.5.0-v1alpha2\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/nats-operator:0.5.0-v1alpha2\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 215, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 216, + "Content": " args:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33margs\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 217, + "Content": " - nats-operator", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - nats-operator", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 218, + "Content": " # Uncomment to perform a cluster-scoped deployment in supported versions.", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;239m# Uncomment to perform a cluster-scoped deployment in supported versions.", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 219, + "Content": " #- --feature-gates=ClusterScoped=true", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;239m#- --feature-gates=ClusterScoped=true", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 220, + "Content": " ports:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mports\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 221, + "Content": " - name: readyz", + "IsCause": true, + "Annotation": "", + "Truncated": false, + 
"Highlighted": " - \u001b[38;5;33mname\u001b[0m: readyz", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 222, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV015", + "AVDID": "AVD-KSV-0015", + "Title": "CPU requests not specified", + "Description": "When containers have resource requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", + "Message": "Container 'nats-operator' of Deployment 'nats-operator' should set 'resources.requests.cpu'", + "Namespace": "builtin.kubernetes.KSV015", + "Query": "data.builtin.kubernetes.KSV015.deny", + "Resolution": "Set 'containers[].resources.requests.cpu'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv015", + "References": [ + "https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", + "https://avd.aquasec.com/misconfig/ksv015" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 213, + "EndLine": 237, + "Code": { + "Lines": [ + { + "Number": 213, + "Content": " - name: nats-operator", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: nats-operator", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 214, + "Content": " image: \"quay.io/devtron/nats-operator:0.5.0-v1alpha2\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/nats-operator:0.5.0-v1alpha2\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 215, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": 
"\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 216, + "Content": " args:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33margs\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 217, + "Content": " - nats-operator", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - nats-operator", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 218, + "Content": " # Uncomment to perform a cluster-scoped deployment in supported versions.", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;239m# Uncomment to perform a cluster-scoped deployment in supported versions.", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 219, + "Content": " #- --feature-gates=ClusterScoped=true", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;239m#- --feature-gates=ClusterScoped=true", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 220, + "Content": " ports:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mports\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 221, + "Content": " - name: readyz", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: readyz", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 222, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV016", + "AVDID": "AVD-KSV-0016", + "Title": "Memory requests not specified", + "Description": "When containers have memory requests specified, the scheduler can make better decisions about which nodes to place pods 
on, and how to deal with resource contention.", + "Message": "Container 'nats-operator' of Deployment 'nats-operator' should set 'resources.requests.memory'", + "Namespace": "builtin.kubernetes.KSV016", + "Query": "data.builtin.kubernetes.KSV016.deny", + "Resolution": "Set 'containers[].resources.requests.memory'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv016", + "References": [ + "https://kubesec.io/basics/containers-resources-limits-memory/", + "https://avd.aquasec.com/misconfig/ksv016" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 213, + "EndLine": 237, + "Code": { + "Lines": [ + { + "Number": 213, + "Content": " - name: nats-operator", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: nats-operator", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 214, + "Content": " image: \"quay.io/devtron/nats-operator:0.5.0-v1alpha2\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/nats-operator:0.5.0-v1alpha2\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 215, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 216, + "Content": " args:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33margs\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 217, + "Content": " - nats-operator", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - nats-operator", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 218, + "Content": " # Uncomment to perform a 
cluster-scoped deployment in supported versions.", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;239m# Uncomment to perform a cluster-scoped deployment in supported versions.", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 219, + "Content": " #- --feature-gates=ClusterScoped=true", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;239m#- --feature-gates=ClusterScoped=true", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 220, + "Content": " ports:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mports\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 221, + "Content": " - name: readyz", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: readyz", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 222, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV018", + "AVDID": "AVD-KSV-0018", + "Title": "Memory not limited", + "Description": "Enforcing memory limits prevents DoS via resource exhaustion.", + "Message": "Container 'nats-operator' of Deployment 'nats-operator' should set 'resources.limits.memory'", + "Namespace": "builtin.kubernetes.KSV018", + "Query": "data.builtin.kubernetes.KSV018.deny", + "Resolution": "Set a limit value under 'containers[].resources.limits.memory'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv018", + "References": [ + "https://kubesec.io/basics/containers-resources-limits-memory/", + "https://avd.aquasec.com/misconfig/ksv018" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 213, + "EndLine": 237, + 
"Code": { + "Lines": [ + { + "Number": 213, + "Content": " - name: nats-operator", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: nats-operator", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 214, + "Content": " image: \"quay.io/devtron/nats-operator:0.5.0-v1alpha2\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/nats-operator:0.5.0-v1alpha2\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 215, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 216, + "Content": " args:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33margs\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 217, + "Content": " - nats-operator", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - nats-operator", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 218, + "Content": " # Uncomment to perform a cluster-scoped deployment in supported versions.", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;239m# Uncomment to perform a cluster-scoped deployment in supported versions.", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 219, + "Content": " #- --feature-gates=ClusterScoped=true", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;239m#- --feature-gates=ClusterScoped=true", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 220, + "Content": " ports:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m 
\u001b[38;5;33mports\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 221, + "Content": " - name: readyz", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: readyz", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 222, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV020", + "AVDID": "AVD-KSV-0020", + "Title": "Runs with UID \u003c= 10000", + "Description": "Force the container to run with user ID \u003e 10000 to avoid conflicts with the host’s user table.", + "Message": "Container 'nats-operator' of Deployment 'nats-operator' should set 'securityContext.runAsUser' \u003e 10000", + "Namespace": "builtin.kubernetes.KSV020", + "Query": "data.builtin.kubernetes.KSV020.deny", + "Resolution": "Set 'containers[].securityContext.runAsUser' to an integer \u003e 10000.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv020", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-runasuser/", + "https://avd.aquasec.com/misconfig/ksv020" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 213, + "EndLine": 237, + "Code": { + "Lines": [ + { + "Number": 213, + "Content": " - name: nats-operator", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: nats-operator", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 214, + "Content": " image: \"quay.io/devtron/nats-operator:0.5.0-v1alpha2\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/nats-operator:0.5.0-v1alpha2\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 215, + 
"Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 216, + "Content": " args:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33margs\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 217, + "Content": " - nats-operator", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - nats-operator", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 218, + "Content": " # Uncomment to perform a cluster-scoped deployment in supported versions.", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;239m# Uncomment to perform a cluster-scoped deployment in supported versions.", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 219, + "Content": " #- --feature-gates=ClusterScoped=true", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;239m#- --feature-gates=ClusterScoped=true", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 220, + "Content": " ports:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mports\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 221, + "Content": " - name: readyz", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: readyz", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 222, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV021", + "AVDID": "AVD-KSV-0021", + "Title": "Runs with GID \u003c= 10000", + "Description": 
"Force the container to run with group ID \u003e 10000 to avoid conflicts with the host’s user table.", + "Message": "Container 'nats-operator' of Deployment 'nats-operator' should set 'securityContext.runAsGroup' \u003e 10000", + "Namespace": "builtin.kubernetes.KSV021", + "Query": "data.builtin.kubernetes.KSV021.deny", + "Resolution": "Set 'containers[].securityContext.runAsGroup' to an integer \u003e 10000.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv021", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-runasuser/", + "https://avd.aquasec.com/misconfig/ksv021" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 213, + "EndLine": 237, + "Code": { + "Lines": [ + { + "Number": 213, + "Content": " - name: nats-operator", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: nats-operator", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 214, + "Content": " image: \"quay.io/devtron/nats-operator:0.5.0-v1alpha2\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/nats-operator:0.5.0-v1alpha2\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 215, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 216, + "Content": " args:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33margs\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 217, + "Content": " - nats-operator", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - nats-operator", + "FirstCause": 
false, + "LastCause": false + }, + { + "Number": 218, + "Content": " # Uncomment to perform a cluster-scoped deployment in supported versions.", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;239m# Uncomment to perform a cluster-scoped deployment in supported versions.", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 219, + "Content": " #- --feature-gates=ClusterScoped=true", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;239m#- --feature-gates=ClusterScoped=true", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 220, + "Content": " ports:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mports\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 221, + "Content": " - name: readyz", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: readyz", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 222, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV030", + "AVDID": "AVD-KSV-0030", + "Title": "Runtime/Default Seccomp profile not set", + "Description": "According to pod security standard 'Seccomp', the RuntimeDefault seccomp profile must be required, or allow specific additional profiles.", + "Message": "Either Pod or Container should set 'securityContext.seccompProfile.type' to 'RuntimeDefault'", + "Namespace": "builtin.kubernetes.KSV030", + "Query": "data.builtin.kubernetes.KSV030.deny", + "Resolution": "Set 'spec.securityContext.seccompProfile.type', 'spec.containers[*].securityContext.seccompProfile' and 'spec.initContainers[*].securityContext.seccompProfile' to 'RuntimeDefault' or undefined.", + "Severity": "LOW", + "PrimaryURL": 
"https://avd.aquasec.com/misconfig/ksv030", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", + "https://avd.aquasec.com/misconfig/ksv030" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 213, + "EndLine": 237, + "Code": { + "Lines": [ + { + "Number": 213, + "Content": " - name: nats-operator", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: nats-operator", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 214, + "Content": " image: \"quay.io/devtron/nats-operator:0.5.0-v1alpha2\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/nats-operator:0.5.0-v1alpha2\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 215, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 216, + "Content": " args:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33margs\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 217, + "Content": " - nats-operator", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - nats-operator", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 218, + "Content": " # Uncomment to perform a cluster-scoped deployment in supported versions.", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;239m# Uncomment to perform a cluster-scoped deployment in supported versions.", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 219, + "Content": " #- 
--feature-gates=ClusterScoped=true", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;239m#- --feature-gates=ClusterScoped=true", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 220, + "Content": " ports:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mports\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 221, + "Content": " - name: readyz", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: readyz", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 222, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV041", + "AVDID": "AVD-KSV-0041", + "Title": "Manage secrets", + "Description": "Viewing secrets at the cluster-scope is akin to cluster-admin in most clusters as there are typically at least one service accounts (their token stored in a secret) bound to cluster-admin directly or a role/clusterrole that gives similar permissions.", + "Message": "ClusterRole 'nats-operator' shouldn't have access to manage resource 'secrets'", + "Namespace": "builtin.kubernetes.KSV041", + "Query": "data.builtin.kubernetes.KSV041.deny", + "Resolution": "Manage secrets are not allowed. 
Remove resource 'secrets' from cluster role", + "Severity": "CRITICAL", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv041", + "References": [ + "https://kubernetes.io/docs/concepts/security/rbac-good-practices/", + "https://avd.aquasec.com/misconfig/ksv041" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 100, + "EndLine": 103, + "Code": { + "Lines": [ + { + "Number": 100, + "Content": "- apiGroups: [\"\"]", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m- \u001b[38;5;33mapiGroups\u001b[0m: [\u001b[38;5;37m\"\"\u001b[0m]", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 101, + "Content": " resources:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mresources\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 102, + "Content": " - secrets", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - secrets", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 103, + "Content": " verbs: [\"create\", \"watch\", \"get\", \"update\", \"delete\", \"list\"]", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mverbs\u001b[0m: [\u001b[38;5;37m\"create\"\u001b[0m, \u001b[38;5;37m\"watch\"\u001b[0m, \u001b[38;5;37m\"get\"\u001b[0m, \u001b[38;5;37m\"update\"\u001b[0m, \u001b[38;5;37m\"delete\"\u001b[0m, \u001b[38;5;37m\"list\"\u001b[0m]", + "FirstCause": false, + "LastCause": true + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV041", + "AVDID": "AVD-KSV-0041", + "Title": "Manage secrets", + "Description": "Viewing secrets at the cluster-scope is akin to cluster-admin in most clusters as there are typically at least one service accounts (their token stored in a secret) bound to cluster-admin directly or a role/clusterrole that gives similar permissions.", + 
"Message": "ClusterRole 'nats-streaming-operator' shouldn't have access to manage resource 'secrets'", + "Namespace": "builtin.kubernetes.KSV041", + "Query": "data.builtin.kubernetes.KSV041.deny", + "Resolution": "Manage secrets are not allowed. Remove resource 'secrets' from cluster role", + "Severity": "CRITICAL", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv041", + "References": [ + "https://kubernetes.io/docs/concepts/security/rbac-good-practices/", + "https://avd.aquasec.com/misconfig/ksv041" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 54, + "EndLine": 64, + "Code": { + "Lines": [ + { + "Number": 54, + "Content": "- apiGroups: [\"\"]", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m- \u001b[38;5;33mapiGroups\u001b[0m: [\u001b[38;5;37m\"\"\u001b[0m]", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 55, + "Content": " resources:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mresources\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 56, + "Content": " - configmaps", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - configmaps", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 57, + "Content": " - secrets", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - secrets", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 58, + "Content": " - pods", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - pods", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 59, + "Content": " - services", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - services", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 60, + "Content": " - serviceaccounts", + "IsCause": true, + 
"Annotation": "", + "Truncated": false, + "Highlighted": " - serviceaccounts", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 61, + "Content": " - serviceaccounts/token", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - serviceaccounts/token", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 62, + "Content": " - endpoints", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - endpoints", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 63, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV042", + "AVDID": "AVD-KSV-0042", + "Title": "Delete pod logs", + "Description": "Used to cover attacker’s tracks, but most clusters ship logs quickly off-cluster.", + "Message": "ClusterRole 'nats-operator' should not have access to resource 'pods/log' for verbs [\"delete\", \"deletecollection\", \"*\"]", + "Namespace": "builtin.kubernetes.KSV042", + "Query": "data.builtin.kubernetes.KSV042.deny", + "Resolution": "Remove verbs 'delete' and 'deletecollection' for resource 'pods/log' for Role and ClusterRole", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv042", + "References": [ + "https://kubernetes.io/docs/concepts/security/rbac-good-practices/", + "https://avd.aquasec.com/misconfig/ksv042" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 106, + "EndLine": 112, + "Code": { + "Lines": [ + { + "Number": 106, + "Content": "- apiGroups: [\"\"]", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m- \u001b[38;5;33mapiGroups\u001b[0m: [\u001b[38;5;37m\"\"\u001b[0m]", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 107, + "Content": " resources:", + "IsCause": true, + 
"Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mresources\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 108, + "Content": " - pods/exec", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - pods/exec", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 109, + "Content": " - pods/log", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - pods/log", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 110, + "Content": " - serviceaccounts/token", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - serviceaccounts/token", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 111, + "Content": " - events", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - events", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 112, + "Content": " verbs: [\"*\"]", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mverbs\u001b[0m: [\u001b[38;5;37m\"*\"\u001b[0m]", + "FirstCause": false, + "LastCause": true + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV045", + "AVDID": "AVD-KSV-0045", + "Title": "No wildcard verb roles", + "Description": "Check whether role permits wildcard verb on specific resources", + "Message": "Role permits wildcard verb on specific resources", + "Namespace": "builtin.kubernetes.KSV045", + "Query": "data.builtin.kubernetes.KSV045.deny", + "Resolution": "Create a role which does not permit wildcard verb on specific resources", + "Severity": "CRITICAL", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv045", + "References": [ + "https://kubernetes.io/docs/concepts/security/rbac-good-practices/", + "https://avd.aquasec.com/misconfig/ksv045" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + 
"StartLine": 54, + "EndLine": 64, + "Code": { + "Lines": [ + { + "Number": 54, + "Content": "- apiGroups: [\"\"]", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m- \u001b[38;5;33mapiGroups\u001b[0m: [\u001b[38;5;37m\"\"\u001b[0m]", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 55, + "Content": " resources:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mresources\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 56, + "Content": " - configmaps", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - configmaps", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 57, + "Content": " - secrets", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - secrets", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 58, + "Content": " - pods", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - pods", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 59, + "Content": " - services", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - services", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 60, + "Content": " - serviceaccounts", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - serviceaccounts", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 61, + "Content": " - serviceaccounts/token", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - serviceaccounts/token", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 62, + "Content": " - endpoints", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - endpoints", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 63, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + 
"FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV048", + "AVDID": "AVD-KSV-0048", + "Title": "Manage Kubernetes workloads and pods", + "Description": "Depending on the policies enforced by the admission controller, this permission ranges from the ability to steal compute (crypto) by running workloads or allowing for creating workloads that escape to the node as root and escalation to cluster-admin.", + "Message": "ClusterRole 'nats-operator' should not have access to resources [\"pods\", \"deployments\", \"jobs\", \"cronjobs\", \"statefulsets\", \"daemonsets\", \"replicasets\", \"replicationcontrollers\"] for verbs [\"create\", \"update\", \"patch\", \"delete\", \"deletecollection\", \"impersonate\", \"*\"]", + "Namespace": "builtin.kubernetes.KSV048", + "Query": "data.builtin.kubernetes.KSV048.deny", + "Resolution": "Kubernetes workloads resources are only allowed for verbs 'list', 'watch', 'get'", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv048", + "References": [ + "https://kubernetes.io/docs/concepts/security/rbac-good-practices/", + "https://avd.aquasec.com/misconfig/ksv048" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 88, + "EndLine": 91, + "Code": { + "Lines": [ + { + "Number": 88, + "Content": "- apiGroups: [\"\"]", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m- \u001b[38;5;33mapiGroups\u001b[0m: [\u001b[38;5;37m\"\"\u001b[0m]", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 89, + "Content": " resources:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mresources\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 90, + "Content": " - pods", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - pods", + "FirstCause": 
false, + "LastCause": false + }, + { + "Number": 91, + "Content": " verbs: [\"create\", \"watch\", \"get\", \"patch\", \"update\", \"delete\", \"list\"]", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mverbs\u001b[0m: [\u001b[38;5;37m\"create\"\u001b[0m, \u001b[38;5;37m\"watch\"\u001b[0m, \u001b[38;5;37m\"get\"\u001b[0m, \u001b[38;5;37m\"patch\"\u001b[0m, \u001b[38;5;37m\"update\"\u001b[0m, \u001b[38;5;37m\"delete\"\u001b[0m, \u001b[38;5;37m\"list\"\u001b[0m]", + "FirstCause": false, + "LastCause": true + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV048", + "AVDID": "AVD-KSV-0048", + "Title": "Manage Kubernetes workloads and pods", + "Description": "Depending on the policies enforced by the admission controller, this permission ranges from the ability to steal compute (crypto) by running workloads or allowing for creating workloads that escape to the node as root and escalation to cluster-admin.", + "Message": "ClusterRole 'nats-streaming-operator' should not have access to resources [\"pods\", \"deployments\", \"jobs\", \"cronjobs\", \"statefulsets\", \"daemonsets\", \"replicasets\", \"replicationcontrollers\"] for verbs [\"create\", \"update\", \"patch\", \"delete\", \"deletecollection\", \"impersonate\", \"*\"]", + "Namespace": "builtin.kubernetes.KSV048", + "Query": "data.builtin.kubernetes.KSV048.deny", + "Resolution": "Kubernetes workloads resources are only allowed for verbs 'list', 'watch', 'get'", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv048", + "References": [ + "https://kubernetes.io/docs/concepts/security/rbac-good-practices/", + "https://avd.aquasec.com/misconfig/ksv048" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 54, + "EndLine": 64, + "Code": { + "Lines": [ + { + "Number": 54, + "Content": "- apiGroups: [\"\"]", + "IsCause": true, + "Annotation": "", + 
"Truncated": false, + "Highlighted": "\u001b[0m- \u001b[38;5;33mapiGroups\u001b[0m: [\u001b[38;5;37m\"\"\u001b[0m]", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 55, + "Content": " resources:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mresources\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 56, + "Content": " - configmaps", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - configmaps", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 57, + "Content": " - secrets", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - secrets", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 58, + "Content": " - pods", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - pods", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 59, + "Content": " - services", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - services", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 60, + "Content": " - serviceaccounts", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - serviceaccounts", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 61, + "Content": " - serviceaccounts/token", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - serviceaccounts/token", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 62, + "Content": " - endpoints", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - endpoints", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 63, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV049", + "AVDID": "AVD-KSV-0049", + 
"Title": "Manage configmaps", + "Description": "Some workloads leverage configmaps to store sensitive data or configuration parameters that affect runtime behavior that can be modified by an attacker or combined with another issue to potentially lead to compromise.", + "Message": "ClusterRole 'nats-streaming-operator' should not have access to resource 'configmaps' for verbs [\"create\", \"update\", \"patch\", \"delete\", \"deletecollection\", \"impersonate\", \"*\"]", + "Namespace": "builtin.kubernetes.KSV049", + "Query": "data.builtin.kubernetes.KSV049.deny", + "Resolution": "Remove write permission verbs for resource 'configmaps'", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv049", + "References": [ + "https://kubernetes.io/docs/concepts/security/rbac-good-practices/", + "https://avd.aquasec.com/misconfig/ksv049" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 54, + "EndLine": 64, + "Code": { + "Lines": [ + { + "Number": 54, + "Content": "- apiGroups: [\"\"]", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m- \u001b[38;5;33mapiGroups\u001b[0m: [\u001b[38;5;37m\"\"\u001b[0m]", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 55, + "Content": " resources:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mresources\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 56, + "Content": " - configmaps", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - configmaps", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 57, + "Content": " - secrets", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - secrets", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 58, + "Content": " - pods", + "IsCause": true, + "Annotation": "", + "Truncated": false, + 
"Highlighted": " - pods", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 59, + "Content": " - services", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - services", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 60, + "Content": " - serviceaccounts", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - serviceaccounts", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 61, + "Content": " - serviceaccounts/token", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - serviceaccounts/token", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 62, + "Content": " - endpoints", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - endpoints", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 63, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV053", + "AVDID": "AVD-KSV-0053", + "Title": "Exec into Pods", + "Description": "The ability to exec into a container with privileged access to the host or with an attached SA with higher RBAC permissions is a common escalation path to cluster-admin.", + "Message": "ClusterRole 'nats-operator' should not have access to resource '[\"pods/exec\"]' for verbs [\"create\", \"update\", \"patch\", \"delete\", \"deletecollection\", \"impersonate\", \"*\"]", + "Namespace": "builtin.kubernetes.KSV053", + "Query": "data.builtin.kubernetes.KSV053.deny", + "Resolution": "Remove write permission verbs for resource 'pods/exec'", + "Severity": "HIGH", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv053", + "References": [ + "https://kubernetes.io/docs/concepts/security/rbac-good-practices/", + "https://avd.aquasec.com/misconfig/ksv053" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + 
"Provider": "Kubernetes", + "Service": "general", + "StartLine": 106, + "EndLine": 112, + "Code": { + "Lines": [ + { + "Number": 106, + "Content": "- apiGroups: [\"\"]", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m- \u001b[38;5;33mapiGroups\u001b[0m: [\u001b[38;5;37m\"\"\u001b[0m]", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 107, + "Content": " resources:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mresources\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 108, + "Content": " - pods/exec", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - pods/exec", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 109, + "Content": " - pods/log", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - pods/log", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 110, + "Content": " - serviceaccounts/token", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - serviceaccounts/token", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 111, + "Content": " - events", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - events", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 112, + "Content": " verbs: [\"*\"]", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mverbs\u001b[0m: [\u001b[38;5;37m\"*\"\u001b[0m]", + "FirstCause": false, + "LastCause": true + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV056", + "AVDID": "AVD-KSV-0056", + "Title": "Manage Kubernetes networking", + "Description": "The ability to control which pods get service traffic directed to them allows for interception attacks. 
Controlling network policy allows for bypassing lateral movement restrictions.", + "Message": "ClusterRole 'nats-operator' should not have access to resources [\"services\", \"endpoints\", \"endpointslices\", \"networkpolicies\", \"ingresses\"] for verbs [\"create\", \"update\", \"patch\", \"delete\", \"deletecollection\", \"impersonate\", \"*\"]", + "Namespace": "builtin.kubernetes.KSV056", + "Query": "data.builtin.kubernetes.KSV056.deny", + "Resolution": "Networking resources are only allowed for verbs 'list', 'watch', 'get'", + "Severity": "HIGH", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv056", + "References": [ + "https://kubernetes.io/docs/concepts/security/rbac-good-practices/", + "https://avd.aquasec.com/misconfig/ksv056" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 122, + "EndLine": 125, + "Code": { + "Lines": [ + { + "Number": 122, + "Content": "- apiGroups: [\"\"]", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m- \u001b[38;5;33mapiGroups\u001b[0m: [\u001b[38;5;37m\"\"\u001b[0m]", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 123, + "Content": " resources:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mresources\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 124, + "Content": " - endpoints", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - endpoints", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 125, + "Content": " verbs: [\"create\", \"watch\", \"get\", \"update\", \"delete\", \"list\"]", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mverbs\u001b[0m: [\u001b[38;5;37m\"create\"\u001b[0m, \u001b[38;5;37m\"watch\"\u001b[0m, \u001b[38;5;37m\"get\"\u001b[0m, \u001b[38;5;37m\"update\"\u001b[0m, \u001b[38;5;37m\"delete\"\u001b[0m, 
\u001b[38;5;37m\"list\"\u001b[0m]", + "FirstCause": false, + "LastCause": true + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV056", + "AVDID": "AVD-KSV-0056", + "Title": "Manage Kubernetes networking", + "Description": "The ability to control which pods get service traffic directed to them allows for interception attacks. Controlling network policy allows for bypassing lateral movement restrictions.", + "Message": "ClusterRole 'nats-operator' should not have access to resources [\"services\", \"endpoints\", \"endpointslices\", \"networkpolicies\", \"ingresses\"] for verbs [\"create\", \"update\", \"patch\", \"delete\", \"deletecollection\", \"impersonate\", \"*\"]", + "Namespace": "builtin.kubernetes.KSV056", + "Query": "data.builtin.kubernetes.KSV056.deny", + "Resolution": "Networking resources are only allowed for verbs 'list', 'watch', 'get'", + "Severity": "HIGH", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv056", + "References": [ + "https://kubernetes.io/docs/concepts/security/rbac-good-practices/", + "https://avd.aquasec.com/misconfig/ksv056" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 94, + "EndLine": 97, + "Code": { + "Lines": [ + { + "Number": 94, + "Content": "- apiGroups: [\"\"]", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m- \u001b[38;5;33mapiGroups\u001b[0m: [\u001b[38;5;37m\"\"\u001b[0m]", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 95, + "Content": " resources:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mresources\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 96, + "Content": " - services", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - services", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 97, + "Content": " verbs: [\"create\", 
\"watch\", \"get\", \"patch\", \"update\", \"delete\", \"list\"]", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mverbs\u001b[0m: [\u001b[38;5;37m\"create\"\u001b[0m, \u001b[38;5;37m\"watch\"\u001b[0m, \u001b[38;5;37m\"get\"\u001b[0m, \u001b[38;5;37m\"patch\"\u001b[0m, \u001b[38;5;37m\"update\"\u001b[0m, \u001b[38;5;37m\"delete\"\u001b[0m, \u001b[38;5;37m\"list\"\u001b[0m]", + "FirstCause": false, + "LastCause": true + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV056", + "AVDID": "AVD-KSV-0056", + "Title": "Manage Kubernetes networking", + "Description": "The ability to control which pods get service traffic directed to them allows for interception attacks. Controlling network policy allows for bypassing lateral movement restrictions.", + "Message": "ClusterRole 'nats-streaming-operator' should not have access to resources [\"services\", \"endpoints\", \"endpointslices\", \"networkpolicies\", \"ingresses\"] for verbs [\"create\", \"update\", \"patch\", \"delete\", \"deletecollection\", \"impersonate\", \"*\"]", + "Namespace": "builtin.kubernetes.KSV056", + "Query": "data.builtin.kubernetes.KSV056.deny", + "Resolution": "Networking resources are only allowed for verbs 'list', 'watch', 'get'", + "Severity": "HIGH", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv056", + "References": [ + "https://kubernetes.io/docs/concepts/security/rbac-good-practices/", + "https://avd.aquasec.com/misconfig/ksv056" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 54, + "EndLine": 64, + "Code": { + "Lines": [ + { + "Number": 54, + "Content": "- apiGroups: [\"\"]", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m- \u001b[38;5;33mapiGroups\u001b[0m: [\u001b[38;5;37m\"\"\u001b[0m]", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 55, + "Content": " resources:", + 
"IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mresources\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 56, + "Content": " - configmaps", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - configmaps", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 57, + "Content": " - secrets", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - secrets", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 58, + "Content": " - pods", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - pods", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 59, + "Content": " - services", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - services", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 60, + "Content": " - serviceaccounts", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - serviceaccounts", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 61, + "Content": " - serviceaccounts/token", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - serviceaccounts/token", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 62, + "Content": " - endpoints", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - endpoints", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 63, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV104", + "AVDID": "AVD-KSV-0104", + "Title": "Seccomp policies disabled", + "Description": "A program inside the container can bypass Seccomp protection policies.", + "Message": "container \"nats-operator\" of deployment \"nats-operator\" in 
\"devtroncd\" namespace should specify a seccomp profile", + "Namespace": "builtin.kubernetes.KSV104", + "Query": "data.builtin.kubernetes.KSV104.deny", + "Resolution": "Specify seccomp either by annotation or by seccomp profile type having allowed values as per pod security standards", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv104", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline", + "https://avd.aquasec.com/misconfig/ksv104" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 192, + "EndLine": 192, + "Code": { + "Lines": [ + { + "Number": 192, + "Content": "---", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "---", + "FirstCause": true, + "LastCause": true + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV106", + "AVDID": "AVD-KSV-0106", + "Title": "Container capabilities must only include NET_BIND_SERVICE", + "Description": "Containers must drop ALL capabilities, and are only permitted to add back the NET_BIND_SERVICE capability.", + "Message": "container should drop all", + "Namespace": "builtin.kubernetes.KSV106", + "Query": "data.builtin.kubernetes.KSV106.deny", + "Resolution": "Set 'spec.containers[*].securityContext.capabilities.drop' to 'ALL' and only add 'NET_BIND_SERVICE' to 'spec.containers[*].securityContext.capabilities.add'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv106", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", + "https://avd.aquasec.com/misconfig/ksv106" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 213, + "EndLine": 237, + "Code": { + "Lines": [ + { + "Number": 213, + "Content": " - name: nats-operator", + "IsCause": true, + "Annotation": "", + 
"Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: nats-operator", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 214, + "Content": " image: \"quay.io/devtron/nats-operator:0.5.0-v1alpha2\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/nats-operator:0.5.0-v1alpha2\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 215, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 216, + "Content": " args:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33margs\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 217, + "Content": " - nats-operator", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - nats-operator", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 218, + "Content": " # Uncomment to perform a cluster-scoped deployment in supported versions.", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;239m# Uncomment to perform a cluster-scoped deployment in supported versions.", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 219, + "Content": " #- --feature-gates=ClusterScoped=true", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;239m#- --feature-gates=ClusterScoped=true", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 220, + "Content": " ports:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mports\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 221, + "Content": " - name: readyz", + 
"IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: readyz", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 222, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + } + ] + }, + { + "Target": "manifests/yamls/nats-server.yaml", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 153, + "Failures": 53, + "Exceptions": 0 + }, + "Misconfigurations": [ + { + "Type": "Kubernetes Security Check", + "ID": "KSV001", + "AVDID": "AVD-KSV-0001", + "Title": "Can elevate its own privileges", + "Description": "A program inside the container can elevate its own privileges and run as root, which might give the program control over the container and node.", + "Message": "Container 'metrics' of StatefulSet 'devtron-nats' should set 'securityContext.allowPrivilegeEscalation' to false", + "Namespace": "builtin.kubernetes.KSV001", + "Query": "data.builtin.kubernetes.KSV001.deny", + "Resolution": "Set 'set containers[].securityContext.allowPrivilegeEscalation' to 'false'.", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv001", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", + "https://avd.aquasec.com/misconfig/ksv001" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 240, + "EndLine": 256, + "Code": { + "Lines": [ + { + "Number": 240, + "Content": " - name: metrics", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: metrics", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 241, + "Content": " image: quay.io/devtron/prometheus-nats-exporter:0.9.0", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: 
quay.io/devtron/prometheus-nats-exporter:0.9.0", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 242, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 243, + "Content": " resources:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mresources\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 244, + "Content": " {}", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " {}", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 245, + "Content": " args:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33margs\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 246, + "Content": " - -connz", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - -connz", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 247, + "Content": " - -routez", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - -routez", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 248, + "Content": " - -subz", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - -subz", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 249, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV001", + "AVDID": "AVD-KSV-0001", + "Title": "Can elevate its own privileges", + "Description": "A program inside the container can elevate its own privileges and run as root, which might give the program control over the container and node.", + "Message": "Container 'nats' 
of StatefulSet 'devtron-nats' should set 'securityContext.allowPrivilegeEscalation' to false", + "Namespace": "builtin.kubernetes.KSV001", + "Query": "data.builtin.kubernetes.KSV001.deny", + "Resolution": "Set 'set containers[].securityContext.allowPrivilegeEscalation' to 'false'.", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv001", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", + "https://avd.aquasec.com/misconfig/ksv001" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 133, + "EndLine": 208, + "Code": { + "Lines": [ + { + "Number": 133, + "Content": " - name: nats", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: nats", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 134, + "Content": " image: nats:2.9.3-alpine", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: nats:2.9.3-alpine", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 135, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 136, + "Content": " resources:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mresources\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 137, + "Content": " {}", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " {}", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 138, + "Content": " ports:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mports\u001b[0m:", + "FirstCause": false, + "LastCause": false + 
}, + { + "Number": 139, + "Content": " - containerPort: 4222", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m4222", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 140, + "Content": " name: client", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mname\u001b[0m: client", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 141, + "Content": " - containerPort: 7422", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m7422", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 142, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV001", + "AVDID": "AVD-KSV-0001", + "Title": "Can elevate its own privileges", + "Description": "A program inside the container can elevate its own privileges and run as root, which might give the program control over the container and node.", + "Message": "Container 'nats-box' of Pod 'devtron-nats-test-request-reply' should set 'securityContext.allowPrivilegeEscalation' to false", + "Namespace": "builtin.kubernetes.KSV001", + "Query": "data.builtin.kubernetes.KSV001.deny", + "Resolution": "Set 'set containers[].securityContext.allowPrivilegeEscalation' to 'false'.", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv001", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", + "https://avd.aquasec.com/misconfig/ksv001" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 284, + "EndLine": 300, + "Code": { + "Lines": [ + { + "Number": 284, + "Content": " - name: nats-box", + 
"IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: nats-box", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 285, + "Content": " image: quay.io/devtron/nats-box", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/nats-box", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 286, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 287, + "Content": " - name: NATS_HOST", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: NATS_HOST", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 288, + "Content": " value: devtron-nats", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: devtron-nats", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 289, + "Content": " command:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mcommand\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 290, + "Content": " - /bin/sh", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - /bin/sh", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 291, + "Content": " - -ec", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - -ec", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 292, + "Content": " - |", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - |", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 293, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] 
+ } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV001", + "AVDID": "AVD-KSV-0001", + "Title": "Can elevate its own privileges", + "Description": "A program inside the container can elevate its own privileges and run as root, which might give the program control over the container and node.", + "Message": "Container 'reloader' of StatefulSet 'devtron-nats' should set 'securityContext.allowPrivilegeEscalation' to false", + "Namespace": "builtin.kubernetes.KSV001", + "Query": "data.builtin.kubernetes.KSV001.deny", + "Resolution": "Set 'set containers[].securityContext.allowPrivilegeEscalation' to 'false'.", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv001", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", + "https://avd.aquasec.com/misconfig/ksv001" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 216, + "EndLine": 231, + "Code": { + "Lines": [ + { + "Number": 216, + "Content": " - name: reloader", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: reloader", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 217, + "Content": " image: quay.io/devtron/nats-server-config-reloader:0.6.2", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/nats-server-config-reloader:0.6.2", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 218, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 219, + "Content": " resources:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mresources\u001b[0m:", + 
"FirstCause": false, + "LastCause": false + }, + { + "Number": 220, + "Content": " null", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;166mnull", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 221, + "Content": " command:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mcommand\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 222, + "Content": " - \"nats-server-config-reloader\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;37m\"nats-server-config-reloader\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 223, + "Content": " - \"-pid\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m - \u001b[38;5;37m\"-pid\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 224, + "Content": " - \"/var/run/nats/nats.pid\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m - \u001b[38;5;37m\"/var/run/nats/nats.pid\"", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 225, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV003", + "AVDID": "AVD-KSV-0003", + "Title": "Default capabilities: some containers do not drop all", + "Description": "The container should drop all default capabilities and add only those that are needed for its execution.", + "Message": "Container 'metrics' of StatefulSet 'devtron-nats' should add 'ALL' to 'securityContext.capabilities.drop'", + "Namespace": "builtin.kubernetes.KSV003", + "Query": "data.builtin.kubernetes.KSV003.deny", + "Resolution": "Add 'ALL' to containers[].securityContext.capabilities.drop.", + "Severity": "LOW", + "PrimaryURL": 
"https://avd.aquasec.com/misconfig/ksv003", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-capabilities-drop-index-all/", + "https://avd.aquasec.com/misconfig/ksv003" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 240, + "EndLine": 256, + "Code": { + "Lines": [ + { + "Number": 240, + "Content": " - name: metrics", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: metrics", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 241, + "Content": " image: quay.io/devtron/prometheus-nats-exporter:0.9.0", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/prometheus-nats-exporter:0.9.0", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 242, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 243, + "Content": " resources:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mresources\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 244, + "Content": " {}", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " {}", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 245, + "Content": " args:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33margs\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 246, + "Content": " - -connz", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - -connz", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 247, + "Content": " - -routez", + "IsCause": true, + 
"Annotation": "", + "Truncated": false, + "Highlighted": " - -routez", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 248, + "Content": " - -subz", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - -subz", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 249, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV003", + "AVDID": "AVD-KSV-0003", + "Title": "Default capabilities: some containers do not drop all", + "Description": "The container should drop all default capabilities and add only those that are needed for its execution.", + "Message": "Container 'nats' of StatefulSet 'devtron-nats' should add 'ALL' to 'securityContext.capabilities.drop'", + "Namespace": "builtin.kubernetes.KSV003", + "Query": "data.builtin.kubernetes.KSV003.deny", + "Resolution": "Add 'ALL' to containers[].securityContext.capabilities.drop.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv003", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-capabilities-drop-index-all/", + "https://avd.aquasec.com/misconfig/ksv003" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 133, + "EndLine": 208, + "Code": { + "Lines": [ + { + "Number": 133, + "Content": " - name: nats", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: nats", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 134, + "Content": " image: nats:2.9.3-alpine", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: nats:2.9.3-alpine", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 135, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + 
"Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 136, + "Content": " resources:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mresources\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 137, + "Content": " {}", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " {}", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 138, + "Content": " ports:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mports\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 139, + "Content": " - containerPort: 4222", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m4222", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 140, + "Content": " name: client", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mname\u001b[0m: client", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 141, + "Content": " - containerPort: 7422", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m7422", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 142, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV003", + "AVDID": "AVD-KSV-0003", + "Title": "Default capabilities: some containers do not drop all", + "Description": "The container should drop all default capabilities and add only those that are needed for its execution.", + "Message": "Container 'nats-box' of Pod 
'devtron-nats-test-request-reply' should add 'ALL' to 'securityContext.capabilities.drop'", + "Namespace": "builtin.kubernetes.KSV003", + "Query": "data.builtin.kubernetes.KSV003.deny", + "Resolution": "Add 'ALL' to containers[].securityContext.capabilities.drop.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv003", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-capabilities-drop-index-all/", + "https://avd.aquasec.com/misconfig/ksv003" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 284, + "EndLine": 300, + "Code": { + "Lines": [ + { + "Number": 284, + "Content": " - name: nats-box", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: nats-box", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 285, + "Content": " image: quay.io/devtron/nats-box", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/nats-box", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 286, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 287, + "Content": " - name: NATS_HOST", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: NATS_HOST", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 288, + "Content": " value: devtron-nats", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: devtron-nats", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 289, + "Content": " command:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mcommand\u001b[0m:", + "FirstCause": 
false, + "LastCause": false + }, + { + "Number": 290, + "Content": " - /bin/sh", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - /bin/sh", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 291, + "Content": " - -ec", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - -ec", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 292, + "Content": " - |", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - |", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 293, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV003", + "AVDID": "AVD-KSV-0003", + "Title": "Default capabilities: some containers do not drop all", + "Description": "The container should drop all default capabilities and add only those that are needed for its execution.", + "Message": "Container 'reloader' of StatefulSet 'devtron-nats' should add 'ALL' to 'securityContext.capabilities.drop'", + "Namespace": "builtin.kubernetes.KSV003", + "Query": "data.builtin.kubernetes.KSV003.deny", + "Resolution": "Add 'ALL' to containers[].securityContext.capabilities.drop.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv003", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-capabilities-drop-index-all/", + "https://avd.aquasec.com/misconfig/ksv003" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 216, + "EndLine": 231, + "Code": { + "Lines": [ + { + "Number": 216, + "Content": " - name: reloader", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: reloader", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 217, + "Content": " image: 
quay.io/devtron/nats-server-config-reloader:0.6.2", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/nats-server-config-reloader:0.6.2", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 218, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 219, + "Content": " resources:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mresources\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 220, + "Content": " null", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;166mnull", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 221, + "Content": " command:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mcommand\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 222, + "Content": " - \"nats-server-config-reloader\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;37m\"nats-server-config-reloader\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 223, + "Content": " - \"-pid\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m - \u001b[38;5;37m\"-pid\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 224, + "Content": " - \"/var/run/nats/nats.pid\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m - \u001b[38;5;37m\"/var/run/nats/nats.pid\"", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 225, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + 
"LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV011", + "AVDID": "AVD-KSV-0011", + "Title": "CPU not limited", + "Description": "Enforcing CPU limits prevents DoS via resource exhaustion.", + "Message": "Container 'metrics' of StatefulSet 'devtron-nats' should set 'resources.limits.cpu'", + "Namespace": "builtin.kubernetes.KSV011", + "Query": "data.builtin.kubernetes.KSV011.deny", + "Resolution": "Set a limit value under 'containers[].resources.limits.cpu'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv011", + "References": [ + "https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", + "https://avd.aquasec.com/misconfig/ksv011" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 240, + "EndLine": 256, + "Code": { + "Lines": [ + { + "Number": 240, + "Content": " - name: metrics", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: metrics", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 241, + "Content": " image: quay.io/devtron/prometheus-nats-exporter:0.9.0", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/prometheus-nats-exporter:0.9.0", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 242, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 243, + "Content": " resources:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mresources\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 244, + "Content": " {}", + "IsCause": 
true, + "Annotation": "", + "Truncated": false, + "Highlighted": " {}", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 245, + "Content": " args:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33margs\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 246, + "Content": " - -connz", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - -connz", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 247, + "Content": " - -routez", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - -routez", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 248, + "Content": " - -subz", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - -subz", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 249, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV011", + "AVDID": "AVD-KSV-0011", + "Title": "CPU not limited", + "Description": "Enforcing CPU limits prevents DoS via resource exhaustion.", + "Message": "Container 'nats' of StatefulSet 'devtron-nats' should set 'resources.limits.cpu'", + "Namespace": "builtin.kubernetes.KSV011", + "Query": "data.builtin.kubernetes.KSV011.deny", + "Resolution": "Set a limit value under 'containers[].resources.limits.cpu'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv011", + "References": [ + "https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", + "https://avd.aquasec.com/misconfig/ksv011" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 133, + "EndLine": 208, + "Code": { + "Lines": [ + { + "Number": 133, + "Content": " - 
name: nats", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: nats", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 134, + "Content": " image: nats:2.9.3-alpine", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: nats:2.9.3-alpine", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 135, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 136, + "Content": " resources:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mresources\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 137, + "Content": " {}", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " {}", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 138, + "Content": " ports:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mports\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 139, + "Content": " - containerPort: 4222", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m4222", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 140, + "Content": " name: client", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mname\u001b[0m: client", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 141, + "Content": " - containerPort: 7422", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m7422", + "FirstCause": false, + "LastCause": true 
+ }, + { + "Number": 142, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV011", + "AVDID": "AVD-KSV-0011", + "Title": "CPU not limited", + "Description": "Enforcing CPU limits prevents DoS via resource exhaustion.", + "Message": "Container 'nats-box' of Pod 'devtron-nats-test-request-reply' should set 'resources.limits.cpu'", + "Namespace": "builtin.kubernetes.KSV011", + "Query": "data.builtin.kubernetes.KSV011.deny", + "Resolution": "Set a limit value under 'containers[].resources.limits.cpu'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv011", + "References": [ + "https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", + "https://avd.aquasec.com/misconfig/ksv011" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 284, + "EndLine": 300, + "Code": { + "Lines": [ + { + "Number": 284, + "Content": " - name: nats-box", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: nats-box", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 285, + "Content": " image: quay.io/devtron/nats-box", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/nats-box", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 286, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 287, + "Content": " - name: NATS_HOST", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: NATS_HOST", + "FirstCause": false, + "LastCause": 
false + }, + { + "Number": 288, + "Content": " value: devtron-nats", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: devtron-nats", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 289, + "Content": " command:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mcommand\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 290, + "Content": " - /bin/sh", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - /bin/sh", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 291, + "Content": " - -ec", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - -ec", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 292, + "Content": " - |", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - |", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 293, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV011", + "AVDID": "AVD-KSV-0011", + "Title": "CPU not limited", + "Description": "Enforcing CPU limits prevents DoS via resource exhaustion.", + "Message": "Container 'reloader' of StatefulSet 'devtron-nats' should set 'resources.limits.cpu'", + "Namespace": "builtin.kubernetes.KSV011", + "Query": "data.builtin.kubernetes.KSV011.deny", + "Resolution": "Set a limit value under 'containers[].resources.limits.cpu'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv011", + "References": [ + "https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", + "https://avd.aquasec.com/misconfig/ksv011" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + 
"Service": "general", + "StartLine": 216, + "EndLine": 231, + "Code": { + "Lines": [ + { + "Number": 216, + "Content": " - name: reloader", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: reloader", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 217, + "Content": " image: quay.io/devtron/nats-server-config-reloader:0.6.2", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/nats-server-config-reloader:0.6.2", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 218, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 219, + "Content": " resources:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mresources\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 220, + "Content": " null", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;166mnull", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 221, + "Content": " command:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mcommand\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 222, + "Content": " - \"nats-server-config-reloader\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;37m\"nats-server-config-reloader\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 223, + "Content": " - \"-pid\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m - \u001b[38;5;37m\"-pid\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 224, + 
"Content": " - \"/var/run/nats/nats.pid\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m - \u001b[38;5;37m\"/var/run/nats/nats.pid\"", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 225, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV012", + "AVDID": "AVD-KSV-0012", + "Title": "Runs as root user", + "Description": "Force the running image to run as a non-root user to ensure least privileges.", + "Message": "Container 'metrics' of StatefulSet 'devtron-nats' should set 'securityContext.runAsNonRoot' to true", + "Namespace": "builtin.kubernetes.KSV012", + "Query": "data.builtin.kubernetes.KSV012.deny", + "Resolution": "Set 'containers[].securityContext.runAsNonRoot' to true.", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv012", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", + "https://avd.aquasec.com/misconfig/ksv012" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 240, + "EndLine": 256, + "Code": { + "Lines": [ + { + "Number": 240, + "Content": " - name: metrics", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: metrics", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 241, + "Content": " image: quay.io/devtron/prometheus-nats-exporter:0.9.0", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/prometheus-nats-exporter:0.9.0", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 242, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " 
\u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 243, + "Content": " resources:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mresources\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 244, + "Content": " {}", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " {}", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 245, + "Content": " args:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33margs\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 246, + "Content": " - -connz", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - -connz", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 247, + "Content": " - -routez", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - -routez", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 248, + "Content": " - -subz", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - -subz", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 249, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV012", + "AVDID": "AVD-KSV-0012", + "Title": "Runs as root user", + "Description": "Force the running image to run as a non-root user to ensure least privileges.", + "Message": "Container 'nats' of StatefulSet 'devtron-nats' should set 'securityContext.runAsNonRoot' to true", + "Namespace": "builtin.kubernetes.KSV012", + "Query": "data.builtin.kubernetes.KSV012.deny", + "Resolution": "Set 'containers[].securityContext.runAsNonRoot' to true.", + "Severity": "MEDIUM", + "PrimaryURL": 
"https://avd.aquasec.com/misconfig/ksv012", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", + "https://avd.aquasec.com/misconfig/ksv012" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 133, + "EndLine": 208, + "Code": { + "Lines": [ + { + "Number": 133, + "Content": " - name: nats", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: nats", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 134, + "Content": " image: nats:2.9.3-alpine", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: nats:2.9.3-alpine", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 135, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 136, + "Content": " resources:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mresources\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 137, + "Content": " {}", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " {}", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 138, + "Content": " ports:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mports\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 139, + "Content": " - containerPort: 4222", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m4222", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 140, + "Content": " name: client", + "IsCause": 
true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mname\u001b[0m: client", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 141, + "Content": " - containerPort: 7422", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m7422", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 142, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV012", + "AVDID": "AVD-KSV-0012", + "Title": "Runs as root user", + "Description": "Force the running image to run as a non-root user to ensure least privileges.", + "Message": "Container 'nats-box' of Pod 'devtron-nats-test-request-reply' should set 'securityContext.runAsNonRoot' to true", + "Namespace": "builtin.kubernetes.KSV012", + "Query": "data.builtin.kubernetes.KSV012.deny", + "Resolution": "Set 'containers[].securityContext.runAsNonRoot' to true.", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv012", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", + "https://avd.aquasec.com/misconfig/ksv012" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 284, + "EndLine": 300, + "Code": { + "Lines": [ + { + "Number": 284, + "Content": " - name: nats-box", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: nats-box", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 285, + "Content": " image: quay.io/devtron/nats-box", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/nats-box", + "FirstCause": false, + "LastCause": false + }, + { + 
"Number": 286, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 287, + "Content": " - name: NATS_HOST", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: NATS_HOST", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 288, + "Content": " value: devtron-nats", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: devtron-nats", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 289, + "Content": " command:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mcommand\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 290, + "Content": " - /bin/sh", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - /bin/sh", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 291, + "Content": " - -ec", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - -ec", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 292, + "Content": " - |", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - |", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 293, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV012", + "AVDID": "AVD-KSV-0012", + "Title": "Runs as root user", + "Description": "Force the running image to run as a non-root user to ensure least privileges.", + "Message": "Container 'reloader' of StatefulSet 'devtron-nats' should set 'securityContext.runAsNonRoot' to true", + "Namespace": "builtin.kubernetes.KSV012", + "Query": 
"data.builtin.kubernetes.KSV012.deny", + "Resolution": "Set 'containers[].securityContext.runAsNonRoot' to true.", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv012", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", + "https://avd.aquasec.com/misconfig/ksv012" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 216, + "EndLine": 231, + "Code": { + "Lines": [ + { + "Number": 216, + "Content": " - name: reloader", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: reloader", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 217, + "Content": " image: quay.io/devtron/nats-server-config-reloader:0.6.2", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/nats-server-config-reloader:0.6.2", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 218, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 219, + "Content": " resources:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mresources\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 220, + "Content": " null", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;166mnull", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 221, + "Content": " command:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mcommand\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 222, + "Content": " - 
\"nats-server-config-reloader\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;37m\"nats-server-config-reloader\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 223, + "Content": " - \"-pid\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m - \u001b[38;5;37m\"-pid\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 224, + "Content": " - \"/var/run/nats/nats.pid\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m - \u001b[38;5;37m\"/var/run/nats/nats.pid\"", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 225, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV013", + "AVDID": "AVD-KSV-0013", + "Title": "Image tag \":latest\" used", + "Description": "It is best to avoid using the ':latest' image tag when deploying containers in production. 
Doing so makes it hard to track which version of the image is running, and hard to roll back the version.", + "Message": "Container 'nats-box' of Pod 'devtron-nats-test-request-reply' should specify an image tag", + "Namespace": "builtin.kubernetes.KSV013", + "Query": "data.builtin.kubernetes.KSV013.deny", + "Resolution": "Use a specific container image tag that is not 'latest'.", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv013", + "References": [ + "https://kubernetes.io/docs/concepts/configuration/overview/#container-images", + "https://avd.aquasec.com/misconfig/ksv013" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 284, + "EndLine": 300, + "Code": { + "Lines": [ + { + "Number": 284, + "Content": " - name: nats-box", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: nats-box", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 285, + "Content": " image: quay.io/devtron/nats-box", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/nats-box", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 286, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 287, + "Content": " - name: NATS_HOST", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: NATS_HOST", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 288, + "Content": " value: devtron-nats", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: devtron-nats", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 289, + "Content": " command:", + "IsCause": 
true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mcommand\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 290, + "Content": " - /bin/sh", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - /bin/sh", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 291, + "Content": " - -ec", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - -ec", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 292, + "Content": " - |", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - |", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 293, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV014", + "AVDID": "AVD-KSV-0014", + "Title": "Root file system is not read-only", + "Description": "An immutable root file system prevents applications from writing to their local disk. 
This can limit intrusions, as attackers will not be able to tamper with the file system or write foreign executables to disk.", + "Message": "Container 'metrics' of StatefulSet 'devtron-nats' should set 'securityContext.readOnlyRootFilesystem' to true", + "Namespace": "builtin.kubernetes.KSV014", + "Query": "data.builtin.kubernetes.KSV014.deny", + "Resolution": "Change 'containers[].securityContext.readOnlyRootFilesystem' to 'true'.", + "Severity": "HIGH", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv014", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-readonlyrootfilesystem-true/", + "https://avd.aquasec.com/misconfig/ksv014" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 240, + "EndLine": 256, + "Code": { + "Lines": [ + { + "Number": 240, + "Content": " - name: metrics", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: metrics", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 241, + "Content": " image: quay.io/devtron/prometheus-nats-exporter:0.9.0", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/prometheus-nats-exporter:0.9.0", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 242, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 243, + "Content": " resources:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mresources\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 244, + "Content": " {}", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " {}", + "FirstCause": false, + 
"LastCause": false + }, + { + "Number": 245, + "Content": " args:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33margs\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 246, + "Content": " - -connz", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - -connz", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 247, + "Content": " - -routez", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - -routez", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 248, + "Content": " - -subz", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - -subz", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 249, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV014", + "AVDID": "AVD-KSV-0014", + "Title": "Root file system is not read-only", + "Description": "An immutable root file system prevents applications from writing to their local disk. 
This can limit intrusions, as attackers will not be able to tamper with the file system or write foreign executables to disk.", + "Message": "Container 'nats' of StatefulSet 'devtron-nats' should set 'securityContext.readOnlyRootFilesystem' to true", + "Namespace": "builtin.kubernetes.KSV014", + "Query": "data.builtin.kubernetes.KSV014.deny", + "Resolution": "Change 'containers[].securityContext.readOnlyRootFilesystem' to 'true'.", + "Severity": "HIGH", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv014", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-readonlyrootfilesystem-true/", + "https://avd.aquasec.com/misconfig/ksv014" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 133, + "EndLine": 208, + "Code": { + "Lines": [ + { + "Number": 133, + "Content": " - name: nats", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: nats", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 134, + "Content": " image: nats:2.9.3-alpine", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: nats:2.9.3-alpine", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 135, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 136, + "Content": " resources:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mresources\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 137, + "Content": " {}", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " {}", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 138, + "Content": " ports:", + 
"IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mports\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 139, + "Content": " - containerPort: 4222", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m4222", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 140, + "Content": " name: client", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mname\u001b[0m: client", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 141, + "Content": " - containerPort: 7422", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m7422", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 142, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV014", + "AVDID": "AVD-KSV-0014", + "Title": "Root file system is not read-only", + "Description": "An immutable root file system prevents applications from writing to their local disk. 
This can limit intrusions, as attackers will not be able to tamper with the file system or write foreign executables to disk.", + "Message": "Container 'nats-box' of Pod 'devtron-nats-test-request-reply' should set 'securityContext.readOnlyRootFilesystem' to true", + "Namespace": "builtin.kubernetes.KSV014", + "Query": "data.builtin.kubernetes.KSV014.deny", + "Resolution": "Change 'containers[].securityContext.readOnlyRootFilesystem' to 'true'.", + "Severity": "HIGH", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv014", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-readonlyrootfilesystem-true/", + "https://avd.aquasec.com/misconfig/ksv014" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 284, + "EndLine": 300, + "Code": { + "Lines": [ + { + "Number": 284, + "Content": " - name: nats-box", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: nats-box", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 285, + "Content": " image: quay.io/devtron/nats-box", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/nats-box", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 286, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 287, + "Content": " - name: NATS_HOST", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: NATS_HOST", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 288, + "Content": " value: devtron-nats", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: devtron-nats", + "FirstCause": false, + "LastCause": 
false + }, + { + "Number": 289, + "Content": " command:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mcommand\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 290, + "Content": " - /bin/sh", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - /bin/sh", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 291, + "Content": " - -ec", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - -ec", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 292, + "Content": " - |", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - |", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 293, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV014", + "AVDID": "AVD-KSV-0014", + "Title": "Root file system is not read-only", + "Description": "An immutable root file system prevents applications from writing to their local disk. 
This can limit intrusions, as attackers will not be able to tamper with the file system or write foreign executables to disk.", + "Message": "Container 'reloader' of StatefulSet 'devtron-nats' should set 'securityContext.readOnlyRootFilesystem' to true", + "Namespace": "builtin.kubernetes.KSV014", + "Query": "data.builtin.kubernetes.KSV014.deny", + "Resolution": "Change 'containers[].securityContext.readOnlyRootFilesystem' to 'true'.", + "Severity": "HIGH", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv014", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-readonlyrootfilesystem-true/", + "https://avd.aquasec.com/misconfig/ksv014" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 216, + "EndLine": 231, + "Code": { + "Lines": [ + { + "Number": 216, + "Content": " - name: reloader", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: reloader", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 217, + "Content": " image: quay.io/devtron/nats-server-config-reloader:0.6.2", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/nats-server-config-reloader:0.6.2", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 218, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 219, + "Content": " resources:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mresources\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 220, + "Content": " null", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;166mnull", + 
"FirstCause": false, + "LastCause": false + }, + { + "Number": 221, + "Content": " command:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mcommand\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 222, + "Content": " - \"nats-server-config-reloader\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;37m\"nats-server-config-reloader\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 223, + "Content": " - \"-pid\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m - \u001b[38;5;37m\"-pid\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 224, + "Content": " - \"/var/run/nats/nats.pid\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m - \u001b[38;5;37m\"/var/run/nats/nats.pid\"", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 225, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV015", + "AVDID": "AVD-KSV-0015", + "Title": "CPU requests not specified", + "Description": "When containers have resource requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", + "Message": "Container 'metrics' of StatefulSet 'devtron-nats' should set 'resources.requests.cpu'", + "Namespace": "builtin.kubernetes.KSV015", + "Query": "data.builtin.kubernetes.KSV015.deny", + "Resolution": "Set 'containers[].resources.requests.cpu'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv015", + "References": [ + "https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", + "https://avd.aquasec.com/misconfig/ksv015" + ], + 
"Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 240, + "EndLine": 256, + "Code": { + "Lines": [ + { + "Number": 240, + "Content": " - name: metrics", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: metrics", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 241, + "Content": " image: quay.io/devtron/prometheus-nats-exporter:0.9.0", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/prometheus-nats-exporter:0.9.0", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 242, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 243, + "Content": " resources:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mresources\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 244, + "Content": " {}", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " {}", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 245, + "Content": " args:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33margs\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 246, + "Content": " - -connz", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - -connz", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 247, + "Content": " - -routez", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - -routez", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 248, + "Content": " - -subz", + "IsCause": true, + "Annotation": 
"", + "Truncated": false, + "Highlighted": " - -subz", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 249, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV015", + "AVDID": "AVD-KSV-0015", + "Title": "CPU requests not specified", + "Description": "When containers have resource requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", + "Message": "Container 'nats' of StatefulSet 'devtron-nats' should set 'resources.requests.cpu'", + "Namespace": "builtin.kubernetes.KSV015", + "Query": "data.builtin.kubernetes.KSV015.deny", + "Resolution": "Set 'containers[].resources.requests.cpu'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv015", + "References": [ + "https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", + "https://avd.aquasec.com/misconfig/ksv015" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 133, + "EndLine": 208, + "Code": { + "Lines": [ + { + "Number": 133, + "Content": " - name: nats", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: nats", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 134, + "Content": " image: nats:2.9.3-alpine", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: nats:2.9.3-alpine", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 135, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + 
"Number": 136, + "Content": " resources:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mresources\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 137, + "Content": " {}", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " {}", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 138, + "Content": " ports:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mports\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 139, + "Content": " - containerPort: 4222", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m4222", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 140, + "Content": " name: client", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mname\u001b[0m: client", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 141, + "Content": " - containerPort: 7422", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m7422", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 142, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV015", + "AVDID": "AVD-KSV-0015", + "Title": "CPU requests not specified", + "Description": "When containers have resource requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", + "Message": "Container 'nats-box' of Pod 'devtron-nats-test-request-reply' should set 'resources.requests.cpu'", + "Namespace": "builtin.kubernetes.KSV015", + "Query": 
"data.builtin.kubernetes.KSV015.deny", + "Resolution": "Set 'containers[].resources.requests.cpu'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv015", + "References": [ + "https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", + "https://avd.aquasec.com/misconfig/ksv015" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 284, + "EndLine": 300, + "Code": { + "Lines": [ + { + "Number": 284, + "Content": " - name: nats-box", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: nats-box", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 285, + "Content": " image: quay.io/devtron/nats-box", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/nats-box", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 286, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 287, + "Content": " - name: NATS_HOST", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: NATS_HOST", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 288, + "Content": " value: devtron-nats", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: devtron-nats", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 289, + "Content": " command:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mcommand\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 290, + "Content": " - /bin/sh", + "IsCause": true, + "Annotation": "", + 
"Truncated": false, + "Highlighted": " - /bin/sh", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 291, + "Content": " - -ec", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - -ec", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 292, + "Content": " - |", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - |", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 293, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV015", + "AVDID": "AVD-KSV-0015", + "Title": "CPU requests not specified", + "Description": "When containers have resource requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", + "Message": "Container 'reloader' of StatefulSet 'devtron-nats' should set 'resources.requests.cpu'", + "Namespace": "builtin.kubernetes.KSV015", + "Query": "data.builtin.kubernetes.KSV015.deny", + "Resolution": "Set 'containers[].resources.requests.cpu'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv015", + "References": [ + "https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", + "https://avd.aquasec.com/misconfig/ksv015" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 216, + "EndLine": 231, + "Code": { + "Lines": [ + { + "Number": 216, + "Content": " - name: reloader", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: reloader", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 217, + "Content": " image: quay.io/devtron/nats-server-config-reloader:0.6.2", + "IsCause": true, + "Annotation": "", + 
"Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/nats-server-config-reloader:0.6.2", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 218, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 219, + "Content": " resources:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mresources\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 220, + "Content": " null", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;166mnull", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 221, + "Content": " command:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mcommand\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 222, + "Content": " - \"nats-server-config-reloader\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;37m\"nats-server-config-reloader\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 223, + "Content": " - \"-pid\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m - \u001b[38;5;37m\"-pid\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 224, + "Content": " - \"/var/run/nats/nats.pid\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m - \u001b[38;5;37m\"/var/run/nats/nats.pid\"", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 225, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV016", + 
"AVDID": "AVD-KSV-0016", + "Title": "Memory requests not specified", + "Description": "When containers have memory requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", + "Message": "Container 'metrics' of StatefulSet 'devtron-nats' should set 'resources.requests.memory'", + "Namespace": "builtin.kubernetes.KSV016", + "Query": "data.builtin.kubernetes.KSV016.deny", + "Resolution": "Set 'containers[].resources.requests.memory'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv016", + "References": [ + "https://kubesec.io/basics/containers-resources-limits-memory/", + "https://avd.aquasec.com/misconfig/ksv016" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 240, + "EndLine": 256, + "Code": { + "Lines": [ + { + "Number": 240, + "Content": " - name: metrics", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: metrics", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 241, + "Content": " image: quay.io/devtron/prometheus-nats-exporter:0.9.0", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/prometheus-nats-exporter:0.9.0", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 242, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 243, + "Content": " resources:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mresources\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 244, + "Content": " {}", + "IsCause": true, + "Annotation": "", + "Truncated": 
false, + "Highlighted": " {}", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 245, + "Content": " args:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33margs\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 246, + "Content": " - -connz", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - -connz", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 247, + "Content": " - -routez", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - -routez", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 248, + "Content": " - -subz", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - -subz", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 249, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV016", + "AVDID": "AVD-KSV-0016", + "Title": "Memory requests not specified", + "Description": "When containers have memory requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", + "Message": "Container 'nats' of StatefulSet 'devtron-nats' should set 'resources.requests.memory'", + "Namespace": "builtin.kubernetes.KSV016", + "Query": "data.builtin.kubernetes.KSV016.deny", + "Resolution": "Set 'containers[].resources.requests.memory'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv016", + "References": [ + "https://kubesec.io/basics/containers-resources-limits-memory/", + "https://avd.aquasec.com/misconfig/ksv016" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 133, + "EndLine": 208, + "Code": { + "Lines": [ + { + "Number": 133, + 
"Content": " - name: nats", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: nats", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 134, + "Content": " image: nats:2.9.3-alpine", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: nats:2.9.3-alpine", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 135, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 136, + "Content": " resources:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mresources\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 137, + "Content": " {}", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " {}", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 138, + "Content": " ports:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mports\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 139, + "Content": " - containerPort: 4222", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m4222", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 140, + "Content": " name: client", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mname\u001b[0m: client", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 141, + "Content": " - containerPort: 7422", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m7422", + "FirstCause": false, + 
"LastCause": true + }, + { + "Number": 142, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV016", + "AVDID": "AVD-KSV-0016", + "Title": "Memory requests not specified", + "Description": "When containers have memory requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", + "Message": "Container 'nats-box' of Pod 'devtron-nats-test-request-reply' should set 'resources.requests.memory'", + "Namespace": "builtin.kubernetes.KSV016", + "Query": "data.builtin.kubernetes.KSV016.deny", + "Resolution": "Set 'containers[].resources.requests.memory'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv016", + "References": [ + "https://kubesec.io/basics/containers-resources-limits-memory/", + "https://avd.aquasec.com/misconfig/ksv016" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 284, + "EndLine": 300, + "Code": { + "Lines": [ + { + "Number": 284, + "Content": " - name: nats-box", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: nats-box", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 285, + "Content": " image: quay.io/devtron/nats-box", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/nats-box", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 286, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 287, + "Content": " - name: NATS_HOST", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - 
\u001b[38;5;33mname\u001b[0m: NATS_HOST", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 288, + "Content": " value: devtron-nats", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: devtron-nats", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 289, + "Content": " command:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mcommand\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 290, + "Content": " - /bin/sh", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - /bin/sh", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 291, + "Content": " - -ec", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - -ec", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 292, + "Content": " - |", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - |", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 293, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV016", + "AVDID": "AVD-KSV-0016", + "Title": "Memory requests not specified", + "Description": "When containers have memory requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", + "Message": "Container 'reloader' of StatefulSet 'devtron-nats' should set 'resources.requests.memory'", + "Namespace": "builtin.kubernetes.KSV016", + "Query": "data.builtin.kubernetes.KSV016.deny", + "Resolution": "Set 'containers[].resources.requests.memory'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv016", + "References": [ + "https://kubesec.io/basics/containers-resources-limits-memory/", + 
"https://avd.aquasec.com/misconfig/ksv016" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 216, + "EndLine": 231, + "Code": { + "Lines": [ + { + "Number": 216, + "Content": " - name: reloader", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: reloader", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 217, + "Content": " image: quay.io/devtron/nats-server-config-reloader:0.6.2", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/nats-server-config-reloader:0.6.2", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 218, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 219, + "Content": " resources:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mresources\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 220, + "Content": " null", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;166mnull", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 221, + "Content": " command:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mcommand\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 222, + "Content": " - \"nats-server-config-reloader\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;37m\"nats-server-config-reloader\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 223, + "Content": " - \"-pid\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + 
"Highlighted": "\u001b[0m - \u001b[38;5;37m\"-pid\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 224, + "Content": " - \"/var/run/nats/nats.pid\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m - \u001b[38;5;37m\"/var/run/nats/nats.pid\"", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 225, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV018", + "AVDID": "AVD-KSV-0018", + "Title": "Memory not limited", + "Description": "Enforcing memory limits prevents DoS via resource exhaustion.", + "Message": "Container 'metrics' of StatefulSet 'devtron-nats' should set 'resources.limits.memory'", + "Namespace": "builtin.kubernetes.KSV018", + "Query": "data.builtin.kubernetes.KSV018.deny", + "Resolution": "Set a limit value under 'containers[].resources.limits.memory'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv018", + "References": [ + "https://kubesec.io/basics/containers-resources-limits-memory/", + "https://avd.aquasec.com/misconfig/ksv018" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 240, + "EndLine": 256, + "Code": { + "Lines": [ + { + "Number": 240, + "Content": " - name: metrics", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: metrics", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 241, + "Content": " image: quay.io/devtron/prometheus-nats-exporter:0.9.0", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/prometheus-nats-exporter:0.9.0", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 242, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, 
+ "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 243, + "Content": " resources:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mresources\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 244, + "Content": " {}", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " {}", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 245, + "Content": " args:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33margs\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 246, + "Content": " - -connz", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - -connz", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 247, + "Content": " - -routez", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - -routez", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 248, + "Content": " - -subz", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - -subz", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 249, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV018", + "AVDID": "AVD-KSV-0018", + "Title": "Memory not limited", + "Description": "Enforcing memory limits prevents DoS via resource exhaustion.", + "Message": "Container 'nats' of StatefulSet 'devtron-nats' should set 'resources.limits.memory'", + "Namespace": "builtin.kubernetes.KSV018", + "Query": "data.builtin.kubernetes.KSV018.deny", + "Resolution": "Set a limit value under 'containers[].resources.limits.memory'.", + "Severity": "LOW", + 
"PrimaryURL": "https://avd.aquasec.com/misconfig/ksv018", + "References": [ + "https://kubesec.io/basics/containers-resources-limits-memory/", + "https://avd.aquasec.com/misconfig/ksv018" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 133, + "EndLine": 208, + "Code": { + "Lines": [ + { + "Number": 133, + "Content": " - name: nats", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: nats", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 134, + "Content": " image: nats:2.9.3-alpine", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: nats:2.9.3-alpine", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 135, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 136, + "Content": " resources:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mresources\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 137, + "Content": " {}", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " {}", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 138, + "Content": " ports:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mports\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 139, + "Content": " - containerPort: 4222", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m4222", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 140, + "Content": " name: client", + "IsCause": true, + 
"Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mname\u001b[0m: client", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 141, + "Content": " - containerPort: 7422", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m7422", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 142, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV018", + "AVDID": "AVD-KSV-0018", + "Title": "Memory not limited", + "Description": "Enforcing memory limits prevents DoS via resource exhaustion.", + "Message": "Container 'nats-box' of Pod 'devtron-nats-test-request-reply' should set 'resources.limits.memory'", + "Namespace": "builtin.kubernetes.KSV018", + "Query": "data.builtin.kubernetes.KSV018.deny", + "Resolution": "Set a limit value under 'containers[].resources.limits.memory'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv018", + "References": [ + "https://kubesec.io/basics/containers-resources-limits-memory/", + "https://avd.aquasec.com/misconfig/ksv018" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 284, + "EndLine": 300, + "Code": { + "Lines": [ + { + "Number": 284, + "Content": " - name: nats-box", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: nats-box", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 285, + "Content": " image: quay.io/devtron/nats-box", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/nats-box", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 286, + "Content": " env:", + "IsCause": true, + 
"Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 287, + "Content": " - name: NATS_HOST", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: NATS_HOST", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 288, + "Content": " value: devtron-nats", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: devtron-nats", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 289, + "Content": " command:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mcommand\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 290, + "Content": " - /bin/sh", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - /bin/sh", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 291, + "Content": " - -ec", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - -ec", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 292, + "Content": " - |", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - |", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 293, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV018", + "AVDID": "AVD-KSV-0018", + "Title": "Memory not limited", + "Description": "Enforcing memory limits prevents DoS via resource exhaustion.", + "Message": "Container 'reloader' of StatefulSet 'devtron-nats' should set 'resources.limits.memory'", + "Namespace": "builtin.kubernetes.KSV018", + "Query": "data.builtin.kubernetes.KSV018.deny", + "Resolution": "Set a limit value under 
'containers[].resources.limits.memory'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv018", + "References": [ + "https://kubesec.io/basics/containers-resources-limits-memory/", + "https://avd.aquasec.com/misconfig/ksv018" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 216, + "EndLine": 231, + "Code": { + "Lines": [ + { + "Number": 216, + "Content": " - name: reloader", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: reloader", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 217, + "Content": " image: quay.io/devtron/nats-server-config-reloader:0.6.2", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/nats-server-config-reloader:0.6.2", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 218, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 219, + "Content": " resources:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mresources\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 220, + "Content": " null", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;166mnull", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 221, + "Content": " command:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mcommand\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 222, + "Content": " - \"nats-server-config-reloader\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - 
\u001b[38;5;37m\"nats-server-config-reloader\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 223, + "Content": " - \"-pid\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m - \u001b[38;5;37m\"-pid\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 224, + "Content": " - \"/var/run/nats/nats.pid\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m - \u001b[38;5;37m\"/var/run/nats/nats.pid\"", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 225, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV020", + "AVDID": "AVD-KSV-0020", + "Title": "Runs with UID \u003c= 10000", + "Description": "Force the container to run with user ID \u003e 10000 to avoid conflicts with the host’s user table.", + "Message": "Container 'metrics' of StatefulSet 'devtron-nats' should set 'securityContext.runAsUser' \u003e 10000", + "Namespace": "builtin.kubernetes.KSV020", + "Query": "data.builtin.kubernetes.KSV020.deny", + "Resolution": "Set 'containers[].securityContext.runAsUser' to an integer \u003e 10000.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv020", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-runasuser/", + "https://avd.aquasec.com/misconfig/ksv020" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 240, + "EndLine": 256, + "Code": { + "Lines": [ + { + "Number": 240, + "Content": " - name: metrics", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: metrics", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 241, + "Content": " image: quay.io/devtron/prometheus-nats-exporter:0.9.0", + "IsCause": 
true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/prometheus-nats-exporter:0.9.0", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 242, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 243, + "Content": " resources:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mresources\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 244, + "Content": " {}", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " {}", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 245, + "Content": " args:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33margs\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 246, + "Content": " - -connz", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - -connz", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 247, + "Content": " - -routez", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - -routez", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 248, + "Content": " - -subz", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - -subz", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 249, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV020", + "AVDID": "AVD-KSV-0020", + "Title": "Runs with UID \u003c= 10000", + "Description": "Force the container to run with user ID \u003e 10000 to avoid conflicts with the 
host’s user table.", + "Message": "Container 'nats' of StatefulSet 'devtron-nats' should set 'securityContext.runAsUser' \u003e 10000", + "Namespace": "builtin.kubernetes.KSV020", + "Query": "data.builtin.kubernetes.KSV020.deny", + "Resolution": "Set 'containers[].securityContext.runAsUser' to an integer \u003e 10000.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv020", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-runasuser/", + "https://avd.aquasec.com/misconfig/ksv020" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 133, + "EndLine": 208, + "Code": { + "Lines": [ + { + "Number": 133, + "Content": " - name: nats", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: nats", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 134, + "Content": " image: nats:2.9.3-alpine", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: nats:2.9.3-alpine", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 135, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 136, + "Content": " resources:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mresources\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 137, + "Content": " {}", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " {}", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 138, + "Content": " ports:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mports\u001b[0m:", + "FirstCause": false, + 
"LastCause": false + }, + { + "Number": 139, + "Content": " - containerPort: 4222", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m4222", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 140, + "Content": " name: client", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mname\u001b[0m: client", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 141, + "Content": " - containerPort: 7422", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m7422", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 142, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV020", + "AVDID": "AVD-KSV-0020", + "Title": "Runs with UID \u003c= 10000", + "Description": "Force the container to run with user ID \u003e 10000 to avoid conflicts with the host’s user table.", + "Message": "Container 'nats-box' of Pod 'devtron-nats-test-request-reply' should set 'securityContext.runAsUser' \u003e 10000", + "Namespace": "builtin.kubernetes.KSV020", + "Query": "data.builtin.kubernetes.KSV020.deny", + "Resolution": "Set 'containers[].securityContext.runAsUser' to an integer \u003e 10000.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv020", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-runasuser/", + "https://avd.aquasec.com/misconfig/ksv020" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 284, + "EndLine": 300, + "Code": { + "Lines": [ + { + "Number": 284, + "Content": " - name: nats-box", + "IsCause": true, + "Annotation": "", + "Truncated": false, + 
"Highlighted": " - \u001b[38;5;33mname\u001b[0m: nats-box", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 285, + "Content": " image: quay.io/devtron/nats-box", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/nats-box", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 286, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 287, + "Content": " - name: NATS_HOST", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: NATS_HOST", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 288, + "Content": " value: devtron-nats", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: devtron-nats", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 289, + "Content": " command:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mcommand\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 290, + "Content": " - /bin/sh", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - /bin/sh", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 291, + "Content": " - -ec", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - -ec", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 292, + "Content": " - |", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - |", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 293, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + 
"ID": "KSV020", + "AVDID": "AVD-KSV-0020", + "Title": "Runs with UID \u003c= 10000", + "Description": "Force the container to run with user ID \u003e 10000 to avoid conflicts with the host’s user table.", + "Message": "Container 'reloader' of StatefulSet 'devtron-nats' should set 'securityContext.runAsUser' \u003e 10000", + "Namespace": "builtin.kubernetes.KSV020", + "Query": "data.builtin.kubernetes.KSV020.deny", + "Resolution": "Set 'containers[].securityContext.runAsUser' to an integer \u003e 10000.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv020", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-runasuser/", + "https://avd.aquasec.com/misconfig/ksv020" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 216, + "EndLine": 231, + "Code": { + "Lines": [ + { + "Number": 216, + "Content": " - name: reloader", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: reloader", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 217, + "Content": " image: quay.io/devtron/nats-server-config-reloader:0.6.2", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/nats-server-config-reloader:0.6.2", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 218, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 219, + "Content": " resources:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mresources\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 220, + "Content": " null", + "IsCause": true, + "Annotation": "", + "Truncated": 
false, + "Highlighted": " \u001b[38;5;166mnull", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 221, + "Content": " command:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mcommand\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 222, + "Content": " - \"nats-server-config-reloader\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;37m\"nats-server-config-reloader\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 223, + "Content": " - \"-pid\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m - \u001b[38;5;37m\"-pid\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 224, + "Content": " - \"/var/run/nats/nats.pid\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m - \u001b[38;5;37m\"/var/run/nats/nats.pid\"", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 225, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV021", + "AVDID": "AVD-KSV-0021", + "Title": "Runs with GID \u003c= 10000", + "Description": "Force the container to run with group ID \u003e 10000 to avoid conflicts with the host’s user table.", + "Message": "Container 'metrics' of StatefulSet 'devtron-nats' should set 'securityContext.runAsGroup' \u003e 10000", + "Namespace": "builtin.kubernetes.KSV021", + "Query": "data.builtin.kubernetes.KSV021.deny", + "Resolution": "Set 'containers[].securityContext.runAsGroup' to an integer \u003e 10000.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv021", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-runasuser/", + "https://avd.aquasec.com/misconfig/ksv021" + ], + "Status": "FAIL", + 
"Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 240, + "EndLine": 256, + "Code": { + "Lines": [ + { + "Number": 240, + "Content": " - name: metrics", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: metrics", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 241, + "Content": " image: quay.io/devtron/prometheus-nats-exporter:0.9.0", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/prometheus-nats-exporter:0.9.0", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 242, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 243, + "Content": " resources:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mresources\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 244, + "Content": " {}", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " {}", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 245, + "Content": " args:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33margs\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 246, + "Content": " - -connz", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - -connz", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 247, + "Content": " - -routez", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - -routez", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 248, + "Content": " - -subz", + "IsCause": true, + "Annotation": "", + "Truncated": 
false, + "Highlighted": " - -subz", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 249, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV021", + "AVDID": "AVD-KSV-0021", + "Title": "Runs with GID \u003c= 10000", + "Description": "Force the container to run with group ID \u003e 10000 to avoid conflicts with the host’s user table.", + "Message": "Container 'nats' of StatefulSet 'devtron-nats' should set 'securityContext.runAsGroup' \u003e 10000", + "Namespace": "builtin.kubernetes.KSV021", + "Query": "data.builtin.kubernetes.KSV021.deny", + "Resolution": "Set 'containers[].securityContext.runAsGroup' to an integer \u003e 10000.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv021", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-runasuser/", + "https://avd.aquasec.com/misconfig/ksv021" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 133, + "EndLine": 208, + "Code": { + "Lines": [ + { + "Number": 133, + "Content": " - name: nats", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: nats", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 134, + "Content": " image: nats:2.9.3-alpine", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: nats:2.9.3-alpine", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 135, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 136, + "Content": " resources:", + "IsCause": true, + "Annotation": "", + 
"Truncated": false, + "Highlighted": " \u001b[38;5;33mresources\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 137, + "Content": " {}", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " {}", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 138, + "Content": " ports:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mports\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 139, + "Content": " - containerPort: 4222", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m4222", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 140, + "Content": " name: client", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mname\u001b[0m: client", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 141, + "Content": " - containerPort: 7422", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m7422", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 142, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV021", + "AVDID": "AVD-KSV-0021", + "Title": "Runs with GID \u003c= 10000", + "Description": "Force the container to run with group ID \u003e 10000 to avoid conflicts with the host’s user table.", + "Message": "Container 'nats-box' of Pod 'devtron-nats-test-request-reply' should set 'securityContext.runAsGroup' \u003e 10000", + "Namespace": "builtin.kubernetes.KSV021", + "Query": "data.builtin.kubernetes.KSV021.deny", + "Resolution": "Set 'containers[].securityContext.runAsGroup' to an integer \u003e 10000.", + "Severity": "LOW", + 
"PrimaryURL": "https://avd.aquasec.com/misconfig/ksv021", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-runasuser/", + "https://avd.aquasec.com/misconfig/ksv021" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 284, + "EndLine": 300, + "Code": { + "Lines": [ + { + "Number": 284, + "Content": " - name: nats-box", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: nats-box", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 285, + "Content": " image: quay.io/devtron/nats-box", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/nats-box", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 286, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 287, + "Content": " - name: NATS_HOST", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: NATS_HOST", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 288, + "Content": " value: devtron-nats", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: devtron-nats", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 289, + "Content": " command:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mcommand\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 290, + "Content": " - /bin/sh", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - /bin/sh", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 291, + "Content": " - -ec", + "IsCause": true, + "Annotation": "", + 
"Truncated": false, + "Highlighted": " - -ec", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 292, + "Content": " - |", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - |", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 293, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV021", + "AVDID": "AVD-KSV-0021", + "Title": "Runs with GID \u003c= 10000", + "Description": "Force the container to run with group ID \u003e 10000 to avoid conflicts with the host’s user table.", + "Message": "Container 'reloader' of StatefulSet 'devtron-nats' should set 'securityContext.runAsGroup' \u003e 10000", + "Namespace": "builtin.kubernetes.KSV021", + "Query": "data.builtin.kubernetes.KSV021.deny", + "Resolution": "Set 'containers[].securityContext.runAsGroup' to an integer \u003e 10000.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv021", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-runasuser/", + "https://avd.aquasec.com/misconfig/ksv021" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 216, + "EndLine": 231, + "Code": { + "Lines": [ + { + "Number": 216, + "Content": " - name: reloader", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: reloader", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 217, + "Content": " image: quay.io/devtron/nats-server-config-reloader:0.6.2", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/nats-server-config-reloader:0.6.2", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 218, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": 
true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 219, + "Content": " resources:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mresources\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 220, + "Content": " null", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;166mnull", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 221, + "Content": " command:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mcommand\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 222, + "Content": " - \"nats-server-config-reloader\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;37m\"nats-server-config-reloader\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 223, + "Content": " - \"-pid\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m - \u001b[38;5;37m\"-pid\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 224, + "Content": " - \"/var/run/nats/nats.pid\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m - \u001b[38;5;37m\"/var/run/nats/nats.pid\"", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 225, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV030", + "AVDID": "AVD-KSV-0030", + "Title": "Runtime/Default Seccomp profile not set", + "Description": "According to pod security standard 'Seccomp', the RuntimeDefault seccomp profile must be required, or allow specific additional profiles.", + "Message": 
"Either Pod or Container should set 'securityContext.seccompProfile.type' to 'RuntimeDefault'", + "Namespace": "builtin.kubernetes.KSV030", + "Query": "data.builtin.kubernetes.KSV030.deny", + "Resolution": "Set 'spec.securityContext.seccompProfile.type', 'spec.containers[*].securityContext.seccompProfile' and 'spec.initContainers[*].securityContext.seccompProfile' to 'RuntimeDefault' or undefined.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv030", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", + "https://avd.aquasec.com/misconfig/ksv030" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 284, + "EndLine": 300, + "Code": { + "Lines": [ + { + "Number": 284, + "Content": " - name: nats-box", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: nats-box", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 285, + "Content": " image: quay.io/devtron/nats-box", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/nats-box", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 286, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 287, + "Content": " - name: NATS_HOST", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: NATS_HOST", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 288, + "Content": " value: devtron-nats", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: devtron-nats", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 289, + "Content": " 
command:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mcommand\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 290, + "Content": " - /bin/sh", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - /bin/sh", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 291, + "Content": " - -ec", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - -ec", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 292, + "Content": " - |", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - |", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 293, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV030", + "AVDID": "AVD-KSV-0030", + "Title": "Runtime/Default Seccomp profile not set", + "Description": "According to pod security standard 'Seccomp', the RuntimeDefault seccomp profile must be required, or allow specific additional profiles.", + "Message": "Either Pod or Container should set 'securityContext.seccompProfile.type' to 'RuntimeDefault'", + "Namespace": "builtin.kubernetes.KSV030", + "Query": "data.builtin.kubernetes.KSV030.deny", + "Resolution": "Set 'spec.securityContext.seccompProfile.type', 'spec.containers[*].securityContext.seccompProfile' and 'spec.initContainers[*].securityContext.seccompProfile' to 'RuntimeDefault' or undefined.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv030", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", + "https://avd.aquasec.com/misconfig/ksv030" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 240, + "EndLine": 256, + "Code": { + 
"Lines": [ + { + "Number": 240, + "Content": " - name: metrics", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: metrics", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 241, + "Content": " image: quay.io/devtron/prometheus-nats-exporter:0.9.0", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/prometheus-nats-exporter:0.9.0", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 242, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 243, + "Content": " resources:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mresources\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 244, + "Content": " {}", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " {}", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 245, + "Content": " args:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33margs\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 246, + "Content": " - -connz", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - -connz", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 247, + "Content": " - -routez", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - -routez", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 248, + "Content": " - -subz", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - -subz", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 249, + "Content": "", + "IsCause": 
false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV030", + "AVDID": "AVD-KSV-0030", + "Title": "Runtime/Default Seccomp profile not set", + "Description": "According to pod security standard 'Seccomp', the RuntimeDefault seccomp profile must be required, or allow specific additional profiles.", + "Message": "Either Pod or Container should set 'securityContext.seccompProfile.type' to 'RuntimeDefault'", + "Namespace": "builtin.kubernetes.KSV030", + "Query": "data.builtin.kubernetes.KSV030.deny", + "Resolution": "Set 'spec.securityContext.seccompProfile.type', 'spec.containers[*].securityContext.seccompProfile' and 'spec.initContainers[*].securityContext.seccompProfile' to 'RuntimeDefault' or undefined.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv030", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", + "https://avd.aquasec.com/misconfig/ksv030" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 216, + "EndLine": 231, + "Code": { + "Lines": [ + { + "Number": 216, + "Content": " - name: reloader", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: reloader", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 217, + "Content": " image: quay.io/devtron/nats-server-config-reloader:0.6.2", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/nats-server-config-reloader:0.6.2", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 218, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + 
"LastCause": false + }, + { + "Number": 219, + "Content": " resources:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mresources\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 220, + "Content": " null", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;166mnull", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 221, + "Content": " command:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mcommand\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 222, + "Content": " - \"nats-server-config-reloader\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;37m\"nats-server-config-reloader\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 223, + "Content": " - \"-pid\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m - \u001b[38;5;37m\"-pid\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 224, + "Content": " - \"/var/run/nats/nats.pid\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m - \u001b[38;5;37m\"/var/run/nats/nats.pid\"", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 225, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV030", + "AVDID": "AVD-KSV-0030", + "Title": "Runtime/Default Seccomp profile not set", + "Description": "According to pod security standard 'Seccomp', the RuntimeDefault seccomp profile must be required, or allow specific additional profiles.", + "Message": "Either Pod or Container should set 'securityContext.seccompProfile.type' to 'RuntimeDefault'", + "Namespace": "builtin.kubernetes.KSV030", + "Query": 
"data.builtin.kubernetes.KSV030.deny", + "Resolution": "Set 'spec.securityContext.seccompProfile.type', 'spec.containers[*].securityContext.seccompProfile' and 'spec.initContainers[*].securityContext.seccompProfile' to 'RuntimeDefault' or undefined.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv030", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", + "https://avd.aquasec.com/misconfig/ksv030" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 133, + "EndLine": 208, + "Code": { + "Lines": [ + { + "Number": 133, + "Content": " - name: nats", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: nats", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 134, + "Content": " image: nats:2.9.3-alpine", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: nats:2.9.3-alpine", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 135, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 136, + "Content": " resources:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mresources\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 137, + "Content": " {}", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " {}", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 138, + "Content": " ports:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mports\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 139, + 
"Content": " - containerPort: 4222", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m4222", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 140, + "Content": " name: client", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mname\u001b[0m: client", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 141, + "Content": " - containerPort: 7422", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m7422", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 142, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV104", + "AVDID": "AVD-KSV-0104", + "Title": "Seccomp policies disabled", + "Description": "A program inside the container can bypass Seccomp protection policies.", + "Message": "container \"metrics\" of statefulset \"devtron-nats\" in \"devtroncd\" namespace should specify a seccomp profile", + "Namespace": "builtin.kubernetes.KSV104", + "Query": "data.builtin.kubernetes.KSV104.deny", + "Resolution": "Specify seccomp either by annotation or by seccomp profile type having allowed values as per pod security standards", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv104", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline", + "https://avd.aquasec.com/misconfig/ksv104" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 69, + "EndLine": 69, + "Code": { + "Lines": [ + { + "Number": 69, + "Content": "---", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m---", + 
"FirstCause": true, + "LastCause": true + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV104", + "AVDID": "AVD-KSV-0104", + "Title": "Seccomp policies disabled", + "Description": "A program inside the container can bypass Seccomp protection policies.", + "Message": "container \"nats\" of statefulset \"devtron-nats\" in \"devtroncd\" namespace should specify a seccomp profile", + "Namespace": "builtin.kubernetes.KSV104", + "Query": "data.builtin.kubernetes.KSV104.deny", + "Resolution": "Specify seccomp either by annotation or by seccomp profile type having allowed values as per pod security standards", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv104", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline", + "https://avd.aquasec.com/misconfig/ksv104" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 69, + "EndLine": 69, + "Code": { + "Lines": [ + { + "Number": 69, + "Content": "---", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m---", + "FirstCause": true, + "LastCause": true + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV104", + "AVDID": "AVD-KSV-0104", + "Title": "Seccomp policies disabled", + "Description": "A program inside the container can bypass Seccomp protection policies.", + "Message": "container \"nats-box\" of pod \"devtron-nats-test-request-reply\" in \"default\" namespace should specify a seccomp profile", + "Namespace": "builtin.kubernetes.KSV104", + "Query": "data.builtin.kubernetes.KSV104.deny", + "Resolution": "Specify seccomp either by annotation or by seccomp profile type having allowed values as per pod security standards", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv104", + "References": [ + 
"https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline", + "https://avd.aquasec.com/misconfig/ksv104" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 267, + "EndLine": 267, + "Code": { + "Lines": [ + { + "Number": 267, + "Content": "---", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "---", + "FirstCause": true, + "LastCause": true + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV104", + "AVDID": "AVD-KSV-0104", + "Title": "Seccomp policies disabled", + "Description": "A program inside the container can bypass Seccomp protection policies.", + "Message": "container \"reloader\" of statefulset \"devtron-nats\" in \"devtroncd\" namespace should specify a seccomp profile", + "Namespace": "builtin.kubernetes.KSV104", + "Query": "data.builtin.kubernetes.KSV104.deny", + "Resolution": "Specify seccomp either by annotation or by seccomp profile type having allowed values as per pod security standards", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv104", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline", + "https://avd.aquasec.com/misconfig/ksv104" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 69, + "EndLine": 69, + "Code": { + "Lines": [ + { + "Number": 69, + "Content": "---", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m---", + "FirstCause": true, + "LastCause": true + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV106", + "AVDID": "AVD-KSV-0106", + "Title": "Container capabilities must only include NET_BIND_SERVICE", + "Description": "Containers must drop ALL capabilities, and are only permitted to add back the NET_BIND_SERVICE capability.", + "Message": "container should drop all", 
+ "Namespace": "builtin.kubernetes.KSV106", + "Query": "data.builtin.kubernetes.KSV106.deny", + "Resolution": "Set 'spec.containers[*].securityContext.capabilities.drop' to 'ALL' and only add 'NET_BIND_SERVICE' to 'spec.containers[*].securityContext.capabilities.add'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv106", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", + "https://avd.aquasec.com/misconfig/ksv106" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 133, + "EndLine": 208, + "Code": { + "Lines": [ + { + "Number": 133, + "Content": " - name: nats", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: nats", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 134, + "Content": " image: nats:2.9.3-alpine", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: nats:2.9.3-alpine", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 135, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 136, + "Content": " resources:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mresources\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 137, + "Content": " {}", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " {}", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 138, + "Content": " ports:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mports\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + 
"Number": 139, + "Content": " - containerPort: 4222", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m4222", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 140, + "Content": " name: client", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mname\u001b[0m: client", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 141, + "Content": " - containerPort: 7422", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m7422", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 142, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV106", + "AVDID": "AVD-KSV-0106", + "Title": "Container capabilities must only include NET_BIND_SERVICE", + "Description": "Containers must drop ALL capabilities, and are only permitted to add back the NET_BIND_SERVICE capability.", + "Message": "container should drop all", + "Namespace": "builtin.kubernetes.KSV106", + "Query": "data.builtin.kubernetes.KSV106.deny", + "Resolution": "Set 'spec.containers[*].securityContext.capabilities.drop' to 'ALL' and only add 'NET_BIND_SERVICE' to 'spec.containers[*].securityContext.capabilities.add'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv106", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", + "https://avd.aquasec.com/misconfig/ksv106" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 216, + "EndLine": 231, + "Code": { + "Lines": [ + { + "Number": 216, + "Content": " - name: reloader", + "IsCause": true, + "Annotation": "", + 
"Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: reloader", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 217, + "Content": " image: quay.io/devtron/nats-server-config-reloader:0.6.2", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/nats-server-config-reloader:0.6.2", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 218, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 219, + "Content": " resources:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mresources\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 220, + "Content": " null", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;166mnull", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 221, + "Content": " command:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mcommand\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 222, + "Content": " - \"nats-server-config-reloader\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;37m\"nats-server-config-reloader\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 223, + "Content": " - \"-pid\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m - \u001b[38;5;37m\"-pid\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 224, + "Content": " - \"/var/run/nats/nats.pid\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m - \u001b[38;5;37m\"/var/run/nats/nats.pid\"", + 
"FirstCause": false, + "LastCause": true + }, + { + "Number": 225, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV106", + "AVDID": "AVD-KSV-0106", + "Title": "Container capabilities must only include NET_BIND_SERVICE", + "Description": "Containers must drop ALL capabilities, and are only permitted to add back the NET_BIND_SERVICE capability.", + "Message": "container should drop all", + "Namespace": "builtin.kubernetes.KSV106", + "Query": "data.builtin.kubernetes.KSV106.deny", + "Resolution": "Set 'spec.containers[*].securityContext.capabilities.drop' to 'ALL' and only add 'NET_BIND_SERVICE' to 'spec.containers[*].securityContext.capabilities.add'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv106", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", + "https://avd.aquasec.com/misconfig/ksv106" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 240, + "EndLine": 256, + "Code": { + "Lines": [ + { + "Number": 240, + "Content": " - name: metrics", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: metrics", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 241, + "Content": " image: quay.io/devtron/prometheus-nats-exporter:0.9.0", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/prometheus-nats-exporter:0.9.0", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 242, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + 
"Number": 243, + "Content": " resources:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mresources\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 244, + "Content": " {}", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " {}", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 245, + "Content": " args:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33margs\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 246, + "Content": " - -connz", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - -connz", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 247, + "Content": " - -routez", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - -routez", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 248, + "Content": " - -subz", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - -subz", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 249, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV106", + "AVDID": "AVD-KSV-0106", + "Title": "Container capabilities must only include NET_BIND_SERVICE", + "Description": "Containers must drop ALL capabilities, and are only permitted to add back the NET_BIND_SERVICE capability.", + "Message": "container should drop all", + "Namespace": "builtin.kubernetes.KSV106", + "Query": "data.builtin.kubernetes.KSV106.deny", + "Resolution": "Set 'spec.containers[*].securityContext.capabilities.drop' to 'ALL' and only add 'NET_BIND_SERVICE' to 'spec.containers[*].securityContext.capabilities.add'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv106", + 
"References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", + "https://avd.aquasec.com/misconfig/ksv106" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 284, + "EndLine": 300, + "Code": { + "Lines": [ + { + "Number": 284, + "Content": " - name: nats-box", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: nats-box", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 285, + "Content": " image: quay.io/devtron/nats-box", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/nats-box", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 286, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 287, + "Content": " - name: NATS_HOST", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: NATS_HOST", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 288, + "Content": " value: devtron-nats", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: devtron-nats", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 289, + "Content": " command:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mcommand\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 290, + "Content": " - /bin/sh", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - /bin/sh", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 291, + "Content": " - -ec", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - 
-ec", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 292, + "Content": " - |", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - |", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 293, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + } + ] + }, + { + "Target": "manifests/yamls/nats-streaming.yaml", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 153, + "Failures": 27, + "Exceptions": 0 + }, + "Misconfigurations": [ + { + "Type": "Kubernetes Security Check", + "ID": "KSV001", + "AVDID": "AVD-KSV-0001", + "Title": "Can elevate its own privileges", + "Description": "A program inside the container can elevate its own privileges and run as root, which might give the program control over the container and node.", + "Message": "Container 'metrics' of StatefulSet 'devtron-stan' should set 'securityContext.allowPrivilegeEscalation' to false", + "Namespace": "builtin.kubernetes.KSV001", + "Query": "data.builtin.kubernetes.KSV001.deny", + "Resolution": "Set 'set containers[].securityContext.allowPrivilegeEscalation' to 'false'.", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv001", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", + "https://avd.aquasec.com/misconfig/ksv001" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 170, + "EndLine": 182, + "Code": { + "Lines": [ + { + "Number": 170, + "Content": " - name: metrics", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: metrics", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 171, + "Content": " image: quay.io/devtron/prometheus-nats-exporter:latest", + "IsCause": true, + "Annotation": "", 
+ "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/prometheus-nats-exporter:latest", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 172, + "Content": " args:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33margs\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 173, + "Content": " - -connz", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - -connz", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 174, + "Content": " - -routez", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - -routez", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 175, + "Content": " - -subz", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - -subz", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 176, + "Content": " - -varz", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - -varz", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 177, + "Content": " - -channelz", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - -channelz", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 178, + "Content": " - -serverz", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - -serverz", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 179, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV001", + "AVDID": "AVD-KSV-0001", + "Title": "Can elevate its own privileges", + "Description": "A program inside the container can elevate its own privileges and run as root, which might give the program control over the container and node.", + "Message": "Container 'stan' 
of StatefulSet 'devtron-stan' should set 'securityContext.allowPrivilegeEscalation' to false", + "Namespace": "builtin.kubernetes.KSV001", + "Query": "data.builtin.kubernetes.KSV001.deny", + "Resolution": "Set 'set containers[].securityContext.allowPrivilegeEscalation' to 'false'.", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv001", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", + "https://avd.aquasec.com/misconfig/ksv001" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 127, + "EndLine": 164, + "Code": { + "Lines": [ + { + "Number": 127, + "Content": " - name: stan", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: stan", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 128, + "Content": " image: quay.io/devtron/nats-streaming:0.23.0", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/nats-streaming:0.23.0", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 129, + "Content": " args:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33margs\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 130, + "Content": " - -sc", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - -sc", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 131, + "Content": " - /etc/stan-config/stan.conf", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - /etc/stan-config/stan.conf", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 132, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + 
"LastCause": false + }, + { + "Number": 133, + "Content": " - name: POD_NAME", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: POD_NAME", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 134, + "Content": " valueFrom:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalueFrom\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 135, + "Content": " fieldRef:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mfieldRef\u001b[0m:", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 136, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV003", + "AVDID": "AVD-KSV-0003", + "Title": "Default capabilities: some containers do not drop all", + "Description": "The container should drop all default capabilities and add only those that are needed for its execution.", + "Message": "Container 'metrics' of StatefulSet 'devtron-stan' should add 'ALL' to 'securityContext.capabilities.drop'", + "Namespace": "builtin.kubernetes.KSV003", + "Query": "data.builtin.kubernetes.KSV003.deny", + "Resolution": "Add 'ALL' to containers[].securityContext.capabilities.drop.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv003", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-capabilities-drop-index-all/", + "https://avd.aquasec.com/misconfig/ksv003" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 170, + "EndLine": 182, + "Code": { + "Lines": [ + { + "Number": 170, + "Content": " - name: metrics", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m - 
\u001b[38;5;33mname\u001b[0m: metrics", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 171, + "Content": " image: quay.io/devtron/prometheus-nats-exporter:latest", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/prometheus-nats-exporter:latest", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 172, + "Content": " args:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33margs\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 173, + "Content": " - -connz", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - -connz", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 174, + "Content": " - -routez", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - -routez", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 175, + "Content": " - -subz", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - -subz", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 176, + "Content": " - -varz", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - -varz", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 177, + "Content": " - -channelz", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - -channelz", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 178, + "Content": " - -serverz", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - -serverz", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 179, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV003", + "AVDID": "AVD-KSV-0003", + "Title": "Default 
capabilities: some containers do not drop all", + "Description": "The container should drop all default capabilities and add only those that are needed for its execution.", + "Message": "Container 'stan' of StatefulSet 'devtron-stan' should add 'ALL' to 'securityContext.capabilities.drop'", + "Namespace": "builtin.kubernetes.KSV003", + "Query": "data.builtin.kubernetes.KSV003.deny", + "Resolution": "Add 'ALL' to containers[].securityContext.capabilities.drop.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv003", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-capabilities-drop-index-all/", + "https://avd.aquasec.com/misconfig/ksv003" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 127, + "EndLine": 164, + "Code": { + "Lines": [ + { + "Number": 127, + "Content": " - name: stan", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: stan", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 128, + "Content": " image: quay.io/devtron/nats-streaming:0.23.0", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/nats-streaming:0.23.0", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 129, + "Content": " args:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33margs\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 130, + "Content": " - -sc", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - -sc", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 131, + "Content": " - /etc/stan-config/stan.conf", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - /etc/stan-config/stan.conf", + "FirstCause": false, + "LastCause": false + }, + { 
+ "Number": 132, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 133, + "Content": " - name: POD_NAME", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: POD_NAME", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 134, + "Content": " valueFrom:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalueFrom\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 135, + "Content": " fieldRef:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mfieldRef\u001b[0m:", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 136, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV011", + "AVDID": "AVD-KSV-0011", + "Title": "CPU not limited", + "Description": "Enforcing CPU limits prevents DoS via resource exhaustion.", + "Message": "Container 'metrics' of StatefulSet 'devtron-stan' should set 'resources.limits.cpu'", + "Namespace": "builtin.kubernetes.KSV011", + "Query": "data.builtin.kubernetes.KSV011.deny", + "Resolution": "Set a limit value under 'containers[].resources.limits.cpu'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv011", + "References": [ + "https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", + "https://avd.aquasec.com/misconfig/ksv011" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 170, + "EndLine": 182, + "Code": { + "Lines": [ + { + "Number": 170, + "Content": " - name: metrics", + "IsCause": 
true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: metrics", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 171, + "Content": " image: quay.io/devtron/prometheus-nats-exporter:latest", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/prometheus-nats-exporter:latest", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 172, + "Content": " args:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33margs\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 173, + "Content": " - -connz", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - -connz", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 174, + "Content": " - -routez", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - -routez", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 175, + "Content": " - -subz", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - -subz", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 176, + "Content": " - -varz", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - -varz", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 177, + "Content": " - -channelz", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - -channelz", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 178, + "Content": " - -serverz", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - -serverz", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 179, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes 
Security Check", + "ID": "KSV011", + "AVDID": "AVD-KSV-0011", + "Title": "CPU not limited", + "Description": "Enforcing CPU limits prevents DoS via resource exhaustion.", + "Message": "Container 'stan' of StatefulSet 'devtron-stan' should set 'resources.limits.cpu'", + "Namespace": "builtin.kubernetes.KSV011", + "Query": "data.builtin.kubernetes.KSV011.deny", + "Resolution": "Set a limit value under 'containers[].resources.limits.cpu'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv011", + "References": [ + "https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", + "https://avd.aquasec.com/misconfig/ksv011" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 127, + "EndLine": 164, + "Code": { + "Lines": [ + { + "Number": 127, + "Content": " - name: stan", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: stan", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 128, + "Content": " image: quay.io/devtron/nats-streaming:0.23.0", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/nats-streaming:0.23.0", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 129, + "Content": " args:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33margs\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 130, + "Content": " - -sc", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - -sc", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 131, + "Content": " - /etc/stan-config/stan.conf", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - /etc/stan-config/stan.conf", + "FirstCause": false, + "LastCause": 
false + }, + { + "Number": 132, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 133, + "Content": " - name: POD_NAME", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: POD_NAME", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 134, + "Content": " valueFrom:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalueFrom\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 135, + "Content": " fieldRef:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mfieldRef\u001b[0m:", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 136, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV012", + "AVDID": "AVD-KSV-0012", + "Title": "Runs as root user", + "Description": "Force the running image to run as a non-root user to ensure least privileges.", + "Message": "Container 'metrics' of StatefulSet 'devtron-stan' should set 'securityContext.runAsNonRoot' to true", + "Namespace": "builtin.kubernetes.KSV012", + "Query": "data.builtin.kubernetes.KSV012.deny", + "Resolution": "Set 'containers[].securityContext.runAsNonRoot' to true.", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv012", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", + "https://avd.aquasec.com/misconfig/ksv012" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 170, + "EndLine": 182, + "Code": { + "Lines": [ + { + "Number": 170, + "Content": " - name: metrics", + 
"IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: metrics", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 171, + "Content": " image: quay.io/devtron/prometheus-nats-exporter:latest", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/prometheus-nats-exporter:latest", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 172, + "Content": " args:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33margs\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 173, + "Content": " - -connz", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - -connz", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 174, + "Content": " - -routez", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - -routez", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 175, + "Content": " - -subz", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - -subz", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 176, + "Content": " - -varz", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - -varz", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 177, + "Content": " - -channelz", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - -channelz", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 178, + "Content": " - -serverz", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - -serverz", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 179, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": 
"Kubernetes Security Check", + "ID": "KSV012", + "AVDID": "AVD-KSV-0012", + "Title": "Runs as root user", + "Description": "Force the running image to run as a non-root user to ensure least privileges.", + "Message": "Container 'stan' of StatefulSet 'devtron-stan' should set 'securityContext.runAsNonRoot' to true", + "Namespace": "builtin.kubernetes.KSV012", + "Query": "data.builtin.kubernetes.KSV012.deny", + "Resolution": "Set 'containers[].securityContext.runAsNonRoot' to true.", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv012", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", + "https://avd.aquasec.com/misconfig/ksv012" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 127, + "EndLine": 164, + "Code": { + "Lines": [ + { + "Number": 127, + "Content": " - name: stan", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: stan", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 128, + "Content": " image: quay.io/devtron/nats-streaming:0.23.0", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/nats-streaming:0.23.0", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 129, + "Content": " args:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33margs\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 130, + "Content": " - -sc", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - -sc", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 131, + "Content": " - /etc/stan-config/stan.conf", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - /etc/stan-config/stan.conf", + "FirstCause": false, + 
"LastCause": false + }, + { + "Number": 132, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 133, + "Content": " - name: POD_NAME", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: POD_NAME", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 134, + "Content": " valueFrom:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalueFrom\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 135, + "Content": " fieldRef:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mfieldRef\u001b[0m:", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 136, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV013", + "AVDID": "AVD-KSV-0013", + "Title": "Image tag \":latest\" used", + "Description": "It is best to avoid using the ':latest' image tag when deploying containers in production. 
Doing so makes it hard to track which version of the image is running, and hard to roll back the version.", + "Message": "Container 'metrics' of StatefulSet 'devtron-stan' should specify an image tag", + "Namespace": "builtin.kubernetes.KSV013", + "Query": "data.builtin.kubernetes.KSV013.deny", + "Resolution": "Use a specific container image tag that is not 'latest'.", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv013", + "References": [ + "https://kubernetes.io/docs/concepts/configuration/overview/#container-images", + "https://avd.aquasec.com/misconfig/ksv013" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 170, + "EndLine": 182, + "Code": { + "Lines": [ + { + "Number": 170, + "Content": " - name: metrics", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: metrics", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 171, + "Content": " image: quay.io/devtron/prometheus-nats-exporter:latest", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/prometheus-nats-exporter:latest", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 172, + "Content": " args:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33margs\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 173, + "Content": " - -connz", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - -connz", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 174, + "Content": " - -routez", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - -routez", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 175, + "Content": " - -subz", + "IsCause": true, + "Annotation": "", + "Truncated": 
false, + "Highlighted": " - -subz", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 176, + "Content": " - -varz", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - -varz", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 177, + "Content": " - -channelz", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - -channelz", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 178, + "Content": " - -serverz", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - -serverz", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 179, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV014", + "AVDID": "AVD-KSV-0014", + "Title": "Root file system is not read-only", + "Description": "An immutable root file system prevents applications from writing to their local disk. 
This can limit intrusions, as attackers will not be able to tamper with the file system or write foreign executables to disk.", + "Message": "Container 'metrics' of StatefulSet 'devtron-stan' should set 'securityContext.readOnlyRootFilesystem' to true", + "Namespace": "builtin.kubernetes.KSV014", + "Query": "data.builtin.kubernetes.KSV014.deny", + "Resolution": "Change 'containers[].securityContext.readOnlyRootFilesystem' to 'true'.", + "Severity": "HIGH", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv014", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-readonlyrootfilesystem-true/", + "https://avd.aquasec.com/misconfig/ksv014" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 170, + "EndLine": 182, + "Code": { + "Lines": [ + { + "Number": 170, + "Content": " - name: metrics", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: metrics", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 171, + "Content": " image: quay.io/devtron/prometheus-nats-exporter:latest", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/prometheus-nats-exporter:latest", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 172, + "Content": " args:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33margs\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 173, + "Content": " - -connz", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - -connz", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 174, + "Content": " - -routez", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - -routez", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 175, + "Content": " 
- -subz", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - -subz", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 176, + "Content": " - -varz", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - -varz", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 177, + "Content": " - -channelz", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - -channelz", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 178, + "Content": " - -serverz", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - -serverz", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 179, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV014", + "AVDID": "AVD-KSV-0014", + "Title": "Root file system is not read-only", + "Description": "An immutable root file system prevents applications from writing to their local disk. 
This can limit intrusions, as attackers will not be able to tamper with the file system or write foreign executables to disk.", + "Message": "Container 'stan' of StatefulSet 'devtron-stan' should set 'securityContext.readOnlyRootFilesystem' to true", + "Namespace": "builtin.kubernetes.KSV014", + "Query": "data.builtin.kubernetes.KSV014.deny", + "Resolution": "Change 'containers[].securityContext.readOnlyRootFilesystem' to 'true'.", + "Severity": "HIGH", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv014", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-readonlyrootfilesystem-true/", + "https://avd.aquasec.com/misconfig/ksv014" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 127, + "EndLine": 164, + "Code": { + "Lines": [ + { + "Number": 127, + "Content": " - name: stan", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: stan", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 128, + "Content": " image: quay.io/devtron/nats-streaming:0.23.0", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/nats-streaming:0.23.0", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 129, + "Content": " args:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33margs\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 130, + "Content": " - -sc", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - -sc", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 131, + "Content": " - /etc/stan-config/stan.conf", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - /etc/stan-config/stan.conf", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 132, + 
"Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 133, + "Content": " - name: POD_NAME", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: POD_NAME", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 134, + "Content": " valueFrom:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalueFrom\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 135, + "Content": " fieldRef:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mfieldRef\u001b[0m:", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 136, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV015", + "AVDID": "AVD-KSV-0015", + "Title": "CPU requests not specified", + "Description": "When containers have resource requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", + "Message": "Container 'metrics' of StatefulSet 'devtron-stan' should set 'resources.requests.cpu'", + "Namespace": "builtin.kubernetes.KSV015", + "Query": "data.builtin.kubernetes.KSV015.deny", + "Resolution": "Set 'containers[].resources.requests.cpu'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv015", + "References": [ + "https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", + "https://avd.aquasec.com/misconfig/ksv015" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 170, + "EndLine": 182, + "Code": 
{ + "Lines": [ + { + "Number": 170, + "Content": " - name: metrics", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: metrics", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 171, + "Content": " image: quay.io/devtron/prometheus-nats-exporter:latest", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/prometheus-nats-exporter:latest", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 172, + "Content": " args:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33margs\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 173, + "Content": " - -connz", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - -connz", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 174, + "Content": " - -routez", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - -routez", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 175, + "Content": " - -subz", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - -subz", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 176, + "Content": " - -varz", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - -varz", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 177, + "Content": " - -channelz", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - -channelz", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 178, + "Content": " - -serverz", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - -serverz", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 179, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": 
false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV015", + "AVDID": "AVD-KSV-0015", + "Title": "CPU requests not specified", + "Description": "When containers have resource requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", + "Message": "Container 'stan' of StatefulSet 'devtron-stan' should set 'resources.requests.cpu'", + "Namespace": "builtin.kubernetes.KSV015", + "Query": "data.builtin.kubernetes.KSV015.deny", + "Resolution": "Set 'containers[].resources.requests.cpu'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv015", + "References": [ + "https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", + "https://avd.aquasec.com/misconfig/ksv015" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 127, + "EndLine": 164, + "Code": { + "Lines": [ + { + "Number": 127, + "Content": " - name: stan", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: stan", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 128, + "Content": " image: quay.io/devtron/nats-streaming:0.23.0", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/nats-streaming:0.23.0", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 129, + "Content": " args:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33margs\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 130, + "Content": " - -sc", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - -sc", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 131, + "Content": " - 
/etc/stan-config/stan.conf", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - /etc/stan-config/stan.conf", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 132, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 133, + "Content": " - name: POD_NAME", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: POD_NAME", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 134, + "Content": " valueFrom:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalueFrom\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 135, + "Content": " fieldRef:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mfieldRef\u001b[0m:", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 136, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV016", + "AVDID": "AVD-KSV-0016", + "Title": "Memory requests not specified", + "Description": "When containers have memory requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", + "Message": "Container 'metrics' of StatefulSet 'devtron-stan' should set 'resources.requests.memory'", + "Namespace": "builtin.kubernetes.KSV016", + "Query": "data.builtin.kubernetes.KSV016.deny", + "Resolution": "Set 'containers[].resources.requests.memory'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv016", + "References": [ + "https://kubesec.io/basics/containers-resources-limits-memory/", + 
"https://avd.aquasec.com/misconfig/ksv016" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 170, + "EndLine": 182, + "Code": { + "Lines": [ + { + "Number": 170, + "Content": " - name: metrics", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: metrics", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 171, + "Content": " image: quay.io/devtron/prometheus-nats-exporter:latest", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/prometheus-nats-exporter:latest", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 172, + "Content": " args:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33margs\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 173, + "Content": " - -connz", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - -connz", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 174, + "Content": " - -routez", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - -routez", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 175, + "Content": " - -subz", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - -subz", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 176, + "Content": " - -varz", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - -varz", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 177, + "Content": " - -channelz", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - -channelz", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 178, + "Content": " - -serverz", + "IsCause": true, + "Annotation": "", + 
"Truncated": false, + "Highlighted": " - -serverz", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 179, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV016", + "AVDID": "AVD-KSV-0016", + "Title": "Memory requests not specified", + "Description": "When containers have memory requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", + "Message": "Container 'stan' of StatefulSet 'devtron-stan' should set 'resources.requests.memory'", + "Namespace": "builtin.kubernetes.KSV016", + "Query": "data.builtin.kubernetes.KSV016.deny", + "Resolution": "Set 'containers[].resources.requests.memory'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv016", + "References": [ + "https://kubesec.io/basics/containers-resources-limits-memory/", + "https://avd.aquasec.com/misconfig/ksv016" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 127, + "EndLine": 164, + "Code": { + "Lines": [ + { + "Number": 127, + "Content": " - name: stan", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: stan", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 128, + "Content": " image: quay.io/devtron/nats-streaming:0.23.0", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/nats-streaming:0.23.0", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 129, + "Content": " args:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33margs\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 130, + "Content": " - -sc", + 
"IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - -sc", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 131, + "Content": " - /etc/stan-config/stan.conf", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - /etc/stan-config/stan.conf", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 132, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 133, + "Content": " - name: POD_NAME", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: POD_NAME", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 134, + "Content": " valueFrom:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalueFrom\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 135, + "Content": " fieldRef:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mfieldRef\u001b[0m:", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 136, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV018", + "AVDID": "AVD-KSV-0018", + "Title": "Memory not limited", + "Description": "Enforcing memory limits prevents DoS via resource exhaustion.", + "Message": "Container 'metrics' of StatefulSet 'devtron-stan' should set 'resources.limits.memory'", + "Namespace": "builtin.kubernetes.KSV018", + "Query": "data.builtin.kubernetes.KSV018.deny", + "Resolution": "Set a limit value under 'containers[].resources.limits.memory'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv018", + "References": [ + 
"https://kubesec.io/basics/containers-resources-limits-memory/", + "https://avd.aquasec.com/misconfig/ksv018" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 170, + "EndLine": 182, + "Code": { + "Lines": [ + { + "Number": 170, + "Content": " - name: metrics", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: metrics", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 171, + "Content": " image: quay.io/devtron/prometheus-nats-exporter:latest", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/prometheus-nats-exporter:latest", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 172, + "Content": " args:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33margs\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 173, + "Content": " - -connz", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - -connz", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 174, + "Content": " - -routez", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - -routez", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 175, + "Content": " - -subz", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - -subz", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 176, + "Content": " - -varz", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - -varz", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 177, + "Content": " - -channelz", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - -channelz", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 178, + "Content": 
" - -serverz", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - -serverz", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 179, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV018", + "AVDID": "AVD-KSV-0018", + "Title": "Memory not limited", + "Description": "Enforcing memory limits prevents DoS via resource exhaustion.", + "Message": "Container 'stan' of StatefulSet 'devtron-stan' should set 'resources.limits.memory'", + "Namespace": "builtin.kubernetes.KSV018", + "Query": "data.builtin.kubernetes.KSV018.deny", + "Resolution": "Set a limit value under 'containers[].resources.limits.memory'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv018", + "References": [ + "https://kubesec.io/basics/containers-resources-limits-memory/", + "https://avd.aquasec.com/misconfig/ksv018" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 127, + "EndLine": 164, + "Code": { + "Lines": [ + { + "Number": 127, + "Content": " - name: stan", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: stan", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 128, + "Content": " image: quay.io/devtron/nats-streaming:0.23.0", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/nats-streaming:0.23.0", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 129, + "Content": " args:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33margs\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 130, + "Content": " - -sc", + "IsCause": true, + "Annotation": "", + "Truncated": 
false, + "Highlighted": " - -sc", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 131, + "Content": " - /etc/stan-config/stan.conf", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - /etc/stan-config/stan.conf", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 132, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 133, + "Content": " - name: POD_NAME", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: POD_NAME", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 134, + "Content": " valueFrom:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalueFrom\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 135, + "Content": " fieldRef:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mfieldRef\u001b[0m:", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 136, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV020", + "AVDID": "AVD-KSV-0020", + "Title": "Runs with UID \u003c= 10000", + "Description": "Force the container to run with user ID \u003e 10000 to avoid conflicts with the host’s user table.", + "Message": "Container 'metrics' of StatefulSet 'devtron-stan' should set 'securityContext.runAsUser' \u003e 10000", + "Namespace": "builtin.kubernetes.KSV020", + "Query": "data.builtin.kubernetes.KSV020.deny", + "Resolution": "Set 'containers[].securityContext.runAsUser' to an integer \u003e 10000.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv020", + "References": [ + 
"https://kubesec.io/basics/containers-securitycontext-runasuser/", + "https://avd.aquasec.com/misconfig/ksv020" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 170, + "EndLine": 182, + "Code": { + "Lines": [ + { + "Number": 170, + "Content": " - name: metrics", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: metrics", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 171, + "Content": " image: quay.io/devtron/prometheus-nats-exporter:latest", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/prometheus-nats-exporter:latest", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 172, + "Content": " args:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33margs\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 173, + "Content": " - -connz", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - -connz", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 174, + "Content": " - -routez", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - -routez", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 175, + "Content": " - -subz", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - -subz", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 176, + "Content": " - -varz", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - -varz", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 177, + "Content": " - -channelz", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - -channelz", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 178, + 
"Content": " - -serverz", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - -serverz", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 179, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV020", + "AVDID": "AVD-KSV-0020", + "Title": "Runs with UID \u003c= 10000", + "Description": "Force the container to run with user ID \u003e 10000 to avoid conflicts with the host’s user table.", + "Message": "Container 'stan' of StatefulSet 'devtron-stan' should set 'securityContext.runAsUser' \u003e 10000", + "Namespace": "builtin.kubernetes.KSV020", + "Query": "data.builtin.kubernetes.KSV020.deny", + "Resolution": "Set 'containers[].securityContext.runAsUser' to an integer \u003e 10000.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv020", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-runasuser/", + "https://avd.aquasec.com/misconfig/ksv020" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 127, + "EndLine": 164, + "Code": { + "Lines": [ + { + "Number": 127, + "Content": " - name: stan", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: stan", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 128, + "Content": " image: quay.io/devtron/nats-streaming:0.23.0", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/nats-streaming:0.23.0", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 129, + "Content": " args:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33margs\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + 
"Number": 130, + "Content": " - -sc", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - -sc", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 131, + "Content": " - /etc/stan-config/stan.conf", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - /etc/stan-config/stan.conf", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 132, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 133, + "Content": " - name: POD_NAME", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: POD_NAME", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 134, + "Content": " valueFrom:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalueFrom\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 135, + "Content": " fieldRef:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mfieldRef\u001b[0m:", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 136, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV021", + "AVDID": "AVD-KSV-0021", + "Title": "Runs with GID \u003c= 10000", + "Description": "Force the container to run with group ID \u003e 10000 to avoid conflicts with the host’s user table.", + "Message": "Container 'metrics' of StatefulSet 'devtron-stan' should set 'securityContext.runAsGroup' \u003e 10000", + "Namespace": "builtin.kubernetes.KSV021", + "Query": "data.builtin.kubernetes.KSV021.deny", + "Resolution": "Set 'containers[].securityContext.runAsGroup' to an integer \u003e 10000.", + "Severity": 
"LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv021", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-runasuser/", + "https://avd.aquasec.com/misconfig/ksv021" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 170, + "EndLine": 182, + "Code": { + "Lines": [ + { + "Number": 170, + "Content": " - name: metrics", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: metrics", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 171, + "Content": " image: quay.io/devtron/prometheus-nats-exporter:latest", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/prometheus-nats-exporter:latest", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 172, + "Content": " args:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33margs\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 173, + "Content": " - -connz", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - -connz", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 174, + "Content": " - -routez", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - -routez", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 175, + "Content": " - -subz", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - -subz", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 176, + "Content": " - -varz", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - -varz", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 177, + "Content": " - -channelz", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - 
-channelz", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 178, + "Content": " - -serverz", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - -serverz", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 179, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV021", + "AVDID": "AVD-KSV-0021", + "Title": "Runs with GID \u003c= 10000", + "Description": "Force the container to run with group ID \u003e 10000 to avoid conflicts with the host’s user table.", + "Message": "Container 'stan' of StatefulSet 'devtron-stan' should set 'securityContext.runAsGroup' \u003e 10000", + "Namespace": "builtin.kubernetes.KSV021", + "Query": "data.builtin.kubernetes.KSV021.deny", + "Resolution": "Set 'containers[].securityContext.runAsGroup' to an integer \u003e 10000.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv021", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-runasuser/", + "https://avd.aquasec.com/misconfig/ksv021" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 127, + "EndLine": 164, + "Code": { + "Lines": [ + { + "Number": 127, + "Content": " - name: stan", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: stan", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 128, + "Content": " image: quay.io/devtron/nats-streaming:0.23.0", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/nats-streaming:0.23.0", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 129, + "Content": " args:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " 
\u001b[38;5;33margs\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 130, + "Content": " - -sc", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - -sc", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 131, + "Content": " - /etc/stan-config/stan.conf", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - /etc/stan-config/stan.conf", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 132, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 133, + "Content": " - name: POD_NAME", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: POD_NAME", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 134, + "Content": " valueFrom:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalueFrom\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 135, + "Content": " fieldRef:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mfieldRef\u001b[0m:", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 136, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV030", + "AVDID": "AVD-KSV-0030", + "Title": "Runtime/Default Seccomp profile not set", + "Description": "According to pod security standard 'Seccomp', the RuntimeDefault seccomp profile must be required, or allow specific additional profiles.", + "Message": "Either Pod or Container should set 'securityContext.seccompProfile.type' to 'RuntimeDefault'", + "Namespace": "builtin.kubernetes.KSV030", + "Query": 
"data.builtin.kubernetes.KSV030.deny", + "Resolution": "Set 'spec.securityContext.seccompProfile.type', 'spec.containers[*].securityContext.seccompProfile' and 'spec.initContainers[*].securityContext.seccompProfile' to 'RuntimeDefault' or undefined.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv030", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", + "https://avd.aquasec.com/misconfig/ksv030" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 127, + "EndLine": 164, + "Code": { + "Lines": [ + { + "Number": 127, + "Content": " - name: stan", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: stan", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 128, + "Content": " image: quay.io/devtron/nats-streaming:0.23.0", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/nats-streaming:0.23.0", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 129, + "Content": " args:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33margs\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 130, + "Content": " - -sc", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - -sc", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 131, + "Content": " - /etc/stan-config/stan.conf", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - /etc/stan-config/stan.conf", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 132, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 
133, + "Content": " - name: POD_NAME", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: POD_NAME", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 134, + "Content": " valueFrom:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalueFrom\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 135, + "Content": " fieldRef:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mfieldRef\u001b[0m:", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 136, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV030", + "AVDID": "AVD-KSV-0030", + "Title": "Runtime/Default Seccomp profile not set", + "Description": "According to pod security standard 'Seccomp', the RuntimeDefault seccomp profile must be required, or allow specific additional profiles.", + "Message": "Either Pod or Container should set 'securityContext.seccompProfile.type' to 'RuntimeDefault'", + "Namespace": "builtin.kubernetes.KSV030", + "Query": "data.builtin.kubernetes.KSV030.deny", + "Resolution": "Set 'spec.securityContext.seccompProfile.type', 'spec.containers[*].securityContext.seccompProfile' and 'spec.initContainers[*].securityContext.seccompProfile' to 'RuntimeDefault' or undefined.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv030", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", + "https://avd.aquasec.com/misconfig/ksv030" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 170, + "EndLine": 182, + "Code": { + "Lines": [ + { + "Number": 170, + "Content": " - name: metrics", + "IsCause": true, + 
"Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: metrics", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 171, + "Content": " image: quay.io/devtron/prometheus-nats-exporter:latest", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/prometheus-nats-exporter:latest", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 172, + "Content": " args:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33margs\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 173, + "Content": " - -connz", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - -connz", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 174, + "Content": " - -routez", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - -routez", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 175, + "Content": " - -subz", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - -subz", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 176, + "Content": " - -varz", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - -varz", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 177, + "Content": " - -channelz", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - -channelz", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 178, + "Content": " - -serverz", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - -serverz", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 179, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security 
Check", + "ID": "KSV104", + "AVDID": "AVD-KSV-0104", + "Title": "Seccomp policies disabled", + "Description": "A program inside the container can bypass Seccomp protection policies.", + "Message": "container \"metrics\" of statefulset \"devtron-stan\" in \"default\" namespace should specify a seccomp profile", + "Namespace": "builtin.kubernetes.KSV104", + "Query": "data.builtin.kubernetes.KSV104.deny", + "Resolution": "Specify seccomp either by annotation or by seccomp profile type having allowed values as per pod security standards", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv104", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline", + "https://avd.aquasec.com/misconfig/ksv104" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 63, + "EndLine": 63, + "Code": { + "Lines": [ + { + "Number": 63, + "Content": "---", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m---", + "FirstCause": true, + "LastCause": true + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV104", + "AVDID": "AVD-KSV-0104", + "Title": "Seccomp policies disabled", + "Description": "A program inside the container can bypass Seccomp protection policies.", + "Message": "container \"stan\" of statefulset \"devtron-stan\" in \"default\" namespace should specify a seccomp profile", + "Namespace": "builtin.kubernetes.KSV104", + "Query": "data.builtin.kubernetes.KSV104.deny", + "Resolution": "Specify seccomp either by annotation or by seccomp profile type having allowed values as per pod security standards", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv104", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline", + "https://avd.aquasec.com/misconfig/ksv104" + ], + "Status": "FAIL", + "Layer": {}, + 
"CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 63, + "EndLine": 63, + "Code": { + "Lines": [ + { + "Number": 63, + "Content": "---", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m---", + "FirstCause": true, + "LastCause": true + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV106", + "AVDID": "AVD-KSV-0106", + "Title": "Container capabilities must only include NET_BIND_SERVICE", + "Description": "Containers must drop ALL capabilities, and are only permitted to add back the NET_BIND_SERVICE capability.", + "Message": "container should drop all", + "Namespace": "builtin.kubernetes.KSV106", + "Query": "data.builtin.kubernetes.KSV106.deny", + "Resolution": "Set 'spec.containers[*].securityContext.capabilities.drop' to 'ALL' and only add 'NET_BIND_SERVICE' to 'spec.containers[*].securityContext.capabilities.add'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv106", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", + "https://avd.aquasec.com/misconfig/ksv106" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 127, + "EndLine": 164, + "Code": { + "Lines": [ + { + "Number": 127, + "Content": " - name: stan", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: stan", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 128, + "Content": " image: quay.io/devtron/nats-streaming:0.23.0", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/nats-streaming:0.23.0", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 129, + "Content": " args:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33margs\u001b[0m:", 
+ "FirstCause": false, + "LastCause": false + }, + { + "Number": 130, + "Content": " - -sc", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - -sc", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 131, + "Content": " - /etc/stan-config/stan.conf", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - /etc/stan-config/stan.conf", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 132, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 133, + "Content": " - name: POD_NAME", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: POD_NAME", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 134, + "Content": " valueFrom:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalueFrom\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 135, + "Content": " fieldRef:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mfieldRef\u001b[0m:", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 136, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV106", + "AVDID": "AVD-KSV-0106", + "Title": "Container capabilities must only include NET_BIND_SERVICE", + "Description": "Containers must drop ALL capabilities, and are only permitted to add back the NET_BIND_SERVICE capability.", + "Message": "container should drop all", + "Namespace": "builtin.kubernetes.KSV106", + "Query": "data.builtin.kubernetes.KSV106.deny", + "Resolution": "Set 'spec.containers[*].securityContext.capabilities.drop' to 'ALL' and only add 
'NET_BIND_SERVICE' to 'spec.containers[*].securityContext.capabilities.add'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv106", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", + "https://avd.aquasec.com/misconfig/ksv106" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 170, + "EndLine": 182, + "Code": { + "Lines": [ + { + "Number": 170, + "Content": " - name: metrics", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: metrics", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 171, + "Content": " image: quay.io/devtron/prometheus-nats-exporter:latest", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/prometheus-nats-exporter:latest", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 172, + "Content": " args:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33margs\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 173, + "Content": " - -connz", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - -connz", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 174, + "Content": " - -routez", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - -routez", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 175, + "Content": " - -subz", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - -subz", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 176, + "Content": " - -varz", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - -varz", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 177, + 
"Content": " - -channelz", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - -channelz", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 178, + "Content": " - -serverz", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - -serverz", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 179, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + } + ] + }, + { + "Target": "manifests/yamls/notifier.yaml", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 153, + "Failures": 14, + "Exceptions": 0 + }, + "Misconfigurations": [ + { + "Type": "Kubernetes Security Check", + "ID": "KSV001", + "AVDID": "AVD-KSV-0001", + "Title": "Can elevate its own privileges", + "Description": "A program inside the container can elevate its own privileges and run as root, which might give the program control over the container and node.", + "Message": "Container 'notifier' of Deployment 'notifier' should set 'securityContext.allowPrivilegeEscalation' to false", + "Namespace": "builtin.kubernetes.KSV001", + "Query": "data.builtin.kubernetes.KSV001.deny", + "Resolution": "Set 'set containers[].securityContext.allowPrivilegeEscalation' to 'false'.", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv001", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", + "https://avd.aquasec.com/misconfig/ksv001" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 68, + "EndLine": 89, + "Code": { + "Lines": [ + { + "Number": 68, + "Content": " - name: notifier", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: notifier", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 69, + 
"Content": " image: quay.io/devtron/notifier:e4ffc71a-372-20776", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/notifier:e4ffc71a-372-20776", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 70, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 71, + "Content": " ports:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mports\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 72, + "Content": " - name: app", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: app", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 73, + "Content": " containerPort: 3000", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m3000", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 74, + "Content": " protocol: TCP", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mprotocol\u001b[0m: TCP", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 75, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 76, + "Content": " - name: CONFIG_HASH", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: CONFIG_HASH", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 77, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + 
} + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV003", + "AVDID": "AVD-KSV-0003", + "Title": "Default capabilities: some containers do not drop all", + "Description": "The container should drop all default capabilities and add only those that are needed for its execution.", + "Message": "Container 'notifier' of Deployment 'notifier' should add 'ALL' to 'securityContext.capabilities.drop'", + "Namespace": "builtin.kubernetes.KSV003", + "Query": "data.builtin.kubernetes.KSV003.deny", + "Resolution": "Add 'ALL' to containers[].securityContext.capabilities.drop.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv003", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-capabilities-drop-index-all/", + "https://avd.aquasec.com/misconfig/ksv003" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 68, + "EndLine": 89, + "Code": { + "Lines": [ + { + "Number": 68, + "Content": " - name: notifier", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: notifier", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 69, + "Content": " image: quay.io/devtron/notifier:e4ffc71a-372-20776", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/notifier:e4ffc71a-372-20776", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 70, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 71, + "Content": " ports:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mports\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 72, + 
"Content": " - name: app", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: app", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 73, + "Content": " containerPort: 3000", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m3000", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 74, + "Content": " protocol: TCP", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mprotocol\u001b[0m: TCP", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 75, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 76, + "Content": " - name: CONFIG_HASH", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: CONFIG_HASH", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 77, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV011", + "AVDID": "AVD-KSV-0011", + "Title": "CPU not limited", + "Description": "Enforcing CPU limits prevents DoS via resource exhaustion.", + "Message": "Container 'notifier' of Deployment 'notifier' should set 'resources.limits.cpu'", + "Namespace": "builtin.kubernetes.KSV011", + "Query": "data.builtin.kubernetes.KSV011.deny", + "Resolution": "Set a limit value under 'containers[].resources.limits.cpu'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv011", + "References": [ + "https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", + "https://avd.aquasec.com/misconfig/ksv011" + 
], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 68, + "EndLine": 89, + "Code": { + "Lines": [ + { + "Number": 68, + "Content": " - name: notifier", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: notifier", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 69, + "Content": " image: quay.io/devtron/notifier:e4ffc71a-372-20776", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/notifier:e4ffc71a-372-20776", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 70, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 71, + "Content": " ports:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mports\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 72, + "Content": " - name: app", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: app", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 73, + "Content": " containerPort: 3000", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m3000", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 74, + "Content": " protocol: TCP", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mprotocol\u001b[0m: TCP", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 75, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33menv\u001b[0m:", + 
"FirstCause": false, + "LastCause": false + }, + { + "Number": 76, + "Content": " - name: CONFIG_HASH", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: CONFIG_HASH", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 77, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV012", + "AVDID": "AVD-KSV-0012", + "Title": "Runs as root user", + "Description": "Force the running image to run as a non-root user to ensure least privileges.", + "Message": "Container 'notifier' of Deployment 'notifier' should set 'securityContext.runAsNonRoot' to true", + "Namespace": "builtin.kubernetes.KSV012", + "Query": "data.builtin.kubernetes.KSV012.deny", + "Resolution": "Set 'containers[].securityContext.runAsNonRoot' to true.", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv012", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", + "https://avd.aquasec.com/misconfig/ksv012" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 68, + "EndLine": 89, + "Code": { + "Lines": [ + { + "Number": 68, + "Content": " - name: notifier", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: notifier", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 69, + "Content": " image: quay.io/devtron/notifier:e4ffc71a-372-20776", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/notifier:e4ffc71a-372-20776", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 70, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + 
"Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 71, + "Content": " ports:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mports\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 72, + "Content": " - name: app", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: app", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 73, + "Content": " containerPort: 3000", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m3000", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 74, + "Content": " protocol: TCP", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mprotocol\u001b[0m: TCP", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 75, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 76, + "Content": " - name: CONFIG_HASH", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: CONFIG_HASH", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 77, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV014", + "AVDID": "AVD-KSV-0014", + "Title": "Root file system is not read-only", + "Description": "An immutable root file system prevents applications from writing to their local disk. 
This can limit intrusions, as attackers will not be able to tamper with the file system or write foreign executables to disk.", + "Message": "Container 'notifier' of Deployment 'notifier' should set 'securityContext.readOnlyRootFilesystem' to true", + "Namespace": "builtin.kubernetes.KSV014", + "Query": "data.builtin.kubernetes.KSV014.deny", + "Resolution": "Change 'containers[].securityContext.readOnlyRootFilesystem' to 'true'.", + "Severity": "HIGH", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv014", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-readonlyrootfilesystem-true/", + "https://avd.aquasec.com/misconfig/ksv014" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 68, + "EndLine": 89, + "Code": { + "Lines": [ + { + "Number": 68, + "Content": " - name: notifier", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: notifier", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 69, + "Content": " image: quay.io/devtron/notifier:e4ffc71a-372-20776", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/notifier:e4ffc71a-372-20776", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 70, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 71, + "Content": " ports:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mports\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 72, + "Content": " - name: app", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: app", + 
"FirstCause": false, + "LastCause": false + }, + { + "Number": 73, + "Content": " containerPort: 3000", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m3000", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 74, + "Content": " protocol: TCP", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mprotocol\u001b[0m: TCP", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 75, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 76, + "Content": " - name: CONFIG_HASH", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: CONFIG_HASH", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 77, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV015", + "AVDID": "AVD-KSV-0015", + "Title": "CPU requests not specified", + "Description": "When containers have resource requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", + "Message": "Container 'notifier' of Deployment 'notifier' should set 'resources.requests.cpu'", + "Namespace": "builtin.kubernetes.KSV015", + "Query": "data.builtin.kubernetes.KSV015.deny", + "Resolution": "Set 'containers[].resources.requests.cpu'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv015", + "References": [ + "https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", + "https://avd.aquasec.com/misconfig/ksv015" + ], + "Status": "FAIL", + "Layer": {}, + 
"CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 68, + "EndLine": 89, + "Code": { + "Lines": [ + { + "Number": 68, + "Content": " - name: notifier", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: notifier", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 69, + "Content": " image: quay.io/devtron/notifier:e4ffc71a-372-20776", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/notifier:e4ffc71a-372-20776", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 70, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 71, + "Content": " ports:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mports\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 72, + "Content": " - name: app", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: app", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 73, + "Content": " containerPort: 3000", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m3000", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 74, + "Content": " protocol: TCP", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mprotocol\u001b[0m: TCP", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 75, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + 
}, + { + "Number": 76, + "Content": " - name: CONFIG_HASH", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: CONFIG_HASH", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 77, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV016", + "AVDID": "AVD-KSV-0016", + "Title": "Memory requests not specified", + "Description": "When containers have memory requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", + "Message": "Container 'notifier' of Deployment 'notifier' should set 'resources.requests.memory'", + "Namespace": "builtin.kubernetes.KSV016", + "Query": "data.builtin.kubernetes.KSV016.deny", + "Resolution": "Set 'containers[].resources.requests.memory'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv016", + "References": [ + "https://kubesec.io/basics/containers-resources-limits-memory/", + "https://avd.aquasec.com/misconfig/ksv016" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 68, + "EndLine": 89, + "Code": { + "Lines": [ + { + "Number": 68, + "Content": " - name: notifier", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: notifier", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 69, + "Content": " image: quay.io/devtron/notifier:e4ffc71a-372-20776", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/notifier:e4ffc71a-372-20776", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 70, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": 
false, + "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 71, + "Content": " ports:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mports\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 72, + "Content": " - name: app", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: app", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 73, + "Content": " containerPort: 3000", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m3000", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 74, + "Content": " protocol: TCP", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mprotocol\u001b[0m: TCP", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 75, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 76, + "Content": " - name: CONFIG_HASH", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: CONFIG_HASH", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 77, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV018", + "AVDID": "AVD-KSV-0018", + "Title": "Memory not limited", + "Description": "Enforcing memory limits prevents DoS via resource exhaustion.", + "Message": "Container 'notifier' of Deployment 'notifier' should set 'resources.limits.memory'", + "Namespace": "builtin.kubernetes.KSV018", + "Query": 
"data.builtin.kubernetes.KSV018.deny", + "Resolution": "Set a limit value under 'containers[].resources.limits.memory'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv018", + "References": [ + "https://kubesec.io/basics/containers-resources-limits-memory/", + "https://avd.aquasec.com/misconfig/ksv018" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 68, + "EndLine": 89, + "Code": { + "Lines": [ + { + "Number": 68, + "Content": " - name: notifier", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: notifier", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 69, + "Content": " image: quay.io/devtron/notifier:e4ffc71a-372-20776", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/notifier:e4ffc71a-372-20776", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 70, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 71, + "Content": " ports:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mports\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 72, + "Content": " - name: app", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: app", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 73, + "Content": " containerPort: 3000", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m3000", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 74, + "Content": " protocol: TCP", + 
"IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mprotocol\u001b[0m: TCP", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 75, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 76, + "Content": " - name: CONFIG_HASH", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: CONFIG_HASH", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 77, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV020", + "AVDID": "AVD-KSV-0020", + "Title": "Runs with UID \u003c= 10000", + "Description": "Force the container to run with user ID \u003e 10000 to avoid conflicts with the host’s user table.", + "Message": "Container 'notifier' of Deployment 'notifier' should set 'securityContext.runAsUser' \u003e 10000", + "Namespace": "builtin.kubernetes.KSV020", + "Query": "data.builtin.kubernetes.KSV020.deny", + "Resolution": "Set 'containers[].securityContext.runAsUser' to an integer \u003e 10000.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv020", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-runasuser/", + "https://avd.aquasec.com/misconfig/ksv020" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 68, + "EndLine": 89, + "Code": { + "Lines": [ + { + "Number": 68, + "Content": " - name: notifier", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: notifier", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 69, + "Content": " image: 
quay.io/devtron/notifier:e4ffc71a-372-20776", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/notifier:e4ffc71a-372-20776", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 70, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 71, + "Content": " ports:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mports\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 72, + "Content": " - name: app", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: app", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 73, + "Content": " containerPort: 3000", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m3000", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 74, + "Content": " protocol: TCP", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mprotocol\u001b[0m: TCP", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 75, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 76, + "Content": " - name: CONFIG_HASH", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: CONFIG_HASH", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 77, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + 
{ + "Type": "Kubernetes Security Check", + "ID": "KSV021", + "AVDID": "AVD-KSV-0021", + "Title": "Runs with GID \u003c= 10000", + "Description": "Force the container to run with group ID \u003e 10000 to avoid conflicts with the host’s user table.", + "Message": "Container 'notifier' of Deployment 'notifier' should set 'securityContext.runAsGroup' \u003e 10000", + "Namespace": "builtin.kubernetes.KSV021", + "Query": "data.builtin.kubernetes.KSV021.deny", + "Resolution": "Set 'containers[].securityContext.runAsGroup' to an integer \u003e 10000.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv021", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-runasuser/", + "https://avd.aquasec.com/misconfig/ksv021" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 68, + "EndLine": 89, + "Code": { + "Lines": [ + { + "Number": 68, + "Content": " - name: notifier", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: notifier", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 69, + "Content": " image: quay.io/devtron/notifier:e4ffc71a-372-20776", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/notifier:e4ffc71a-372-20776", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 70, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 71, + "Content": " ports:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mports\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 72, + "Content": " - name: app", + "IsCause": true, + "Annotation": 
"", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: app", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 73, + "Content": " containerPort: 3000", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m3000", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 74, + "Content": " protocol: TCP", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mprotocol\u001b[0m: TCP", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 75, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 76, + "Content": " - name: CONFIG_HASH", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: CONFIG_HASH", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 77, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV030", + "AVDID": "AVD-KSV-0030", + "Title": "Runtime/Default Seccomp profile not set", + "Description": "According to pod security standard 'Seccomp', the RuntimeDefault seccomp profile must be required, or allow specific additional profiles.", + "Message": "Either Pod or Container should set 'securityContext.seccompProfile.type' to 'RuntimeDefault'", + "Namespace": "builtin.kubernetes.KSV030", + "Query": "data.builtin.kubernetes.KSV030.deny", + "Resolution": "Set 'spec.securityContext.seccompProfile.type', 'spec.containers[*].securityContext.seccompProfile' and 'spec.initContainers[*].securityContext.seccompProfile' to 'RuntimeDefault' or undefined.", + "Severity": "LOW", + "PrimaryURL": 
"https://avd.aquasec.com/misconfig/ksv030", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", + "https://avd.aquasec.com/misconfig/ksv030" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 68, + "EndLine": 89, + "Code": { + "Lines": [ + { + "Number": 68, + "Content": " - name: notifier", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: notifier", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 69, + "Content": " image: quay.io/devtron/notifier:e4ffc71a-372-20776", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/notifier:e4ffc71a-372-20776", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 70, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 71, + "Content": " ports:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mports\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 72, + "Content": " - name: app", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: app", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 73, + "Content": " containerPort: 3000", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m3000", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 74, + "Content": " protocol: TCP", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mprotocol\u001b[0m: TCP", + 
"FirstCause": false, + "LastCause": false + }, + { + "Number": 75, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 76, + "Content": " - name: CONFIG_HASH", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: CONFIG_HASH", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 77, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "AVD-KSV-01010", + "AVDID": "AVD-KSV-01010", + "Title": "ConfigMap with sensitive content", + "Description": "Storing sensitive content such as usernames and email addresses in configMaps is unsafe", + "Message": "ConfigMap 'notifier-cm' in 'default' namespace stores sensitive contents in key(s) or value(s) '{\"CD_ENVIRONMENT\", \"DB_PORT\"}'", + "Namespace": "builtin.kubernetes.KSV01010", + "Query": "data.builtin.kubernetes.KSV01010.deny", + "Resolution": "Remove sensitive content from configMap data value", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/avd-ksv-01010", + "References": [ + "https://avd.aquasec.com/misconfig/avd-ksv-01010" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 9, + "EndLine": 9, + "Code": { + "Lines": [ + { + "Number": 9, + "Content": "---", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "---", + "FirstCause": true, + "LastCause": true + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV104", + "AVDID": "AVD-KSV-0104", + "Title": "Seccomp policies disabled", + "Description": "A program inside the container can bypass Seccomp protection policies.", + "Message": "container \"notifier\" of deployment 
\"notifier\" in \"default\" namespace should specify a seccomp profile", + "Namespace": "builtin.kubernetes.KSV104", + "Query": "data.builtin.kubernetes.KSV104.deny", + "Resolution": "Specify seccomp either by annotation or by seccomp profile type having allowed values as per pod security standards", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv104", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline", + "https://avd.aquasec.com/misconfig/ksv104" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 42, + "EndLine": 42, + "Code": { + "Lines": [ + { + "Number": 42, + "Content": "---", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "---", + "FirstCause": true, + "LastCause": true + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV106", + "AVDID": "AVD-KSV-0106", + "Title": "Container capabilities must only include NET_BIND_SERVICE", + "Description": "Containers must drop ALL capabilities, and are only permitted to add back the NET_BIND_SERVICE capability.", + "Message": "container should drop all", + "Namespace": "builtin.kubernetes.KSV106", + "Query": "data.builtin.kubernetes.KSV106.deny", + "Resolution": "Set 'spec.containers[*].securityContext.capabilities.drop' to 'ALL' and only add 'NET_BIND_SERVICE' to 'spec.containers[*].securityContext.capabilities.add'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv106", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", + "https://avd.aquasec.com/misconfig/ksv106" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 68, + "EndLine": 89, + "Code": { + "Lines": [ + { + "Number": 68, + "Content": " - name: notifier", + "IsCause": true, + "Annotation": "", + 
"Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: notifier", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 69, + "Content": " image: quay.io/devtron/notifier:e4ffc71a-372-20776", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/notifier:e4ffc71a-372-20776", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 70, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 71, + "Content": " ports:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mports\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 72, + "Content": " - name: app", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: app", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 73, + "Content": " containerPort: 3000", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m3000", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 74, + "Content": " protocol: TCP", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mprotocol\u001b[0m: TCP", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 75, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 76, + "Content": " - name: CONFIG_HASH", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: CONFIG_HASH", + "FirstCause": false, + "LastCause": 
true + }, + { + "Number": 77, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + } + ] + }, + { + "Target": "manifests/yamls/postgresql.yaml", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 153, + "Failures": 41, + "Exceptions": 0 + }, + "Misconfigurations": [ + { + "Type": "Kubernetes Security Check", + "ID": "KSV001", + "AVDID": "AVD-KSV-0001", + "Title": "Can elevate its own privileges", + "Description": "A program inside the container can elevate its own privileges and run as root, which might give the program control over the container and node.", + "Message": "Container 'init-chmod-data' of StatefulSet 'postgresql-postgresql' should set 'securityContext.allowPrivilegeEscalation' to false", + "Namespace": "builtin.kubernetes.KSV001", + "Query": "data.builtin.kubernetes.KSV001.deny", + "Resolution": "Set 'set containers[].securityContext.allowPrivilegeEscalation' to 'false'.", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv001", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", + "https://avd.aquasec.com/misconfig/ksv001" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 122, + "EndLine": 143, + "Code": { + "Lines": [ + { + "Number": 122, + "Content": " - name: init-chmod-data", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: init-chmod-data", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 123, + "Content": " image: \"quay.io/devtron/minideb:latest\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/minideb:latest\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 124, + "Content": " 
imagePullPolicy: \"IfNotPresent\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: \u001b[38;5;37m\"IfNotPresent\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 125, + "Content": " command:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mcommand\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 126, + "Content": " - /bin/sh", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - /bin/sh", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 127, + "Content": " - -cx", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - -cx", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 128, + "Content": " - |", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - |", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 129, + "Content": " ", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[38;5;37m ", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 130, + "Content": " mkdir -p /bitnami/postgresql/data", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " mkdir -p /bitnami/postgresql/data", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 131, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV001", + "AVDID": "AVD-KSV-0001", + "Title": "Can elevate its own privileges", + "Description": "A program inside the container can elevate its own privileges and run as root, which might give the program control over the container and node.", + "Message": "Container 'metrics' of StatefulSet 'postgresql-postgresql' should set 
'securityContext.allowPrivilegeEscalation' to false", + "Namespace": "builtin.kubernetes.KSV001", + "Query": "data.builtin.kubernetes.KSV001.deny", + "Resolution": "Set 'set containers[].securityContext.allowPrivilegeEscalation' to 'false'.", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv001", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", + "https://avd.aquasec.com/misconfig/ksv001" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 212, + "EndLine": 246, + "Code": { + "Lines": [ + { + "Number": 212, + "Content": " - name: metrics", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: metrics", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 213, + "Content": " image: quay.io/devtron/postgres_exporter:v0.4.7", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/postgres_exporter:v0.4.7", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 214, + "Content": " imagePullPolicy: \"IfNotPresent\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: \u001b[38;5;37m\"IfNotPresent\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 215, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 216, + "Content": " - name: DATA_SOURCE_URI", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: DATA_SOURCE_URI", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 217, + "Content": " value: \"127.0.0.1:5432/orchestrator?sslmode=disable\"", + "IsCause": 
true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: \u001b[38;5;37m\"127.0.0.1:5432/orchestrator?sslmode=disable\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 218, + "Content": " - name: DATA_SOURCE_PASS", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: DATA_SOURCE_PASS", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 219, + "Content": " valueFrom:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalueFrom\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 220, + "Content": " secretKeyRef:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33msecretKeyRef\u001b[0m:", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 221, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV001", + "AVDID": "AVD-KSV-0001", + "Title": "Can elevate its own privileges", + "Description": "A program inside the container can elevate its own privileges and run as root, which might give the program control over the container and node.", + "Message": "Container 'postgresql-postgresql' of StatefulSet 'postgresql-postgresql' should set 'securityContext.allowPrivilegeEscalation' to false", + "Namespace": "builtin.kubernetes.KSV001", + "Query": "data.builtin.kubernetes.KSV001.deny", + "Resolution": "Set 'set containers[].securityContext.allowPrivilegeEscalation' to 'false'.", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv001", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", + "https://avd.aquasec.com/misconfig/ksv001" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + 
"Provider": "Kubernetes", + "Service": "general", + "StartLine": 149, + "EndLine": 210, + "Code": { + "Lines": [ + { + "Number": 149, + "Content": " - name: postgresql-postgresql", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-postgresql", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 150, + "Content": " image: quay.io/devtron/postgres:11.9.0-debian-10-r26", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/postgres:11.9.0-debian-10-r26", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 151, + "Content": " imagePullPolicy: \"IfNotPresent\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: \u001b[38;5;37m\"IfNotPresent\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 152, + "Content": " securityContext:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33msecurityContext\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 153, + "Content": " runAsUser: 1001", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1001", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 154, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 155, + "Content": " - name: BITNAMI_DEBUG", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: BITNAMI_DEBUG", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 156, + "Content": " value: \"false\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " 
\u001b[38;5;33mvalue\u001b[0m: \u001b[38;5;37m\"false\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 157, + "Content": " - name: POSTGRESQL_PORT_NUMBER", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: POSTGRESQL_PORT_NUMBER", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 158, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV003", + "AVDID": "AVD-KSV-0003", + "Title": "Default capabilities: some containers do not drop all", + "Description": "The container should drop all default capabilities and add only those that are needed for its execution.", + "Message": "Container 'init-chmod-data' of StatefulSet 'postgresql-postgresql' should add 'ALL' to 'securityContext.capabilities.drop'", + "Namespace": "builtin.kubernetes.KSV003", + "Query": "data.builtin.kubernetes.KSV003.deny", + "Resolution": "Add 'ALL' to containers[].securityContext.capabilities.drop.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv003", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-capabilities-drop-index-all/", + "https://avd.aquasec.com/misconfig/ksv003" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 122, + "EndLine": 143, + "Code": { + "Lines": [ + { + "Number": 122, + "Content": " - name: init-chmod-data", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: init-chmod-data", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 123, + "Content": " image: \"quay.io/devtron/minideb:latest\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: 
\u001b[38;5;37m\"quay.io/devtron/minideb:latest\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 124, + "Content": " imagePullPolicy: \"IfNotPresent\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: \u001b[38;5;37m\"IfNotPresent\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 125, + "Content": " command:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mcommand\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 126, + "Content": " - /bin/sh", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - /bin/sh", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 127, + "Content": " - -cx", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - -cx", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 128, + "Content": " - |", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - |", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 129, + "Content": " ", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[38;5;37m ", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 130, + "Content": " mkdir -p /bitnami/postgresql/data", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " mkdir -p /bitnami/postgresql/data", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 131, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV003", + "AVDID": "AVD-KSV-0003", + "Title": "Default capabilities: some containers do not drop all", + "Description": "The container should drop all default capabilities and add only those that are needed 
for its execution.", + "Message": "Container 'metrics' of StatefulSet 'postgresql-postgresql' should add 'ALL' to 'securityContext.capabilities.drop'", + "Namespace": "builtin.kubernetes.KSV003", + "Query": "data.builtin.kubernetes.KSV003.deny", + "Resolution": "Add 'ALL' to containers[].securityContext.capabilities.drop.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv003", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-capabilities-drop-index-all/", + "https://avd.aquasec.com/misconfig/ksv003" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 212, + "EndLine": 246, + "Code": { + "Lines": [ + { + "Number": 212, + "Content": " - name: metrics", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: metrics", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 213, + "Content": " image: quay.io/devtron/postgres_exporter:v0.4.7", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/postgres_exporter:v0.4.7", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 214, + "Content": " imagePullPolicy: \"IfNotPresent\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: \u001b[38;5;37m\"IfNotPresent\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 215, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 216, + "Content": " - name: DATA_SOURCE_URI", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: DATA_SOURCE_URI", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 217, + 
"Content": " value: \"127.0.0.1:5432/orchestrator?sslmode=disable\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: \u001b[38;5;37m\"127.0.0.1:5432/orchestrator?sslmode=disable\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 218, + "Content": " - name: DATA_SOURCE_PASS", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: DATA_SOURCE_PASS", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 219, + "Content": " valueFrom:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalueFrom\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 220, + "Content": " secretKeyRef:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33msecretKeyRef\u001b[0m:", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 221, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV003", + "AVDID": "AVD-KSV-0003", + "Title": "Default capabilities: some containers do not drop all", + "Description": "The container should drop all default capabilities and add only those that are needed for its execution.", + "Message": "Container 'postgresql-postgresql' of StatefulSet 'postgresql-postgresql' should add 'ALL' to 'securityContext.capabilities.drop'", + "Namespace": "builtin.kubernetes.KSV003", + "Query": "data.builtin.kubernetes.KSV003.deny", + "Resolution": "Add 'ALL' to containers[].securityContext.capabilities.drop.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv003", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-capabilities-drop-index-all/", + "https://avd.aquasec.com/misconfig/ksv003" + ], + "Status": 
"FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 149, + "EndLine": 210, + "Code": { + "Lines": [ + { + "Number": 149, + "Content": " - name: postgresql-postgresql", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-postgresql", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 150, + "Content": " image: quay.io/devtron/postgres:11.9.0-debian-10-r26", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/postgres:11.9.0-debian-10-r26", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 151, + "Content": " imagePullPolicy: \"IfNotPresent\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: \u001b[38;5;37m\"IfNotPresent\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 152, + "Content": " securityContext:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33msecurityContext\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 153, + "Content": " runAsUser: 1001", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1001", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 154, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 155, + "Content": " - name: BITNAMI_DEBUG", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: BITNAMI_DEBUG", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 156, + "Content": " value: \"false\"", + "IsCause": true, + 
"Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: \u001b[38;5;37m\"false\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 157, + "Content": " - name: POSTGRESQL_PORT_NUMBER", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: POSTGRESQL_PORT_NUMBER", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 158, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV011", + "AVDID": "AVD-KSV-0011", + "Title": "CPU not limited", + "Description": "Enforcing CPU limits prevents DoS via resource exhaustion.", + "Message": "Container 'init-chmod-data' of StatefulSet 'postgresql-postgresql' should set 'resources.limits.cpu'", + "Namespace": "builtin.kubernetes.KSV011", + "Query": "data.builtin.kubernetes.KSV011.deny", + "Resolution": "Set a limit value under 'containers[].resources.limits.cpu'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv011", + "References": [ + "https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", + "https://avd.aquasec.com/misconfig/ksv011" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 122, + "EndLine": 143, + "Code": { + "Lines": [ + { + "Number": 122, + "Content": " - name: init-chmod-data", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: init-chmod-data", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 123, + "Content": " image: \"quay.io/devtron/minideb:latest\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: 
\u001b[38;5;37m\"quay.io/devtron/minideb:latest\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 124, + "Content": " imagePullPolicy: \"IfNotPresent\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: \u001b[38;5;37m\"IfNotPresent\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 125, + "Content": " command:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mcommand\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 126, + "Content": " - /bin/sh", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - /bin/sh", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 127, + "Content": " - -cx", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - -cx", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 128, + "Content": " - |", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - |", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 129, + "Content": " ", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[38;5;37m ", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 130, + "Content": " mkdir -p /bitnami/postgresql/data", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " mkdir -p /bitnami/postgresql/data", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 131, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV011", + "AVDID": "AVD-KSV-0011", + "Title": "CPU not limited", + "Description": "Enforcing CPU limits prevents DoS via resource exhaustion.", + "Message": "Container 'metrics' of StatefulSet 
'postgresql-postgresql' should set 'resources.limits.cpu'", + "Namespace": "builtin.kubernetes.KSV011", + "Query": "data.builtin.kubernetes.KSV011.deny", + "Resolution": "Set a limit value under 'containers[].resources.limits.cpu'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv011", + "References": [ + "https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", + "https://avd.aquasec.com/misconfig/ksv011" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 212, + "EndLine": 246, + "Code": { + "Lines": [ + { + "Number": 212, + "Content": " - name: metrics", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: metrics", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 213, + "Content": " image: quay.io/devtron/postgres_exporter:v0.4.7", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/postgres_exporter:v0.4.7", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 214, + "Content": " imagePullPolicy: \"IfNotPresent\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: \u001b[38;5;37m\"IfNotPresent\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 215, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 216, + "Content": " - name: DATA_SOURCE_URI", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: DATA_SOURCE_URI", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 217, + "Content": " value: 
\"127.0.0.1:5432/orchestrator?sslmode=disable\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: \u001b[38;5;37m\"127.0.0.1:5432/orchestrator?sslmode=disable\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 218, + "Content": " - name: DATA_SOURCE_PASS", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: DATA_SOURCE_PASS", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 219, + "Content": " valueFrom:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalueFrom\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 220, + "Content": " secretKeyRef:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33msecretKeyRef\u001b[0m:", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 221, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV011", + "AVDID": "AVD-KSV-0011", + "Title": "CPU not limited", + "Description": "Enforcing CPU limits prevents DoS via resource exhaustion.", + "Message": "Container 'postgresql-postgresql' of StatefulSet 'postgresql-postgresql' should set 'resources.limits.cpu'", + "Namespace": "builtin.kubernetes.KSV011", + "Query": "data.builtin.kubernetes.KSV011.deny", + "Resolution": "Set a limit value under 'containers[].resources.limits.cpu'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv011", + "References": [ + "https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", + "https://avd.aquasec.com/misconfig/ksv011" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + 
"StartLine": 149, + "EndLine": 210, + "Code": { + "Lines": [ + { + "Number": 149, + "Content": " - name: postgresql-postgresql", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-postgresql", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 150, + "Content": " image: quay.io/devtron/postgres:11.9.0-debian-10-r26", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/postgres:11.9.0-debian-10-r26", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 151, + "Content": " imagePullPolicy: \"IfNotPresent\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: \u001b[38;5;37m\"IfNotPresent\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 152, + "Content": " securityContext:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33msecurityContext\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 153, + "Content": " runAsUser: 1001", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1001", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 154, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 155, + "Content": " - name: BITNAMI_DEBUG", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: BITNAMI_DEBUG", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 156, + "Content": " value: \"false\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: 
\u001b[38;5;37m\"false\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 157, + "Content": " - name: POSTGRESQL_PORT_NUMBER", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: POSTGRESQL_PORT_NUMBER", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 158, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV012", + "AVDID": "AVD-KSV-0012", + "Title": "Runs as root user", + "Description": "Force the running image to run as a non-root user to ensure least privileges.", + "Message": "Container 'init-chmod-data' of StatefulSet 'postgresql-postgresql' should set 'securityContext.runAsNonRoot' to true", + "Namespace": "builtin.kubernetes.KSV012", + "Query": "data.builtin.kubernetes.KSV012.deny", + "Resolution": "Set 'containers[].securityContext.runAsNonRoot' to true.", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv012", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", + "https://avd.aquasec.com/misconfig/ksv012" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 122, + "EndLine": 143, + "Code": { + "Lines": [ + { + "Number": 122, + "Content": " - name: init-chmod-data", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: init-chmod-data", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 123, + "Content": " image: \"quay.io/devtron/minideb:latest\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/minideb:latest\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 124, + "Content": " 
imagePullPolicy: \"IfNotPresent\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: \u001b[38;5;37m\"IfNotPresent\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 125, + "Content": " command:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mcommand\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 126, + "Content": " - /bin/sh", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - /bin/sh", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 127, + "Content": " - -cx", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - -cx", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 128, + "Content": " - |", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - |", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 129, + "Content": " ", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[38;5;37m ", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 130, + "Content": " mkdir -p /bitnami/postgresql/data", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " mkdir -p /bitnami/postgresql/data", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 131, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV012", + "AVDID": "AVD-KSV-0012", + "Title": "Runs as root user", + "Description": "Force the running image to run as a non-root user to ensure least privileges.", + "Message": "Container 'metrics' of StatefulSet 'postgresql-postgresql' should set 'securityContext.runAsNonRoot' to true", + "Namespace": "builtin.kubernetes.KSV012", + "Query": 
"data.builtin.kubernetes.KSV012.deny", + "Resolution": "Set 'containers[].securityContext.runAsNonRoot' to true.", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv012", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", + "https://avd.aquasec.com/misconfig/ksv012" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 212, + "EndLine": 246, + "Code": { + "Lines": [ + { + "Number": 212, + "Content": " - name: metrics", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: metrics", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 213, + "Content": " image: quay.io/devtron/postgres_exporter:v0.4.7", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/postgres_exporter:v0.4.7", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 214, + "Content": " imagePullPolicy: \"IfNotPresent\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: \u001b[38;5;37m\"IfNotPresent\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 215, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 216, + "Content": " - name: DATA_SOURCE_URI", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: DATA_SOURCE_URI", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 217, + "Content": " value: \"127.0.0.1:5432/orchestrator?sslmode=disable\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: 
\u001b[38;5;37m\"127.0.0.1:5432/orchestrator?sslmode=disable\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 218, + "Content": " - name: DATA_SOURCE_PASS", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: DATA_SOURCE_PASS", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 219, + "Content": " valueFrom:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalueFrom\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 220, + "Content": " secretKeyRef:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33msecretKeyRef\u001b[0m:", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 221, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV012", + "AVDID": "AVD-KSV-0012", + "Title": "Runs as root user", + "Description": "Force the running image to run as a non-root user to ensure least privileges.", + "Message": "Container 'postgresql-postgresql' of StatefulSet 'postgresql-postgresql' should set 'securityContext.runAsNonRoot' to true", + "Namespace": "builtin.kubernetes.KSV012", + "Query": "data.builtin.kubernetes.KSV012.deny", + "Resolution": "Set 'containers[].securityContext.runAsNonRoot' to true.", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv012", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", + "https://avd.aquasec.com/misconfig/ksv012" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 149, + "EndLine": 210, + "Code": { + "Lines": [ + { + "Number": 149, + "Content": " - name: postgresql-postgresql", + "IsCause": true, + 
"Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-postgresql", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 150, + "Content": " image: quay.io/devtron/postgres:11.9.0-debian-10-r26", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/postgres:11.9.0-debian-10-r26", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 151, + "Content": " imagePullPolicy: \"IfNotPresent\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: \u001b[38;5;37m\"IfNotPresent\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 152, + "Content": " securityContext:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33msecurityContext\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 153, + "Content": " runAsUser: 1001", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1001", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 154, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 155, + "Content": " - name: BITNAMI_DEBUG", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: BITNAMI_DEBUG", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 156, + "Content": " value: \"false\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: \u001b[38;5;37m\"false\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 157, + "Content": " - name: POSTGRESQL_PORT_NUMBER", + "IsCause": true, + 
"Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: POSTGRESQL_PORT_NUMBER", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 158, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV013", + "AVDID": "AVD-KSV-0013", + "Title": "Image tag \":latest\" used", + "Description": "It is best to avoid using the ':latest' image tag when deploying containers in production. Doing so makes it hard to track which version of the image is running, and hard to roll back the version.", + "Message": "Container 'init-chmod-data' of StatefulSet 'postgresql-postgresql' should specify an image tag", + "Namespace": "builtin.kubernetes.KSV013", + "Query": "data.builtin.kubernetes.KSV013.deny", + "Resolution": "Use a specific container image tag that is not 'latest'.", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv013", + "References": [ + "https://kubernetes.io/docs/concepts/configuration/overview/#container-images", + "https://avd.aquasec.com/misconfig/ksv013" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 122, + "EndLine": 143, + "Code": { + "Lines": [ + { + "Number": 122, + "Content": " - name: init-chmod-data", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: init-chmod-data", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 123, + "Content": " image: \"quay.io/devtron/minideb:latest\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/minideb:latest\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 124, + "Content": " imagePullPolicy: \"IfNotPresent\"", + "IsCause": true, + 
"Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: \u001b[38;5;37m\"IfNotPresent\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 125, + "Content": " command:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mcommand\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 126, + "Content": " - /bin/sh", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - /bin/sh", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 127, + "Content": " - -cx", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - -cx", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 128, + "Content": " - |", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - |", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 129, + "Content": " ", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[38;5;37m ", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 130, + "Content": " mkdir -p /bitnami/postgresql/data", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " mkdir -p /bitnami/postgresql/data", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 131, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV014", + "AVDID": "AVD-KSV-0014", + "Title": "Root file system is not read-only", + "Description": "An immutable root file system prevents applications from writing to their local disk. 
This can limit intrusions, as attackers will not be able to tamper with the file system or write foreign executables to disk.", + "Message": "Container 'init-chmod-data' of StatefulSet 'postgresql-postgresql' should set 'securityContext.readOnlyRootFilesystem' to true", + "Namespace": "builtin.kubernetes.KSV014", + "Query": "data.builtin.kubernetes.KSV014.deny", + "Resolution": "Change 'containers[].securityContext.readOnlyRootFilesystem' to 'true'.", + "Severity": "HIGH", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv014", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-readonlyrootfilesystem-true/", + "https://avd.aquasec.com/misconfig/ksv014" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 122, + "EndLine": 143, + "Code": { + "Lines": [ + { + "Number": 122, + "Content": " - name: init-chmod-data", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: init-chmod-data", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 123, + "Content": " image: \"quay.io/devtron/minideb:latest\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/minideb:latest\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 124, + "Content": " imagePullPolicy: \"IfNotPresent\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: \u001b[38;5;37m\"IfNotPresent\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 125, + "Content": " command:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mcommand\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 126, + "Content": " - /bin/sh", + "IsCause": true, + "Annotation": "", + 
"Truncated": false, + "Highlighted": " - /bin/sh", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 127, + "Content": " - -cx", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - -cx", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 128, + "Content": " - |", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - |", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 129, + "Content": " ", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[38;5;37m ", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 130, + "Content": " mkdir -p /bitnami/postgresql/data", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " mkdir -p /bitnami/postgresql/data", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 131, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV014", + "AVDID": "AVD-KSV-0014", + "Title": "Root file system is not read-only", + "Description": "An immutable root file system prevents applications from writing to their local disk. 
This can limit intrusions, as attackers will not be able to tamper with the file system or write foreign executables to disk.", + "Message": "Container 'metrics' of StatefulSet 'postgresql-postgresql' should set 'securityContext.readOnlyRootFilesystem' to true", + "Namespace": "builtin.kubernetes.KSV014", + "Query": "data.builtin.kubernetes.KSV014.deny", + "Resolution": "Change 'containers[].securityContext.readOnlyRootFilesystem' to 'true'.", + "Severity": "HIGH", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv014", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-readonlyrootfilesystem-true/", + "https://avd.aquasec.com/misconfig/ksv014" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 212, + "EndLine": 246, + "Code": { + "Lines": [ + { + "Number": 212, + "Content": " - name: metrics", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: metrics", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 213, + "Content": " image: quay.io/devtron/postgres_exporter:v0.4.7", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/postgres_exporter:v0.4.7", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 214, + "Content": " imagePullPolicy: \"IfNotPresent\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: \u001b[38;5;37m\"IfNotPresent\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 215, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 216, + "Content": " - name: DATA_SOURCE_URI", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " 
- \u001b[38;5;33mname\u001b[0m: DATA_SOURCE_URI", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 217, + "Content": " value: \"127.0.0.1:5432/orchestrator?sslmode=disable\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: \u001b[38;5;37m\"127.0.0.1:5432/orchestrator?sslmode=disable\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 218, + "Content": " - name: DATA_SOURCE_PASS", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: DATA_SOURCE_PASS", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 219, + "Content": " valueFrom:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalueFrom\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 220, + "Content": " secretKeyRef:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33msecretKeyRef\u001b[0m:", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 221, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV014", + "AVDID": "AVD-KSV-0014", + "Title": "Root file system is not read-only", + "Description": "An immutable root file system prevents applications from writing to their local disk. 
This can limit intrusions, as attackers will not be able to tamper with the file system or write foreign executables to disk.", + "Message": "Container 'postgresql-postgresql' of StatefulSet 'postgresql-postgresql' should set 'securityContext.readOnlyRootFilesystem' to true", + "Namespace": "builtin.kubernetes.KSV014", + "Query": "data.builtin.kubernetes.KSV014.deny", + "Resolution": "Change 'containers[].securityContext.readOnlyRootFilesystem' to 'true'.", + "Severity": "HIGH", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv014", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-readonlyrootfilesystem-true/", + "https://avd.aquasec.com/misconfig/ksv014" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 149, + "EndLine": 210, + "Code": { + "Lines": [ + { + "Number": 149, + "Content": " - name: postgresql-postgresql", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-postgresql", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 150, + "Content": " image: quay.io/devtron/postgres:11.9.0-debian-10-r26", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/postgres:11.9.0-debian-10-r26", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 151, + "Content": " imagePullPolicy: \"IfNotPresent\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: \u001b[38;5;37m\"IfNotPresent\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 152, + "Content": " securityContext:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33msecurityContext\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 153, + "Content": " runAsUser: 1001", + "IsCause": 
true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1001", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 154, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 155, + "Content": " - name: BITNAMI_DEBUG", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: BITNAMI_DEBUG", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 156, + "Content": " value: \"false\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: \u001b[38;5;37m\"false\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 157, + "Content": " - name: POSTGRESQL_PORT_NUMBER", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: POSTGRESQL_PORT_NUMBER", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 158, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV015", + "AVDID": "AVD-KSV-0015", + "Title": "CPU requests not specified", + "Description": "When containers have resource requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", + "Message": "Container 'init-chmod-data' of StatefulSet 'postgresql-postgresql' should set 'resources.requests.cpu'", + "Namespace": "builtin.kubernetes.KSV015", + "Query": "data.builtin.kubernetes.KSV015.deny", + "Resolution": "Set 'containers[].resources.requests.cpu'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv015", + "References": [ + 
"https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", + "https://avd.aquasec.com/misconfig/ksv015" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 122, + "EndLine": 143, + "Code": { + "Lines": [ + { + "Number": 122, + "Content": " - name: init-chmod-data", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: init-chmod-data", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 123, + "Content": " image: \"quay.io/devtron/minideb:latest\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/minideb:latest\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 124, + "Content": " imagePullPolicy: \"IfNotPresent\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: \u001b[38;5;37m\"IfNotPresent\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 125, + "Content": " command:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mcommand\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 126, + "Content": " - /bin/sh", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - /bin/sh", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 127, + "Content": " - -cx", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - -cx", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 128, + "Content": " - |", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - |", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 129, + "Content": " ", + "IsCause": true, + "Annotation": 
"", + "Truncated": false, + "Highlighted": "\u001b[38;5;37m ", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 130, + "Content": " mkdir -p /bitnami/postgresql/data", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " mkdir -p /bitnami/postgresql/data", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 131, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV015", + "AVDID": "AVD-KSV-0015", + "Title": "CPU requests not specified", + "Description": "When containers have resource requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", + "Message": "Container 'metrics' of StatefulSet 'postgresql-postgresql' should set 'resources.requests.cpu'", + "Namespace": "builtin.kubernetes.KSV015", + "Query": "data.builtin.kubernetes.KSV015.deny", + "Resolution": "Set 'containers[].resources.requests.cpu'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv015", + "References": [ + "https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", + "https://avd.aquasec.com/misconfig/ksv015" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 212, + "EndLine": 246, + "Code": { + "Lines": [ + { + "Number": 212, + "Content": " - name: metrics", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: metrics", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 213, + "Content": " image: quay.io/devtron/postgres_exporter:v0.4.7", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: 
quay.io/devtron/postgres_exporter:v0.4.7", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 214, + "Content": " imagePullPolicy: \"IfNotPresent\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: \u001b[38;5;37m\"IfNotPresent\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 215, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 216, + "Content": " - name: DATA_SOURCE_URI", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: DATA_SOURCE_URI", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 217, + "Content": " value: \"127.0.0.1:5432/orchestrator?sslmode=disable\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: \u001b[38;5;37m\"127.0.0.1:5432/orchestrator?sslmode=disable\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 218, + "Content": " - name: DATA_SOURCE_PASS", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: DATA_SOURCE_PASS", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 219, + "Content": " valueFrom:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalueFrom\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 220, + "Content": " secretKeyRef:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33msecretKeyRef\u001b[0m:", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 221, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + 
"Type": "Kubernetes Security Check", + "ID": "KSV015", + "AVDID": "AVD-KSV-0015", + "Title": "CPU requests not specified", + "Description": "When containers have resource requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", + "Message": "Container 'postgresql-postgresql' of StatefulSet 'postgresql-postgresql' should set 'resources.requests.cpu'", + "Namespace": "builtin.kubernetes.KSV015", + "Query": "data.builtin.kubernetes.KSV015.deny", + "Resolution": "Set 'containers[].resources.requests.cpu'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv015", + "References": [ + "https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", + "https://avd.aquasec.com/misconfig/ksv015" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 149, + "EndLine": 210, + "Code": { + "Lines": [ + { + "Number": 149, + "Content": " - name: postgresql-postgresql", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-postgresql", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 150, + "Content": " image: quay.io/devtron/postgres:11.9.0-debian-10-r26", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/postgres:11.9.0-debian-10-r26", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 151, + "Content": " imagePullPolicy: \"IfNotPresent\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: \u001b[38;5;37m\"IfNotPresent\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 152, + "Content": " securityContext:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": 
"\u001b[0m \u001b[38;5;33msecurityContext\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 153, + "Content": " runAsUser: 1001", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1001", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 154, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 155, + "Content": " - name: BITNAMI_DEBUG", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: BITNAMI_DEBUG", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 156, + "Content": " value: \"false\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: \u001b[38;5;37m\"false\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 157, + "Content": " - name: POSTGRESQL_PORT_NUMBER", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: POSTGRESQL_PORT_NUMBER", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 158, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV016", + "AVDID": "AVD-KSV-0016", + "Title": "Memory requests not specified", + "Description": "When containers have memory requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", + "Message": "Container 'init-chmod-data' of StatefulSet 'postgresql-postgresql' should set 'resources.requests.memory'", + "Namespace": "builtin.kubernetes.KSV016", + "Query": "data.builtin.kubernetes.KSV016.deny", + 
"Resolution": "Set 'containers[].resources.requests.memory'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv016", + "References": [ + "https://kubesec.io/basics/containers-resources-limits-memory/", + "https://avd.aquasec.com/misconfig/ksv016" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 122, + "EndLine": 143, + "Code": { + "Lines": [ + { + "Number": 122, + "Content": " - name: init-chmod-data", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: init-chmod-data", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 123, + "Content": " image: \"quay.io/devtron/minideb:latest\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/minideb:latest\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 124, + "Content": " imagePullPolicy: \"IfNotPresent\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: \u001b[38;5;37m\"IfNotPresent\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 125, + "Content": " command:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mcommand\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 126, + "Content": " - /bin/sh", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - /bin/sh", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 127, + "Content": " - -cx", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - -cx", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 128, + "Content": " - |", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - |", + 
"FirstCause": false, + "LastCause": false + }, + { + "Number": 129, + "Content": " ", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[38;5;37m ", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 130, + "Content": " mkdir -p /bitnami/postgresql/data", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " mkdir -p /bitnami/postgresql/data", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 131, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV016", + "AVDID": "AVD-KSV-0016", + "Title": "Memory requests not specified", + "Description": "When containers have memory requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", + "Message": "Container 'metrics' of StatefulSet 'postgresql-postgresql' should set 'resources.requests.memory'", + "Namespace": "builtin.kubernetes.KSV016", + "Query": "data.builtin.kubernetes.KSV016.deny", + "Resolution": "Set 'containers[].resources.requests.memory'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv016", + "References": [ + "https://kubesec.io/basics/containers-resources-limits-memory/", + "https://avd.aquasec.com/misconfig/ksv016" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 212, + "EndLine": 246, + "Code": { + "Lines": [ + { + "Number": 212, + "Content": " - name: metrics", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: metrics", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 213, + "Content": " image: quay.io/devtron/postgres_exporter:v0.4.7", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": 
" \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/postgres_exporter:v0.4.7", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 214, + "Content": " imagePullPolicy: \"IfNotPresent\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: \u001b[38;5;37m\"IfNotPresent\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 215, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 216, + "Content": " - name: DATA_SOURCE_URI", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: DATA_SOURCE_URI", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 217, + "Content": " value: \"127.0.0.1:5432/orchestrator?sslmode=disable\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: \u001b[38;5;37m\"127.0.0.1:5432/orchestrator?sslmode=disable\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 218, + "Content": " - name: DATA_SOURCE_PASS", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: DATA_SOURCE_PASS", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 219, + "Content": " valueFrom:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalueFrom\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 220, + "Content": " secretKeyRef:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33msecretKeyRef\u001b[0m:", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 221, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": 
false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV016", + "AVDID": "AVD-KSV-0016", + "Title": "Memory requests not specified", + "Description": "When containers have memory requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", + "Message": "Container 'postgresql-postgresql' of StatefulSet 'postgresql-postgresql' should set 'resources.requests.memory'", + "Namespace": "builtin.kubernetes.KSV016", + "Query": "data.builtin.kubernetes.KSV016.deny", + "Resolution": "Set 'containers[].resources.requests.memory'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv016", + "References": [ + "https://kubesec.io/basics/containers-resources-limits-memory/", + "https://avd.aquasec.com/misconfig/ksv016" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 149, + "EndLine": 210, + "Code": { + "Lines": [ + { + "Number": 149, + "Content": " - name: postgresql-postgresql", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-postgresql", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 150, + "Content": " image: quay.io/devtron/postgres:11.9.0-debian-10-r26", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/postgres:11.9.0-debian-10-r26", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 151, + "Content": " imagePullPolicy: \"IfNotPresent\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: \u001b[38;5;37m\"IfNotPresent\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 152, + "Content": " securityContext:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m 
\u001b[38;5;33msecurityContext\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 153, + "Content": " runAsUser: 1001", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1001", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 154, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 155, + "Content": " - name: BITNAMI_DEBUG", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: BITNAMI_DEBUG", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 156, + "Content": " value: \"false\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: \u001b[38;5;37m\"false\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 157, + "Content": " - name: POSTGRESQL_PORT_NUMBER", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: POSTGRESQL_PORT_NUMBER", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 158, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV018", + "AVDID": "AVD-KSV-0018", + "Title": "Memory not limited", + "Description": "Enforcing memory limits prevents DoS via resource exhaustion.", + "Message": "Container 'init-chmod-data' of StatefulSet 'postgresql-postgresql' should set 'resources.limits.memory'", + "Namespace": "builtin.kubernetes.KSV018", + "Query": "data.builtin.kubernetes.KSV018.deny", + "Resolution": "Set a limit value under 'containers[].resources.limits.memory'.", + "Severity": "LOW", + "PrimaryURL": 
"https://avd.aquasec.com/misconfig/ksv018", + "References": [ + "https://kubesec.io/basics/containers-resources-limits-memory/", + "https://avd.aquasec.com/misconfig/ksv018" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 122, + "EndLine": 143, + "Code": { + "Lines": [ + { + "Number": 122, + "Content": " - name: init-chmod-data", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: init-chmod-data", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 123, + "Content": " image: \"quay.io/devtron/minideb:latest\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/minideb:latest\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 124, + "Content": " imagePullPolicy: \"IfNotPresent\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: \u001b[38;5;37m\"IfNotPresent\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 125, + "Content": " command:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mcommand\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 126, + "Content": " - /bin/sh", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - /bin/sh", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 127, + "Content": " - -cx", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - -cx", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 128, + "Content": " - |", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - |", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 129, + "Content": " ", + "IsCause": true, + 
"Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[38;5;37m ", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 130, + "Content": " mkdir -p /bitnami/postgresql/data", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " mkdir -p /bitnami/postgresql/data", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 131, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV018", + "AVDID": "AVD-KSV-0018", + "Title": "Memory not limited", + "Description": "Enforcing memory limits prevents DoS via resource exhaustion.", + "Message": "Container 'metrics' of StatefulSet 'postgresql-postgresql' should set 'resources.limits.memory'", + "Namespace": "builtin.kubernetes.KSV018", + "Query": "data.builtin.kubernetes.KSV018.deny", + "Resolution": "Set a limit value under 'containers[].resources.limits.memory'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv018", + "References": [ + "https://kubesec.io/basics/containers-resources-limits-memory/", + "https://avd.aquasec.com/misconfig/ksv018" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 212, + "EndLine": 246, + "Code": { + "Lines": [ + { + "Number": 212, + "Content": " - name: metrics", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: metrics", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 213, + "Content": " image: quay.io/devtron/postgres_exporter:v0.4.7", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/postgres_exporter:v0.4.7", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 214, + "Content": " imagePullPolicy: \"IfNotPresent\"", + 
"IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: \u001b[38;5;37m\"IfNotPresent\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 215, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 216, + "Content": " - name: DATA_SOURCE_URI", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: DATA_SOURCE_URI", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 217, + "Content": " value: \"127.0.0.1:5432/orchestrator?sslmode=disable\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: \u001b[38;5;37m\"127.0.0.1:5432/orchestrator?sslmode=disable\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 218, + "Content": " - name: DATA_SOURCE_PASS", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: DATA_SOURCE_PASS", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 219, + "Content": " valueFrom:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalueFrom\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 220, + "Content": " secretKeyRef:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33msecretKeyRef\u001b[0m:", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 221, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV018", + "AVDID": "AVD-KSV-0018", + "Title": "Memory not limited", + "Description": "Enforcing memory limits prevents DoS 
via resource exhaustion.", + "Message": "Container 'postgresql-postgresql' of StatefulSet 'postgresql-postgresql' should set 'resources.limits.memory'", + "Namespace": "builtin.kubernetes.KSV018", + "Query": "data.builtin.kubernetes.KSV018.deny", + "Resolution": "Set a limit value under 'containers[].resources.limits.memory'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv018", + "References": [ + "https://kubesec.io/basics/containers-resources-limits-memory/", + "https://avd.aquasec.com/misconfig/ksv018" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 149, + "EndLine": 210, + "Code": { + "Lines": [ + { + "Number": 149, + "Content": " - name: postgresql-postgresql", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-postgresql", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 150, + "Content": " image: quay.io/devtron/postgres:11.9.0-debian-10-r26", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/postgres:11.9.0-debian-10-r26", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 151, + "Content": " imagePullPolicy: \"IfNotPresent\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: \u001b[38;5;37m\"IfNotPresent\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 152, + "Content": " securityContext:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33msecurityContext\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 153, + "Content": " runAsUser: 1001", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1001", + "FirstCause": false, + 
"LastCause": false + }, + { + "Number": 154, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 155, + "Content": " - name: BITNAMI_DEBUG", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: BITNAMI_DEBUG", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 156, + "Content": " value: \"false\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: \u001b[38;5;37m\"false\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 157, + "Content": " - name: POSTGRESQL_PORT_NUMBER", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: POSTGRESQL_PORT_NUMBER", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 158, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV020", + "AVDID": "AVD-KSV-0020", + "Title": "Runs with UID \u003c= 10000", + "Description": "Force the container to run with user ID \u003e 10000 to avoid conflicts with the host’s user table.", + "Message": "Container 'init-chmod-data' of StatefulSet 'postgresql-postgresql' should set 'securityContext.runAsUser' \u003e 10000", + "Namespace": "builtin.kubernetes.KSV020", + "Query": "data.builtin.kubernetes.KSV020.deny", + "Resolution": "Set 'containers[].securityContext.runAsUser' to an integer \u003e 10000.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv020", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-runasuser/", + "https://avd.aquasec.com/misconfig/ksv020" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + 
"Provider": "Kubernetes", + "Service": "general", + "StartLine": 122, + "EndLine": 143, + "Code": { + "Lines": [ + { + "Number": 122, + "Content": " - name: init-chmod-data", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: init-chmod-data", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 123, + "Content": " image: \"quay.io/devtron/minideb:latest\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/minideb:latest\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 124, + "Content": " imagePullPolicy: \"IfNotPresent\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: \u001b[38;5;37m\"IfNotPresent\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 125, + "Content": " command:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mcommand\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 126, + "Content": " - /bin/sh", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - /bin/sh", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 127, + "Content": " - -cx", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - -cx", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 128, + "Content": " - |", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - |", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 129, + "Content": " ", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[38;5;37m ", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 130, + "Content": " mkdir -p /bitnami/postgresql/data", + "IsCause": true, + "Annotation": "", + 
"Truncated": false, + "Highlighted": " mkdir -p /bitnami/postgresql/data", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 131, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV020", + "AVDID": "AVD-KSV-0020", + "Title": "Runs with UID \u003c= 10000", + "Description": "Force the container to run with user ID \u003e 10000 to avoid conflicts with the host’s user table.", + "Message": "Container 'metrics' of StatefulSet 'postgresql-postgresql' should set 'securityContext.runAsUser' \u003e 10000", + "Namespace": "builtin.kubernetes.KSV020", + "Query": "data.builtin.kubernetes.KSV020.deny", + "Resolution": "Set 'containers[].securityContext.runAsUser' to an integer \u003e 10000.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv020", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-runasuser/", + "https://avd.aquasec.com/misconfig/ksv020" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 212, + "EndLine": 246, + "Code": { + "Lines": [ + { + "Number": 212, + "Content": " - name: metrics", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: metrics", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 213, + "Content": " image: quay.io/devtron/postgres_exporter:v0.4.7", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/postgres_exporter:v0.4.7", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 214, + "Content": " imagePullPolicy: \"IfNotPresent\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: \u001b[38;5;37m\"IfNotPresent\"", + "FirstCause": 
false, + "LastCause": false + }, + { + "Number": 215, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 216, + "Content": " - name: DATA_SOURCE_URI", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: DATA_SOURCE_URI", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 217, + "Content": " value: \"127.0.0.1:5432/orchestrator?sslmode=disable\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: \u001b[38;5;37m\"127.0.0.1:5432/orchestrator?sslmode=disable\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 218, + "Content": " - name: DATA_SOURCE_PASS", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: DATA_SOURCE_PASS", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 219, + "Content": " valueFrom:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalueFrom\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 220, + "Content": " secretKeyRef:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33msecretKeyRef\u001b[0m:", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 221, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV020", + "AVDID": "AVD-KSV-0020", + "Title": "Runs with UID \u003c= 10000", + "Description": "Force the container to run with user ID \u003e 10000 to avoid conflicts with the host’s user table.", + "Message": "Container 'postgresql-postgresql' of StatefulSet 'postgresql-postgresql' should 
set 'securityContext.runAsUser' \u003e 10000", + "Namespace": "builtin.kubernetes.KSV020", + "Query": "data.builtin.kubernetes.KSV020.deny", + "Resolution": "Set 'containers[].securityContext.runAsUser' to an integer \u003e 10000.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv020", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-runasuser/", + "https://avd.aquasec.com/misconfig/ksv020" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 149, + "EndLine": 210, + "Code": { + "Lines": [ + { + "Number": 149, + "Content": " - name: postgresql-postgresql", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-postgresql", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 150, + "Content": " image: quay.io/devtron/postgres:11.9.0-debian-10-r26", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/postgres:11.9.0-debian-10-r26", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 151, + "Content": " imagePullPolicy: \"IfNotPresent\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: \u001b[38;5;37m\"IfNotPresent\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 152, + "Content": " securityContext:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33msecurityContext\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 153, + "Content": " runAsUser: 1001", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1001", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 154, + "Content": " env:", + "IsCause": true, + 
"Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 155, + "Content": " - name: BITNAMI_DEBUG", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: BITNAMI_DEBUG", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 156, + "Content": " value: \"false\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: \u001b[38;5;37m\"false\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 157, + "Content": " - name: POSTGRESQL_PORT_NUMBER", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: POSTGRESQL_PORT_NUMBER", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 158, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV021", + "AVDID": "AVD-KSV-0021", + "Title": "Runs with GID \u003c= 10000", + "Description": "Force the container to run with group ID \u003e 10000 to avoid conflicts with the host’s user table.", + "Message": "Container 'init-chmod-data' of StatefulSet 'postgresql-postgresql' should set 'securityContext.runAsGroup' \u003e 10000", + "Namespace": "builtin.kubernetes.KSV021", + "Query": "data.builtin.kubernetes.KSV021.deny", + "Resolution": "Set 'containers[].securityContext.runAsGroup' to an integer \u003e 10000.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv021", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-runasuser/", + "https://avd.aquasec.com/misconfig/ksv021" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 122, + "EndLine": 143, + 
"Code": { + "Lines": [ + { + "Number": 122, + "Content": " - name: init-chmod-data", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: init-chmod-data", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 123, + "Content": " image: \"quay.io/devtron/minideb:latest\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/minideb:latest\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 124, + "Content": " imagePullPolicy: \"IfNotPresent\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: \u001b[38;5;37m\"IfNotPresent\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 125, + "Content": " command:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mcommand\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 126, + "Content": " - /bin/sh", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - /bin/sh", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 127, + "Content": " - -cx", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - -cx", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 128, + "Content": " - |", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - |", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 129, + "Content": " ", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[38;5;37m ", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 130, + "Content": " mkdir -p /bitnami/postgresql/data", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " mkdir -p /bitnami/postgresql/data", + "FirstCause": 
false, + "LastCause": true + }, + { + "Number": 131, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV021", + "AVDID": "AVD-KSV-0021", + "Title": "Runs with GID \u003c= 10000", + "Description": "Force the container to run with group ID \u003e 10000 to avoid conflicts with the host’s user table.", + "Message": "Container 'metrics' of StatefulSet 'postgresql-postgresql' should set 'securityContext.runAsGroup' \u003e 10000", + "Namespace": "builtin.kubernetes.KSV021", + "Query": "data.builtin.kubernetes.KSV021.deny", + "Resolution": "Set 'containers[].securityContext.runAsGroup' to an integer \u003e 10000.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv021", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-runasuser/", + "https://avd.aquasec.com/misconfig/ksv021" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 212, + "EndLine": 246, + "Code": { + "Lines": [ + { + "Number": 212, + "Content": " - name: metrics", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: metrics", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 213, + "Content": " image: quay.io/devtron/postgres_exporter:v0.4.7", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/postgres_exporter:v0.4.7", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 214, + "Content": " imagePullPolicy: \"IfNotPresent\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: \u001b[38;5;37m\"IfNotPresent\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 215, + "Content": " env:", + "IsCause": 
true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 216, + "Content": " - name: DATA_SOURCE_URI", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: DATA_SOURCE_URI", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 217, + "Content": " value: \"127.0.0.1:5432/orchestrator?sslmode=disable\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: \u001b[38;5;37m\"127.0.0.1:5432/orchestrator?sslmode=disable\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 218, + "Content": " - name: DATA_SOURCE_PASS", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: DATA_SOURCE_PASS", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 219, + "Content": " valueFrom:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalueFrom\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 220, + "Content": " secretKeyRef:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33msecretKeyRef\u001b[0m:", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 221, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV021", + "AVDID": "AVD-KSV-0021", + "Title": "Runs with GID \u003c= 10000", + "Description": "Force the container to run with group ID \u003e 10000 to avoid conflicts with the host’s user table.", + "Message": "Container 'postgresql-postgresql' of StatefulSet 'postgresql-postgresql' should set 'securityContext.runAsGroup' \u003e 10000", + "Namespace": 
"builtin.kubernetes.KSV021", + "Query": "data.builtin.kubernetes.KSV021.deny", + "Resolution": "Set 'containers[].securityContext.runAsGroup' to an integer \u003e 10000.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv021", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-runasuser/", + "https://avd.aquasec.com/misconfig/ksv021" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 149, + "EndLine": 210, + "Code": { + "Lines": [ + { + "Number": 149, + "Content": " - name: postgresql-postgresql", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-postgresql", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 150, + "Content": " image: quay.io/devtron/postgres:11.9.0-debian-10-r26", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/postgres:11.9.0-debian-10-r26", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 151, + "Content": " imagePullPolicy: \"IfNotPresent\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: \u001b[38;5;37m\"IfNotPresent\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 152, + "Content": " securityContext:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33msecurityContext\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 153, + "Content": " runAsUser: 1001", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1001", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 154, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m 
\u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 155, + "Content": " - name: BITNAMI_DEBUG", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: BITNAMI_DEBUG", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 156, + "Content": " value: \"false\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: \u001b[38;5;37m\"false\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 157, + "Content": " - name: POSTGRESQL_PORT_NUMBER", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: POSTGRESQL_PORT_NUMBER", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 158, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV030", + "AVDID": "AVD-KSV-0030", + "Title": "Runtime/Default Seccomp profile not set", + "Description": "According to pod security standard 'Seccomp', the RuntimeDefault seccomp profile must be required, or allow specific additional profiles.", + "Message": "Either Pod or Container should set 'securityContext.seccompProfile.type' to 'RuntimeDefault'", + "Namespace": "builtin.kubernetes.KSV030", + "Query": "data.builtin.kubernetes.KSV030.deny", + "Resolution": "Set 'spec.securityContext.seccompProfile.type', 'spec.containers[*].securityContext.seccompProfile' and 'spec.initContainers[*].securityContext.seccompProfile' to 'RuntimeDefault' or undefined.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv030", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", + "https://avd.aquasec.com/misconfig/ksv030" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + 
"Provider": "Kubernetes", + "Service": "general", + "StartLine": 212, + "EndLine": 246, + "Code": { + "Lines": [ + { + "Number": 212, + "Content": " - name: metrics", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: metrics", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 213, + "Content": " image: quay.io/devtron/postgres_exporter:v0.4.7", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/postgres_exporter:v0.4.7", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 214, + "Content": " imagePullPolicy: \"IfNotPresent\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: \u001b[38;5;37m\"IfNotPresent\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 215, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 216, + "Content": " - name: DATA_SOURCE_URI", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: DATA_SOURCE_URI", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 217, + "Content": " value: \"127.0.0.1:5432/orchestrator?sslmode=disable\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: \u001b[38;5;37m\"127.0.0.1:5432/orchestrator?sslmode=disable\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 218, + "Content": " - name: DATA_SOURCE_PASS", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: DATA_SOURCE_PASS", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 219, + "Content": " valueFrom:", + "IsCause": true, + 
"Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalueFrom\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 220, + "Content": " secretKeyRef:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33msecretKeyRef\u001b[0m:", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 221, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV030", + "AVDID": "AVD-KSV-0030", + "Title": "Runtime/Default Seccomp profile not set", + "Description": "According to pod security standard 'Seccomp', the RuntimeDefault seccomp profile must be required, or allow specific additional profiles.", + "Message": "Either Pod or Container should set 'securityContext.seccompProfile.type' to 'RuntimeDefault'", + "Namespace": "builtin.kubernetes.KSV030", + "Query": "data.builtin.kubernetes.KSV030.deny", + "Resolution": "Set 'spec.securityContext.seccompProfile.type', 'spec.containers[*].securityContext.seccompProfile' and 'spec.initContainers[*].securityContext.seccompProfile' to 'RuntimeDefault' or undefined.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv030", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", + "https://avd.aquasec.com/misconfig/ksv030" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 149, + "EndLine": 210, + "Code": { + "Lines": [ + { + "Number": 149, + "Content": " - name: postgresql-postgresql", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-postgresql", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 150, + "Content": " image: quay.io/devtron/postgres:11.9.0-debian-10-r26", + 
"IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/postgres:11.9.0-debian-10-r26", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 151, + "Content": " imagePullPolicy: \"IfNotPresent\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: \u001b[38;5;37m\"IfNotPresent\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 152, + "Content": " securityContext:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33msecurityContext\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 153, + "Content": " runAsUser: 1001", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1001", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 154, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 155, + "Content": " - name: BITNAMI_DEBUG", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: BITNAMI_DEBUG", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 156, + "Content": " value: \"false\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: \u001b[38;5;37m\"false\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 157, + "Content": " - name: POSTGRESQL_PORT_NUMBER", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: POSTGRESQL_PORT_NUMBER", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 158, + "Content": "", + "IsCause": false, + "Annotation": "", + 
"Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV030", + "AVDID": "AVD-KSV-0030", + "Title": "Runtime/Default Seccomp profile not set", + "Description": "According to pod security standard 'Seccomp', the RuntimeDefault seccomp profile must be required, or allow specific additional profiles.", + "Message": "Either Pod or Container should set 'securityContext.seccompProfile.type' to 'RuntimeDefault'", + "Namespace": "builtin.kubernetes.KSV030", + "Query": "data.builtin.kubernetes.KSV030.deny", + "Resolution": "Set 'spec.securityContext.seccompProfile.type', 'spec.containers[*].securityContext.seccompProfile' and 'spec.initContainers[*].securityContext.seccompProfile' to 'RuntimeDefault' or undefined.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv030", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", + "https://avd.aquasec.com/misconfig/ksv030" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 122, + "EndLine": 143, + "Code": { + "Lines": [ + { + "Number": 122, + "Content": " - name: init-chmod-data", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: init-chmod-data", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 123, + "Content": " image: \"quay.io/devtron/minideb:latest\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/minideb:latest\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 124, + "Content": " imagePullPolicy: \"IfNotPresent\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: \u001b[38;5;37m\"IfNotPresent\"", + "FirstCause": false, + 
"LastCause": false + }, + { + "Number": 125, + "Content": " command:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mcommand\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 126, + "Content": " - /bin/sh", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - /bin/sh", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 127, + "Content": " - -cx", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - -cx", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 128, + "Content": " - |", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - |", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 129, + "Content": " ", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[38;5;37m ", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 130, + "Content": " mkdir -p /bitnami/postgresql/data", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " mkdir -p /bitnami/postgresql/data", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 131, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV104", + "AVDID": "AVD-KSV-0104", + "Title": "Seccomp policies disabled", + "Description": "A program inside the container can bypass Seccomp protection policies.", + "Message": "container \"init-chmod-data\" of statefulset \"postgresql-postgresql\" in \"default\" namespace should specify a seccomp profile", + "Namespace": "builtin.kubernetes.KSV104", + "Query": "data.builtin.kubernetes.KSV104.deny", + "Resolution": "Specify seccomp either by annotation or by seccomp profile type having allowed values as per pod security standards", + "Severity": "MEDIUM", + 
"PrimaryURL": "https://avd.aquasec.com/misconfig/ksv104", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline", + "https://avd.aquasec.com/misconfig/ksv104" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 90, + "EndLine": 90, + "Code": { + "Lines": [ + { + "Number": 90, + "Content": "---", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "---", + "FirstCause": true, + "LastCause": true + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV104", + "AVDID": "AVD-KSV-0104", + "Title": "Seccomp policies disabled", + "Description": "A program inside the container can bypass Seccomp protection policies.", + "Message": "container \"metrics\" of statefulset \"postgresql-postgresql\" in \"default\" namespace should specify a seccomp profile", + "Namespace": "builtin.kubernetes.KSV104", + "Query": "data.builtin.kubernetes.KSV104.deny", + "Resolution": "Specify seccomp either by annotation or by seccomp profile type having allowed values as per pod security standards", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv104", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline", + "https://avd.aquasec.com/misconfig/ksv104" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 90, + "EndLine": 90, + "Code": { + "Lines": [ + { + "Number": 90, + "Content": "---", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "---", + "FirstCause": true, + "LastCause": true + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV104", + "AVDID": "AVD-KSV-0104", + "Title": "Seccomp policies disabled", + "Description": "A program inside the container can bypass Seccomp protection policies.", + "Message": "container 
\"postgresql-postgresql\" of statefulset \"postgresql-postgresql\" in \"default\" namespace should specify a seccomp profile", + "Namespace": "builtin.kubernetes.KSV104", + "Query": "data.builtin.kubernetes.KSV104.deny", + "Resolution": "Specify seccomp either by annotation or by seccomp profile type having allowed values as per pod security standards", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv104", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline", + "https://avd.aquasec.com/misconfig/ksv104" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 90, + "EndLine": 90, + "Code": { + "Lines": [ + { + "Number": 90, + "Content": "---", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "---", + "FirstCause": true, + "LastCause": true + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV105", + "AVDID": "AVD-KSV-0105", + "Title": "Containers must not set runAsUser to 0", + "Description": "Containers should be forbidden from running with a root UID.", + "Message": "securityContext.runAsUser should be set to a value greater than 0", + "Namespace": "builtin.kubernetes.KSV105", + "Query": "data.builtin.kubernetes.KSV105.deny", + "Resolution": "Set 'securityContext.runAsUser' to a non-zero integer or leave undefined.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv105", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", + "https://avd.aquasec.com/misconfig/ksv105" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 136, + "EndLine": 136, + "Code": { + "Lines": [ + { + "Number": 136, + "Content": " runAsUser: 0", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " 
\u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m0", + "FirstCause": true, + "LastCause": true + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV106", + "AVDID": "AVD-KSV-0106", + "Title": "Container capabilities must only include NET_BIND_SERVICE", + "Description": "Containers must drop ALL capabilities, and are only permitted to add back the NET_BIND_SERVICE capability.", + "Message": "container should drop all", + "Namespace": "builtin.kubernetes.KSV106", + "Query": "data.builtin.kubernetes.KSV106.deny", + "Resolution": "Set 'spec.containers[*].securityContext.capabilities.drop' to 'ALL' and only add 'NET_BIND_SERVICE' to 'spec.containers[*].securityContext.capabilities.add'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv106", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", + "https://avd.aquasec.com/misconfig/ksv106" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 212, + "EndLine": 246, + "Code": { + "Lines": [ + { + "Number": 212, + "Content": " - name: metrics", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: metrics", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 213, + "Content": " image: quay.io/devtron/postgres_exporter:v0.4.7", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/postgres_exporter:v0.4.7", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 214, + "Content": " imagePullPolicy: \"IfNotPresent\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: \u001b[38;5;37m\"IfNotPresent\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 215, + "Content": " env:", + "IsCause": true, + "Annotation": "", + 
"Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 216, + "Content": " - name: DATA_SOURCE_URI", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: DATA_SOURCE_URI", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 217, + "Content": " value: \"127.0.0.1:5432/orchestrator?sslmode=disable\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: \u001b[38;5;37m\"127.0.0.1:5432/orchestrator?sslmode=disable\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 218, + "Content": " - name: DATA_SOURCE_PASS", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: DATA_SOURCE_PASS", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 219, + "Content": " valueFrom:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalueFrom\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 220, + "Content": " secretKeyRef:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33msecretKeyRef\u001b[0m:", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 221, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV106", + "AVDID": "AVD-KSV-0106", + "Title": "Container capabilities must only include NET_BIND_SERVICE", + "Description": "Containers must drop ALL capabilities, and are only permitted to add back the NET_BIND_SERVICE capability.", + "Message": "container should drop all", + "Namespace": "builtin.kubernetes.KSV106", + "Query": "data.builtin.kubernetes.KSV106.deny", + "Resolution": "Set 
'spec.containers[*].securityContext.capabilities.drop' to 'ALL' and only add 'NET_BIND_SERVICE' to 'spec.containers[*].securityContext.capabilities.add'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv106", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", + "https://avd.aquasec.com/misconfig/ksv106" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 149, + "EndLine": 210, + "Code": { + "Lines": [ + { + "Number": 149, + "Content": " - name: postgresql-postgresql", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-postgresql", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 150, + "Content": " image: quay.io/devtron/postgres:11.9.0-debian-10-r26", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/postgres:11.9.0-debian-10-r26", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 151, + "Content": " imagePullPolicy: \"IfNotPresent\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: \u001b[38;5;37m\"IfNotPresent\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 152, + "Content": " securityContext:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33msecurityContext\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 153, + "Content": " runAsUser: 1001", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1001", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 154, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m 
\u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 155, + "Content": " - name: BITNAMI_DEBUG", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: BITNAMI_DEBUG", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 156, + "Content": " value: \"false\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: \u001b[38;5;37m\"false\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 157, + "Content": " - name: POSTGRESQL_PORT_NUMBER", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: POSTGRESQL_PORT_NUMBER", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 158, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV106", + "AVDID": "AVD-KSV-0106", + "Title": "Container capabilities must only include NET_BIND_SERVICE", + "Description": "Containers must drop ALL capabilities, and are only permitted to add back the NET_BIND_SERVICE capability.", + "Message": "container should drop all", + "Namespace": "builtin.kubernetes.KSV106", + "Query": "data.builtin.kubernetes.KSV106.deny", + "Resolution": "Set 'spec.containers[*].securityContext.capabilities.drop' to 'ALL' and only add 'NET_BIND_SERVICE' to 'spec.containers[*].securityContext.capabilities.add'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv106", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", + "https://avd.aquasec.com/misconfig/ksv106" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 122, + "EndLine": 143, + "Code": { + "Lines": [ + { + 
"Number": 122, + "Content": " - name: init-chmod-data", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: init-chmod-data", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 123, + "Content": " image: \"quay.io/devtron/minideb:latest\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/minideb:latest\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 124, + "Content": " imagePullPolicy: \"IfNotPresent\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: \u001b[38;5;37m\"IfNotPresent\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 125, + "Content": " command:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mcommand\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 126, + "Content": " - /bin/sh", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - /bin/sh", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 127, + "Content": " - -cx", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - -cx", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 128, + "Content": " - |", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - |", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 129, + "Content": " ", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[38;5;37m ", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 130, + "Content": " mkdir -p /bitnami/postgresql/data", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " mkdir -p /bitnami/postgresql/data", + "FirstCause": false, + "LastCause": true + }, 
+ { + "Number": 131, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + } + ] + }, + { + "Target": "manifests/yamls/rollout.yaml", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 153, + "Failures": 19, + "Exceptions": 0 + }, + "Misconfigurations": [ + { + "Type": "Kubernetes Security Check", + "ID": "KSV001", + "AVDID": "AVD-KSV-0001", + "Title": "Can elevate its own privileges", + "Description": "A program inside the container can elevate its own privileges and run as root, which might give the program control over the container and node.", + "Message": "Container 'argo-rollouts' of Deployment 'argo-rollouts' should set 'securityContext.allowPrivilegeEscalation' to false", + "Namespace": "builtin.kubernetes.KSV001", + "Query": "data.builtin.kubernetes.KSV001.deny", + "Resolution": "Set 'set containers[].securityContext.allowPrivilegeEscalation' to 'false'.", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv001", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", + "https://avd.aquasec.com/misconfig/ksv001" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 321, + "EndLine": 328, + "Code": { + "Lines": [ + { + "Number": 321, + "Content": " - command:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mcommand\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 322, + "Content": " - /bin/rollouts-controller", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - /bin/rollouts-controller", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 323, + "Content": " image: quay.io/devtron/rollout:v0.6.2", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " 
\u001b[38;5;33mimage\u001b[0m: quay.io/devtron/rollout:v0.6.2", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 324, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 325, + "Content": " name: argo-rollouts", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mname\u001b[0m: argo-rollouts", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 326, + "Content": " volumeMounts:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvolumeMounts\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 327, + "Content": " - mountPath: /tmp", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mmountPath\u001b[0m: /tmp", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 328, + "Content": " name: tmp", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mname\u001b[0m: tmp", + "FirstCause": false, + "LastCause": true + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV003", + "AVDID": "AVD-KSV-0003", + "Title": "Default capabilities: some containers do not drop all", + "Description": "The container should drop all default capabilities and add only those that are needed for its execution.", + "Message": "Container 'argo-rollouts' of Deployment 'argo-rollouts' should add 'ALL' to 'securityContext.capabilities.drop'", + "Namespace": "builtin.kubernetes.KSV003", + "Query": "data.builtin.kubernetes.KSV003.deny", + "Resolution": "Add 'ALL' to containers[].securityContext.capabilities.drop.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv003", + "References": [ + 
"https://kubesec.io/basics/containers-securitycontext-capabilities-drop-index-all/", + "https://avd.aquasec.com/misconfig/ksv003" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 321, + "EndLine": 328, + "Code": { + "Lines": [ + { + "Number": 321, + "Content": " - command:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mcommand\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 322, + "Content": " - /bin/rollouts-controller", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - /bin/rollouts-controller", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 323, + "Content": " image: quay.io/devtron/rollout:v0.6.2", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/rollout:v0.6.2", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 324, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 325, + "Content": " name: argo-rollouts", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mname\u001b[0m: argo-rollouts", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 326, + "Content": " volumeMounts:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvolumeMounts\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 327, + "Content": " - mountPath: /tmp", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mmountPath\u001b[0m: /tmp", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 328, + "Content": " name: tmp", + 
"IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mname\u001b[0m: tmp", + "FirstCause": false, + "LastCause": true + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV011", + "AVDID": "AVD-KSV-0011", + "Title": "CPU not limited", + "Description": "Enforcing CPU limits prevents DoS via resource exhaustion.", + "Message": "Container 'argo-rollouts' of Deployment 'argo-rollouts' should set 'resources.limits.cpu'", + "Namespace": "builtin.kubernetes.KSV011", + "Query": "data.builtin.kubernetes.KSV011.deny", + "Resolution": "Set a limit value under 'containers[].resources.limits.cpu'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv011", + "References": [ + "https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", + "https://avd.aquasec.com/misconfig/ksv011" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 321, + "EndLine": 328, + "Code": { + "Lines": [ + { + "Number": 321, + "Content": " - command:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mcommand\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 322, + "Content": " - /bin/rollouts-controller", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - /bin/rollouts-controller", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 323, + "Content": " image: quay.io/devtron/rollout:v0.6.2", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/rollout:v0.6.2", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 324, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: 
IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 325, + "Content": " name: argo-rollouts", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mname\u001b[0m: argo-rollouts", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 326, + "Content": " volumeMounts:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvolumeMounts\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 327, + "Content": " - mountPath: /tmp", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mmountPath\u001b[0m: /tmp", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 328, + "Content": " name: tmp", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mname\u001b[0m: tmp", + "FirstCause": false, + "LastCause": true + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV012", + "AVDID": "AVD-KSV-0012", + "Title": "Runs as root user", + "Description": "Force the running image to run as a non-root user to ensure least privileges.", + "Message": "Container 'argo-rollouts' of Deployment 'argo-rollouts' should set 'securityContext.runAsNonRoot' to true", + "Namespace": "builtin.kubernetes.KSV012", + "Query": "data.builtin.kubernetes.KSV012.deny", + "Resolution": "Set 'containers[].securityContext.runAsNonRoot' to true.", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv012", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", + "https://avd.aquasec.com/misconfig/ksv012" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 321, + "EndLine": 328, + "Code": { + "Lines": [ + { + "Number": 321, + "Content": " - command:", + "IsCause": true, + "Annotation": "", + "Truncated": 
false, + "Highlighted": " - \u001b[38;5;33mcommand\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 322, + "Content": " - /bin/rollouts-controller", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - /bin/rollouts-controller", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 323, + "Content": " image: quay.io/devtron/rollout:v0.6.2", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/rollout:v0.6.2", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 324, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 325, + "Content": " name: argo-rollouts", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mname\u001b[0m: argo-rollouts", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 326, + "Content": " volumeMounts:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvolumeMounts\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 327, + "Content": " - mountPath: /tmp", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mmountPath\u001b[0m: /tmp", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 328, + "Content": " name: tmp", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mname\u001b[0m: tmp", + "FirstCause": false, + "LastCause": true + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV014", + "AVDID": "AVD-KSV-0014", + "Title": "Root file system is not read-only", + "Description": "An immutable root file system prevents applications from writing to their 
local disk. This can limit intrusions, as attackers will not be able to tamper with the file system or write foreign executables to disk.", + "Message": "Container 'argo-rollouts' of Deployment 'argo-rollouts' should set 'securityContext.readOnlyRootFilesystem' to true", + "Namespace": "builtin.kubernetes.KSV014", + "Query": "data.builtin.kubernetes.KSV014.deny", + "Resolution": "Change 'containers[].securityContext.readOnlyRootFilesystem' to 'true'.", + "Severity": "HIGH", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv014", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-readonlyrootfilesystem-true/", + "https://avd.aquasec.com/misconfig/ksv014" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 321, + "EndLine": 328, + "Code": { + "Lines": [ + { + "Number": 321, + "Content": " - command:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mcommand\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 322, + "Content": " - /bin/rollouts-controller", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - /bin/rollouts-controller", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 323, + "Content": " image: quay.io/devtron/rollout:v0.6.2", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/rollout:v0.6.2", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 324, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 325, + "Content": " name: argo-rollouts", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mname\u001b[0m: 
argo-rollouts", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 326, + "Content": " volumeMounts:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvolumeMounts\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 327, + "Content": " - mountPath: /tmp", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mmountPath\u001b[0m: /tmp", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 328, + "Content": " name: tmp", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mname\u001b[0m: tmp", + "FirstCause": false, + "LastCause": true + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV015", + "AVDID": "AVD-KSV-0015", + "Title": "CPU requests not specified", + "Description": "When containers have resource requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", + "Message": "Container 'argo-rollouts' of Deployment 'argo-rollouts' should set 'resources.requests.cpu'", + "Namespace": "builtin.kubernetes.KSV015", + "Query": "data.builtin.kubernetes.KSV015.deny", + "Resolution": "Set 'containers[].resources.requests.cpu'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv015", + "References": [ + "https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", + "https://avd.aquasec.com/misconfig/ksv015" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 321, + "EndLine": 328, + "Code": { + "Lines": [ + { + "Number": 321, + "Content": " - command:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mcommand\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 322, 
+ "Content": " - /bin/rollouts-controller", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - /bin/rollouts-controller", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 323, + "Content": " image: quay.io/devtron/rollout:v0.6.2", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/rollout:v0.6.2", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 324, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 325, + "Content": " name: argo-rollouts", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mname\u001b[0m: argo-rollouts", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 326, + "Content": " volumeMounts:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvolumeMounts\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 327, + "Content": " - mountPath: /tmp", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mmountPath\u001b[0m: /tmp", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 328, + "Content": " name: tmp", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mname\u001b[0m: tmp", + "FirstCause": false, + "LastCause": true + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV016", + "AVDID": "AVD-KSV-0016", + "Title": "Memory requests not specified", + "Description": "When containers have memory requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", + "Message": "Container 'argo-rollouts' of 
Deployment 'argo-rollouts' should set 'resources.requests.memory'", + "Namespace": "builtin.kubernetes.KSV016", + "Query": "data.builtin.kubernetes.KSV016.deny", + "Resolution": "Set 'containers[].resources.requests.memory'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv016", + "References": [ + "https://kubesec.io/basics/containers-resources-limits-memory/", + "https://avd.aquasec.com/misconfig/ksv016" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 321, + "EndLine": 328, + "Code": { + "Lines": [ + { + "Number": 321, + "Content": " - command:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mcommand\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 322, + "Content": " - /bin/rollouts-controller", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - /bin/rollouts-controller", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 323, + "Content": " image: quay.io/devtron/rollout:v0.6.2", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/rollout:v0.6.2", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 324, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 325, + "Content": " name: argo-rollouts", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mname\u001b[0m: argo-rollouts", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 326, + "Content": " volumeMounts:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvolumeMounts\u001b[0m:", + "FirstCause": 
false, + "LastCause": false + }, + { + "Number": 327, + "Content": " - mountPath: /tmp", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mmountPath\u001b[0m: /tmp", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 328, + "Content": " name: tmp", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mname\u001b[0m: tmp", + "FirstCause": false, + "LastCause": true + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV018", + "AVDID": "AVD-KSV-0018", + "Title": "Memory not limited", + "Description": "Enforcing memory limits prevents DoS via resource exhaustion.", + "Message": "Container 'argo-rollouts' of Deployment 'argo-rollouts' should set 'resources.limits.memory'", + "Namespace": "builtin.kubernetes.KSV018", + "Query": "data.builtin.kubernetes.KSV018.deny", + "Resolution": "Set a limit value under 'containers[].resources.limits.memory'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv018", + "References": [ + "https://kubesec.io/basics/containers-resources-limits-memory/", + "https://avd.aquasec.com/misconfig/ksv018" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 321, + "EndLine": 328, + "Code": { + "Lines": [ + { + "Number": 321, + "Content": " - command:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mcommand\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 322, + "Content": " - /bin/rollouts-controller", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - /bin/rollouts-controller", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 323, + "Content": " image: quay.io/devtron/rollout:v0.6.2", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: 
quay.io/devtron/rollout:v0.6.2", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 324, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 325, + "Content": " name: argo-rollouts", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mname\u001b[0m: argo-rollouts", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 326, + "Content": " volumeMounts:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvolumeMounts\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 327, + "Content": " - mountPath: /tmp", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mmountPath\u001b[0m: /tmp", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 328, + "Content": " name: tmp", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mname\u001b[0m: tmp", + "FirstCause": false, + "LastCause": true + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV020", + "AVDID": "AVD-KSV-0020", + "Title": "Runs with UID \u003c= 10000", + "Description": "Force the container to run with user ID \u003e 10000 to avoid conflicts with the host’s user table.", + "Message": "Container 'argo-rollouts' of Deployment 'argo-rollouts' should set 'securityContext.runAsUser' \u003e 10000", + "Namespace": "builtin.kubernetes.KSV020", + "Query": "data.builtin.kubernetes.KSV020.deny", + "Resolution": "Set 'containers[].securityContext.runAsUser' to an integer \u003e 10000.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv020", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-runasuser/", + 
"https://avd.aquasec.com/misconfig/ksv020" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 321, + "EndLine": 328, + "Code": { + "Lines": [ + { + "Number": 321, + "Content": " - command:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mcommand\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 322, + "Content": " - /bin/rollouts-controller", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - /bin/rollouts-controller", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 323, + "Content": " image: quay.io/devtron/rollout:v0.6.2", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/rollout:v0.6.2", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 324, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 325, + "Content": " name: argo-rollouts", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mname\u001b[0m: argo-rollouts", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 326, + "Content": " volumeMounts:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvolumeMounts\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 327, + "Content": " - mountPath: /tmp", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mmountPath\u001b[0m: /tmp", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 328, + "Content": " name: tmp", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " 
\u001b[38;5;33mname\u001b[0m: tmp", + "FirstCause": false, + "LastCause": true + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV021", + "AVDID": "AVD-KSV-0021", + "Title": "Runs with GID \u003c= 10000", + "Description": "Force the container to run with group ID \u003e 10000 to avoid conflicts with the host’s user table.", + "Message": "Container 'argo-rollouts' of Deployment 'argo-rollouts' should set 'securityContext.runAsGroup' \u003e 10000", + "Namespace": "builtin.kubernetes.KSV021", + "Query": "data.builtin.kubernetes.KSV021.deny", + "Resolution": "Set 'containers[].securityContext.runAsGroup' to an integer \u003e 10000.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv021", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-runasuser/", + "https://avd.aquasec.com/misconfig/ksv021" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 321, + "EndLine": 328, + "Code": { + "Lines": [ + { + "Number": 321, + "Content": " - command:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mcommand\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 322, + "Content": " - /bin/rollouts-controller", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - /bin/rollouts-controller", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 323, + "Content": " image: quay.io/devtron/rollout:v0.6.2", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/rollout:v0.6.2", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 324, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": 
false + }, + { + "Number": 325, + "Content": " name: argo-rollouts", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mname\u001b[0m: argo-rollouts", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 326, + "Content": " volumeMounts:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvolumeMounts\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 327, + "Content": " - mountPath: /tmp", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mmountPath\u001b[0m: /tmp", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 328, + "Content": " name: tmp", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mname\u001b[0m: tmp", + "FirstCause": false, + "LastCause": true + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV030", + "AVDID": "AVD-KSV-0030", + "Title": "Runtime/Default Seccomp profile not set", + "Description": "According to pod security standard 'Seccomp', the RuntimeDefault seccomp profile must be required, or allow specific additional profiles.", + "Message": "Either Pod or Container should set 'securityContext.seccompProfile.type' to 'RuntimeDefault'", + "Namespace": "builtin.kubernetes.KSV030", + "Query": "data.builtin.kubernetes.KSV030.deny", + "Resolution": "Set 'spec.securityContext.seccompProfile.type', 'spec.containers[*].securityContext.seccompProfile' and 'spec.initContainers[*].securityContext.seccompProfile' to 'RuntimeDefault' or undefined.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv030", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", + "https://avd.aquasec.com/misconfig/ksv030" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 321, 
+ "EndLine": 328, + "Code": { + "Lines": [ + { + "Number": 321, + "Content": " - command:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mcommand\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 322, + "Content": " - /bin/rollouts-controller", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - /bin/rollouts-controller", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 323, + "Content": " image: quay.io/devtron/rollout:v0.6.2", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/rollout:v0.6.2", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 324, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 325, + "Content": " name: argo-rollouts", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mname\u001b[0m: argo-rollouts", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 326, + "Content": " volumeMounts:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvolumeMounts\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 327, + "Content": " - mountPath: /tmp", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mmountPath\u001b[0m: /tmp", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 328, + "Content": " name: tmp", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mname\u001b[0m: tmp", + "FirstCause": false, + "LastCause": true + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV048", + "AVDID": 
"AVD-KSV-0048", + "Title": "Manage Kubernetes workloads and pods", + "Description": "Depending on the policies enforced by the admission controller, this permission ranges from the ability to steal compute (crypto) by running workloads or allowing for creating workloads that escape to the node as root and escalation to cluster-admin.", + "Message": "ClusterRole 'argo-rollouts-clusterrole' should not have access to resources [\"pods\", \"deployments\", \"jobs\", \"cronjobs\", \"statefulsets\", \"daemonsets\", \"replicasets\", \"replicationcontrollers\"] for verbs [\"create\", \"update\", \"patch\", \"delete\", \"deletecollection\", \"impersonate\", \"*\"]", + "Namespace": "builtin.kubernetes.KSV048", + "Query": "data.builtin.kubernetes.KSV048.deny", + "Resolution": "Kubernetes workloads resources are only allowed for verbs 'list', 'watch', 'get'", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv048", + "References": [ + "https://kubernetes.io/docs/concepts/security/rbac-good-practices/", + "https://avd.aquasec.com/misconfig/ksv048" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 178, + "EndLine": 189, + "Code": { + "Lines": [ + { + "Number": 178, + "Content": " - apiGroups:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mapiGroups\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 179, + "Content": " - apps", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - apps", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 180, + "Content": " resources:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mresources\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 181, + "Content": " - replicasets", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": 
" - replicasets", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 182, + "Content": " verbs:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mverbs\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 183, + "Content": " - create", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - create", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 184, + "Content": " - get", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - get", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 185, + "Content": " - list", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - list", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 186, + "Content": " - watch", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - watch", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 187, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV048", + "AVDID": "AVD-KSV-0048", + "Title": "Manage Kubernetes workloads and pods", + "Description": "Depending on the policies enforced by the admission controller, this permission ranges from the ability to steal compute (crypto) by running workloads or allowing for creating workloads that escape to the node as root and escalation to cluster-admin.", + "Message": "ClusterRole 'argo-rollouts-clusterrole' should not have access to resources [\"pods\", \"deployments\", \"jobs\", \"cronjobs\", \"statefulsets\", \"daemonsets\", \"replicasets\", \"replicationcontrollers\"] for verbs [\"create\", \"update\", \"patch\", \"delete\", \"deletecollection\", \"impersonate\", \"*\"]", + "Namespace": "builtin.kubernetes.KSV048", + "Query": 
"data.builtin.kubernetes.KSV048.deny", + "Resolution": "Kubernetes workloads resources are only allowed for verbs 'list', 'watch', 'get'", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv048", + "References": [ + "https://kubernetes.io/docs/concepts/security/rbac-good-practices/", + "https://avd.aquasec.com/misconfig/ksv048" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 230, + "EndLine": 241, + "Code": { + "Lines": [ + { + "Number": 230, + "Content": " - apiGroups:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mapiGroups\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 231, + "Content": " - batch", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - batch", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 232, + "Content": " resources:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mresources\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 233, + "Content": " - jobs", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - jobs", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 234, + "Content": " verbs:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mverbs\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 235, + "Content": " - create", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - create", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 236, + "Content": " - get", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - get", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 237, + "Content": " - list", + "IsCause": true, + "Annotation": "", + 
"Truncated": false, + "Highlighted": " - list", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 238, + "Content": " - watch", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - watch", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 239, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV048", + "AVDID": "AVD-KSV-0048", + "Title": "Manage Kubernetes workloads and pods", + "Description": "Depending on the policies enforced by the admission controller, this permission ranges from the ability to steal compute (crypto) by running workloads or allowing for creating workloads that escape to the node as root and escalation to cluster-admin.", + "Message": "Role 'argo-rollouts-role' should not have access to resources [\"pods\", \"deployments\", \"jobs\", \"cronjobs\", \"statefulsets\", \"daemonsets\", \"replicasets\", \"replicationcontrollers\"] for verbs [\"create\", \"update\", \"patch\", \"delete\", \"deletecollection\", \"impersonate\", \"*\"]", + "Namespace": "builtin.kubernetes.KSV048", + "Query": "data.builtin.kubernetes.KSV048.deny", + "Resolution": "Kubernetes workloads resources are only allowed for verbs 'list', 'watch', 'get'", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv048", + "References": [ + "https://kubernetes.io/docs/concepts/security/rbac-good-practices/", + "https://avd.aquasec.com/misconfig/ksv048" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 20, + "EndLine": 31, + "Code": { + "Lines": [ + { + "Number": 20, + "Content": " - apiGroups:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mapiGroups\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 21, + 
"Content": " - apps", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - apps", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 22, + "Content": " resources:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mresources\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 23, + "Content": " - replicasets", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - replicasets", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 24, + "Content": " verbs:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mverbs\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 25, + "Content": " - create", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - create", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 26, + "Content": " - get", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - get", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 27, + "Content": " - list", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - list", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 28, + "Content": " - watch", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - watch", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 29, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV048", + "AVDID": "AVD-KSV-0048", + "Title": "Manage Kubernetes workloads and pods", + "Description": "Depending on the policies enforced by the admission controller, this permission ranges from the ability to steal compute (crypto) by running workloads or allowing for 
creating workloads that escape to the node as root and escalation to cluster-admin.", + "Message": "Role 'argo-rollouts-role' should not have access to resources [\"pods\", \"deployments\", \"jobs\", \"cronjobs\", \"statefulsets\", \"daemonsets\", \"replicasets\", \"replicationcontrollers\"] for verbs [\"create\", \"update\", \"patch\", \"delete\", \"deletecollection\", \"impersonate\", \"*\"]", + "Namespace": "builtin.kubernetes.KSV048", + "Query": "data.builtin.kubernetes.KSV048.deny", + "Resolution": "Kubernetes workloads resources are only allowed for verbs 'list', 'watch', 'get'", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv048", + "References": [ + "https://kubernetes.io/docs/concepts/security/rbac-good-practices/", + "https://avd.aquasec.com/misconfig/ksv048" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 72, + "EndLine": 83, + "Code": { + "Lines": [ + { + "Number": 72, + "Content": " - apiGroups:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mapiGroups\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 73, + "Content": " - batch", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - batch", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 74, + "Content": " resources:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mresources\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 75, + "Content": " - jobs", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - jobs", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 76, + "Content": " verbs:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mverbs\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + 
"Number": 77, + "Content": " - create", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - create", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 78, + "Content": " - get", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - get", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 79, + "Content": " - list", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - list", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 80, + "Content": " - watch", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - watch", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 81, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV056", + "AVDID": "AVD-KSV-0056", + "Title": "Manage Kubernetes networking", + "Description": "The ability to control which pods get service traffic directed to them allows for interception attacks. 
Controlling network policy allows for bypassing lateral movement restrictions.", + "Message": "ClusterRole 'argo-rollouts-clusterrole' should not have access to resources [\"services\", \"endpoints\", \"endpointslices\", \"networkpolicies\", \"ingresses\"] for verbs [\"create\", \"update\", \"patch\", \"delete\", \"deletecollection\", \"impersonate\", \"*\"]", + "Namespace": "builtin.kubernetes.KSV056", + "Query": "data.builtin.kubernetes.KSV056.deny", + "Resolution": "Networking resources are only allowed for verbs 'list', 'watch', 'get'", + "Severity": "HIGH", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv056", + "References": [ + "https://kubernetes.io/docs/concepts/security/rbac-good-practices/", + "https://avd.aquasec.com/misconfig/ksv056" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 190, + "EndLine": 198, + "Code": { + "Lines": [ + { + "Number": 190, + "Content": " - apiGroups:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mapiGroups\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 191, + "Content": " - \"\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;37m\"\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 192, + "Content": " resources:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mresources\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 193, + "Content": " - services", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - services", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 194, + "Content": " verbs:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mverbs\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 195, + 
"Content": " - get", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - get", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 196, + "Content": " - list", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - list", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 197, + "Content": " - watch", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - watch", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 198, + "Content": " - patch", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - patch", + "FirstCause": false, + "LastCause": true + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV056", + "AVDID": "AVD-KSV-0056", + "Title": "Manage Kubernetes networking", + "Description": "The ability to control which pods get service traffic directed to them allows for interception attacks. Controlling network policy allows for bypassing lateral movement restrictions.", + "Message": "Role 'argo-rollouts-role' should not have access to resources [\"services\", \"endpoints\", \"endpointslices\", \"networkpolicies\", \"ingresses\"] for verbs [\"create\", \"update\", \"patch\", \"delete\", \"deletecollection\", \"impersonate\", \"*\"]", + "Namespace": "builtin.kubernetes.KSV056", + "Query": "data.builtin.kubernetes.KSV056.deny", + "Resolution": "Networking resources are only allowed for verbs 'list', 'watch', 'get'", + "Severity": "HIGH", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv056", + "References": [ + "https://kubernetes.io/docs/concepts/security/rbac-good-practices/", + "https://avd.aquasec.com/misconfig/ksv056" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 32, + "EndLine": 40, + "Code": { + "Lines": [ + { + "Number": 32, + "Content": " - apiGroups:", + "IsCause": true, + "Annotation": "", + 
"Truncated": false, + "Highlighted": " - \u001b[38;5;33mapiGroups\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 33, + "Content": " - \"\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;37m\"\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 34, + "Content": " resources:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mresources\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 35, + "Content": " - services", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - services", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 36, + "Content": " verbs:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mverbs\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 37, + "Content": " - get", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - get", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 38, + "Content": " - list", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - list", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 39, + "Content": " - watch", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - watch", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 40, + "Content": " - patch", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - patch", + "FirstCause": false, + "LastCause": true + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV104", + "AVDID": "AVD-KSV-0104", + "Title": "Seccomp policies disabled", + "Description": "A program inside the container can bypass Seccomp protection policies.", + "Message": "container \"argo-rollouts\" of deployment \"argo-rollouts\" in \"default\" 
namespace should specify a seccomp profile", + "Namespace": "builtin.kubernetes.KSV104", + "Query": "data.builtin.kubernetes.KSV104.deny", + "Resolution": "Specify seccomp either by annotation or by seccomp profile type having allowed values as per pod security standards", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv104", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline", + "https://avd.aquasec.com/misconfig/ksv104" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 300, + "EndLine": 300, + "Code": { + "Lines": [ + { + "Number": 300, + "Content": "---", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "---", + "FirstCause": true, + "LastCause": true + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV106", + "AVDID": "AVD-KSV-0106", + "Title": "Container capabilities must only include NET_BIND_SERVICE", + "Description": "Containers must drop ALL capabilities, and are only permitted to add back the NET_BIND_SERVICE capability.", + "Message": "container should drop all", + "Namespace": "builtin.kubernetes.KSV106", + "Query": "data.builtin.kubernetes.KSV106.deny", + "Resolution": "Set 'spec.containers[*].securityContext.capabilities.drop' to 'ALL' and only add 'NET_BIND_SERVICE' to 'spec.containers[*].securityContext.capabilities.add'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv106", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", + "https://avd.aquasec.com/misconfig/ksv106" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 321, + "EndLine": 328, + "Code": { + "Lines": [ + { + "Number": 321, + "Content": " - command:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + 
"Highlighted": " - \u001b[38;5;33mcommand\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 322, + "Content": " - /bin/rollouts-controller", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - /bin/rollouts-controller", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 323, + "Content": " image: quay.io/devtron/rollout:v0.6.2", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/rollout:v0.6.2", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 324, + "Content": " imagePullPolicy: IfNotPresent", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 325, + "Content": " name: argo-rollouts", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mname\u001b[0m: argo-rollouts", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 326, + "Content": " volumeMounts:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvolumeMounts\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 327, + "Content": " - mountPath: /tmp", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mmountPath\u001b[0m: /tmp", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 328, + "Content": " name: tmp", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mname\u001b[0m: tmp", + "FirstCause": false, + "LastCause": true + } + ] + } + } + } + ] + }, + { + "Target": "manifests/yamls/serviceaccount.yaml", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 153, + "Failures": 11, + "Exceptions": 0 + }, + "Misconfigurations": [ + { + "Type": "Kubernetes 
Security Check", + "ID": "KSV041", + "AVDID": "AVD-KSV-0041", + "Title": "Manage secrets", + "Description": "Viewing secrets at the cluster-scope is akin to cluster-admin in most clusters as there are typically at least one service accounts (their token stored in a secret) bound to cluster-admin directly or a role/clusterrole that gives similar permissions.", + "Message": "ClusterRole 'argo-cluster-role' shouldn't have access to manage resource 'secrets'", + "Namespace": "builtin.kubernetes.KSV041", + "Query": "data.builtin.kubernetes.KSV041.deny", + "Resolution": "Manage secrets are not allowed. Remove resource 'secrets' from cluster role", + "Severity": "CRITICAL", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv041", + "References": [ + "https://kubernetes.io/docs/concepts/security/rbac-good-practices/", + "https://avd.aquasec.com/misconfig/ksv041" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 169, + "EndLine": 176, + "Code": { + "Lines": [ + { + "Number": 169, + "Content": "- apiGroups:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "- \u001b[38;5;33mapiGroups\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 170, + "Content": " - \"\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;37m\"\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 171, + "Content": " resources:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mresources\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 172, + "Content": " - secrets", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - secrets", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 173, + "Content": " verbs:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " 
\u001b[38;5;33mverbs\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 174, + "Content": " - get", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - get", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 175, + "Content": " - watch", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - watch", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 176, + "Content": " - list", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - list", + "FirstCause": false, + "LastCause": true + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV041", + "AVDID": "AVD-KSV-0041", + "Title": "Manage secrets", + "Description": "Viewing secrets at the cluster-scope is akin to cluster-admin in most clusters as there are typically at least one service accounts (their token stored in a secret) bound to cluster-admin directly or a role/clusterrole that gives similar permissions.", + "Message": "ClusterRole 'argo-ui-cluster-role' shouldn't have access to manage resource 'secrets'", + "Namespace": "builtin.kubernetes.KSV041", + "Query": "data.builtin.kubernetes.KSV041.deny", + "Resolution": "Manage secrets are not allowed. 
Remove resource 'secrets' from cluster role", + "Severity": "CRITICAL", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv041", + "References": [ + "https://kubernetes.io/docs/concepts/security/rbac-good-practices/", + "https://avd.aquasec.com/misconfig/ksv041" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 274, + "EndLine": 279, + "Code": { + "Lines": [ + { + "Number": 274, + "Content": "- apiGroups:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "- \u001b[38;5;33mapiGroups\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 275, + "Content": " - \"\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;37m\"\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 276, + "Content": " resources:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mresources\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 277, + "Content": " - secrets", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - secrets", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 278, + "Content": " verbs:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mverbs\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 279, + "Content": " - get", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - get", + "FirstCause": false, + "LastCause": true + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV041", + "AVDID": "AVD-KSV-0041", + "Title": "Manage secrets", + "Description": "Viewing secrets at the cluster-scope is akin to cluster-admin in most clusters as there are typically at least one service accounts (their token stored in a secret) bound to cluster-admin 
directly or a role/clusterrole that gives similar permissions.", + "Message": "ClusterRole 'workflow-cluster-role' shouldn't have access to manage resource 'secrets'", + "Namespace": "builtin.kubernetes.KSV041", + "Query": "data.builtin.kubernetes.KSV041.deny", + "Resolution": "Manage secrets are not allowed. Remove resource 'secrets' from cluster role", + "Severity": "CRITICAL", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv041", + "References": [ + "https://kubernetes.io/docs/concepts/security/rbac-good-practices/", + "https://avd.aquasec.com/misconfig/ksv041" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 71, + "EndLine": 76, + "Code": { + "Lines": [ + { + "Number": 71, + "Content": "- apiGroups:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "- \u001b[38;5;33mapiGroups\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 72, + "Content": " - \"\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;37m\"\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 73, + "Content": " resources:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mresources\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 74, + "Content": " - secrets", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - secrets", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 75, + "Content": " verbs:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mverbs\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 76, + "Content": " - create", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - create", + "FirstCause": false, + "LastCause": true + } + ] + } + } + }, + { + "Type": 
"Kubernetes Security Check", + "ID": "KSV044", + "AVDID": "AVD-KSV-0044", + "Title": "No wildcard verb and resource roles", + "Description": "Check whether role permits wildcard verb on wildcard resource", + "Message": "Role permits wildcard verb on wildcard resource", + "Namespace": "builtin.kubernetes.KSV044", + "Query": "data.builtin.kubernetes.KSV044.deny", + "Resolution": "Create a role which does not permit wildcard verb on wildcard resource", + "Severity": "CRITICAL", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv044", + "References": [ + "https://kubernetes.io/docs/concepts/security/rbac-good-practices/", + "https://avd.aquasec.com/misconfig/ksv044" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 296, + "EndLine": 301, + "Code": { + "Lines": [ + { + "Number": 296, + "Content": "- apiGroups:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "- \u001b[38;5;33mapiGroups\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 297, + "Content": " - '*'", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;37m'*'", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 298, + "Content": " resources:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mresources\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 299, + "Content": " - '*'", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;37m'*'", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 300, + "Content": " verbs:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mverbs\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 301, + "Content": " - '*'", + "IsCause": true, + "Annotation": "", + "Truncated": 
false, + "Highlighted": " - \u001b[38;5;37m'*'", + "FirstCause": false, + "LastCause": true + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV046", + "AVDID": "AVD-KSV-0046", + "Title": "Manage all resources", + "Description": "Full control of the cluster resources, and therefore also root on all nodes where workloads can run and has access to all pods, secrets, and data.", + "Message": "ClusterRole 'devtron' shouldn't manage all resources", + "Namespace": "builtin.kubernetes.KSV046", + "Query": "data.builtin.kubernetes.KSV046.deny", + "Resolution": "Remove '*' from 'rules.resources'. Provide specific list of resources to be managed by cluster role", + "Severity": "CRITICAL", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv046", + "References": [ + "https://kubernetes.io/docs/concepts/security/rbac-good-practices/", + "https://avd.aquasec.com/misconfig/ksv046" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 296, + "EndLine": 301, + "Code": { + "Lines": [ + { + "Number": 296, + "Content": "- apiGroups:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "- \u001b[38;5;33mapiGroups\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 297, + "Content": " - '*'", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;37m'*'", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 298, + "Content": " resources:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mresources\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 299, + "Content": " - '*'", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;37m'*'", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 300, + "Content": " verbs:", + "IsCause": true, + "Annotation": "", + 
"Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mverbs\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 301, + "Content": " - '*'", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;37m'*'", + "FirstCause": false, + "LastCause": true + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV048", + "AVDID": "AVD-KSV-0048", + "Title": "Manage Kubernetes workloads and pods", + "Description": "Depending on the policies enforced by the admission controller, this permission ranges from the ability to steal compute (crypto) by running workloads or allowing for creating workloads that escape to the node as root and escalation to cluster-admin.", + "Message": "ClusterRole 'argo-cluster-role' should not have access to resources [\"pods\", \"deployments\", \"jobs\", \"cronjobs\", \"statefulsets\", \"daemonsets\", \"replicasets\", \"replicationcontrollers\"] for verbs [\"create\", \"update\", \"patch\", \"delete\", \"deletecollection\", \"impersonate\", \"*\"]", + "Namespace": "builtin.kubernetes.KSV048", + "Query": "data.builtin.kubernetes.KSV048.deny", + "Resolution": "Kubernetes workloads resources are only allowed for verbs 'list', 'watch', 'get'", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv048", + "References": [ + "https://kubernetes.io/docs/concepts/security/rbac-good-practices/", + "https://avd.aquasec.com/misconfig/ksv048" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 148, + "EndLine": 160, + "Code": { + "Lines": [ + { + "Number": 148, + "Content": "- apiGroups:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "- \u001b[38;5;33mapiGroups\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 149, + "Content": " - \"\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " 
- \u001b[38;5;37m\"\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 150, + "Content": " resources:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mresources\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 151, + "Content": " - pods", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - pods", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 152, + "Content": " - pods/exec", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - pods/exec", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 153, + "Content": " verbs:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mverbs\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 154, + "Content": " - create", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - create", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 155, + "Content": " - get", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - get", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 156, + "Content": " - list", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - list", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 157, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV048", + "AVDID": "AVD-KSV-0048", + "Title": "Manage Kubernetes workloads and pods", + "Description": "Depending on the policies enforced by the admission controller, this permission ranges from the ability to steal compute (crypto) by running workloads or allowing for creating workloads that escape to the node as root and escalation to 
cluster-admin.", + "Message": "ClusterRole 'workflow-cluster-role' should not have access to resources [\"pods\", \"deployments\", \"jobs\", \"cronjobs\", \"statefulsets\", \"daemonsets\", \"replicasets\", \"replicationcontrollers\"] for verbs [\"create\", \"update\", \"patch\", \"delete\", \"deletecollection\", \"impersonate\", \"*\"]", + "Namespace": "builtin.kubernetes.KSV048", + "Query": "data.builtin.kubernetes.KSV048.deny", + "Resolution": "Kubernetes workloads resources are only allowed for verbs 'list', 'watch', 'get'", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv048", + "References": [ + "https://kubernetes.io/docs/concepts/security/rbac-good-practices/", + "https://avd.aquasec.com/misconfig/ksv048" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 35, + "EndLine": 49, + "Code": { + "Lines": [ + { + "Number": 35, + "Content": "- apiGroups:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "- \u001b[38;5;33mapiGroups\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 36, + "Content": " - '*'", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;37m'*'", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 37, + "Content": " resources:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mresources\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 38, + "Content": " - deployments", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - deployments", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 39, + "Content": " - pods", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - pods", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 40, + "Content": " - pods/exec", + "IsCause": 
true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - pods/exec", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 41, + "Content": " verbs:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mverbs\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 42, + "Content": " - watch", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - watch", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 43, + "Content": " - patch", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - patch", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 44, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV048", + "AVDID": "AVD-KSV-0048", + "Title": "Manage Kubernetes workloads and pods", + "Description": "Depending on the policies enforced by the admission controller, this permission ranges from the ability to steal compute (crypto) by running workloads or allowing for creating workloads that escape to the node as root and escalation to cluster-admin.", + "Message": "ClusterRole 'workflow-cluster-role' should not have access to resources [\"pods\", \"deployments\", \"jobs\", \"cronjobs\", \"statefulsets\", \"daemonsets\", \"replicasets\", \"replicationcontrollers\"] for verbs [\"create\", \"update\", \"patch\", \"delete\", \"deletecollection\", \"impersonate\", \"*\"]", + "Namespace": "builtin.kubernetes.KSV048", + "Query": "data.builtin.kubernetes.KSV048.deny", + "Resolution": "Kubernetes workloads resources are only allowed for verbs 'list', 'watch', 'get'", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv048", + "References": [ + "https://kubernetes.io/docs/concepts/security/rbac-good-practices/", + 
"https://avd.aquasec.com/misconfig/ksv048" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 50, + "EndLine": 57, + "Code": { + "Lines": [ + { + "Number": 50, + "Content": "- apiGroups:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "- \u001b[38;5;33mapiGroups\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 51, + "Content": " - \"\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;37m\"\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 52, + "Content": " resources:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mresources\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 53, + "Content": " - pods", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - pods", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 54, + "Content": " verbs:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mverbs\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 55, + "Content": " - get", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - get", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 56, + "Content": " - watch", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - watch", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 57, + "Content": " - patch", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - patch", + "FirstCause": false, + "LastCause": true + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV049", + "AVDID": "AVD-KSV-0049", + "Title": "Manage configmaps", + "Description": "Some workloads leverage configmaps to store sensitive data 
or configuration parameters that affect runtime behavior that can be modified by an attacker or combined with another issue to potentially lead to compromise.", + "Message": "ClusterRole 'workflow-cluster-role' should not have access to resource 'configmaps' for verbs [\"create\", \"update\", \"patch\", \"delete\", \"deletecollection\", \"impersonate\", \"*\"]", + "Namespace": "builtin.kubernetes.KSV049", + "Query": "data.builtin.kubernetes.KSV049.deny", + "Resolution": "Remove write permission verbs for resource 'configmaps'", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv049", + "References": [ + "https://kubernetes.io/docs/concepts/security/rbac-good-practices/", + "https://avd.aquasec.com/misconfig/ksv049" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 65, + "EndLine": 70, + "Code": { + "Lines": [ + { + "Number": 65, + "Content": "- apiGroups:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "- \u001b[38;5;33mapiGroups\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 66, + "Content": " - \"\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;37m\"\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 67, + "Content": " resources:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mresources\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 68, + "Content": " - configmaps", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - configmaps", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 69, + "Content": " verbs:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mverbs\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 70, + "Content": " - 
create", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - create", + "FirstCause": false, + "LastCause": true + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV053", + "AVDID": "AVD-KSV-0053", + "Title": "Exec into Pods", + "Description": "The ability to exec into a container with privileged access to the host or with an attached SA with higher RBAC permissions is a common escalation path to cluster-admin.", + "Message": "ClusterRole 'argo-cluster-role' should not have access to resource '[\"pods/exec\"]' for verbs [\"create\", \"update\", \"patch\", \"delete\", \"deletecollection\", \"impersonate\", \"*\"]", + "Namespace": "builtin.kubernetes.KSV053", + "Query": "data.builtin.kubernetes.KSV053.deny", + "Resolution": "Remove write permission verbs for resource 'pods/exec'", + "Severity": "HIGH", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv053", + "References": [ + "https://kubernetes.io/docs/concepts/security/rbac-good-practices/", + "https://avd.aquasec.com/misconfig/ksv053" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 148, + "EndLine": 160, + "Code": { + "Lines": [ + { + "Number": 148, + "Content": "- apiGroups:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "- \u001b[38;5;33mapiGroups\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 149, + "Content": " - \"\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;37m\"\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 150, + "Content": " resources:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mresources\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 151, + "Content": " - pods", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " 
- pods", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 152, + "Content": " - pods/exec", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - pods/exec", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 153, + "Content": " verbs:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mverbs\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 154, + "Content": " - create", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - create", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 155, + "Content": " - get", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - get", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 156, + "Content": " - list", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - list", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 157, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV053", + "AVDID": "AVD-KSV-0053", + "Title": "Exec into Pods", + "Description": "The ability to exec into a container with privileged access to the host or with an attached SA with higher RBAC permissions is a common escalation path to cluster-admin.", + "Message": "ClusterRole 'workflow-cluster-role' should not have access to resource '[\"pods/exec\"]' for verbs [\"create\", \"update\", \"patch\", \"delete\", \"deletecollection\", \"impersonate\", \"*\"]", + "Namespace": "builtin.kubernetes.KSV053", + "Query": "data.builtin.kubernetes.KSV053.deny", + "Resolution": "Remove write permission verbs for resource 'pods/exec'", + "Severity": "HIGH", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv053", + "References": [ + 
"https://kubernetes.io/docs/concepts/security/rbac-good-practices/", + "https://avd.aquasec.com/misconfig/ksv053" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 35, + "EndLine": 49, + "Code": { + "Lines": [ + { + "Number": 35, + "Content": "- apiGroups:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "- \u001b[38;5;33mapiGroups\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 36, + "Content": " - '*'", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;37m'*'", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 37, + "Content": " resources:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mresources\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 38, + "Content": " - deployments", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - deployments", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 39, + "Content": " - pods", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - pods", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 40, + "Content": " - pods/exec", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - pods/exec", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 41, + "Content": " verbs:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mverbs\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 42, + "Content": " - watch", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - watch", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 43, + "Content": " - patch", + "IsCause": true, + "Annotation": "", + "Truncated": false, + 
"Highlighted": " - patch", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 44, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + } + ] + }, + { + "Target": "manifests/yamls/workflow.yaml", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 153, + "Failures": 16, + "Exceptions": 0 + }, + "Misconfigurations": [ + { + "Type": "Kubernetes Security Check", + "ID": "KSV001", + "AVDID": "AVD-KSV-0001", + "Title": "Can elevate its own privileges", + "Description": "A program inside the container can elevate its own privileges and run as root, which might give the program control over the container and node.", + "Message": "Container 'workflow-controller' of Deployment 'workflow-controller' should set 'securityContext.allowPrivilegeEscalation' to false", + "Namespace": "builtin.kubernetes.KSV001", + "Query": "data.builtin.kubernetes.KSV001.deny", + "Resolution": "Set 'set containers[].securityContext.allowPrivilegeEscalation' to 'false'.", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv001", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", + "https://avd.aquasec.com/misconfig/ksv001" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 322, + "EndLine": 336, + "Code": { + "Lines": [ + { + "Number": 322, + "Content": " - args:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33margs\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 323, + "Content": " - --configmap", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --configmap", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 324, + "Content": " - workflow-controller-configmap", + "IsCause": true, + "Annotation": 
"", + "Truncated": false, + "Highlighted": " - workflow-controller-configmap", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 325, + "Content": " - --executor-image", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --executor-image", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 326, + "Content": " - quay.io/argoproj/argoexec:v3.0.7", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - quay.io/argoproj/argoexec:v3.0.7", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 327, + "Content": " command:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mcommand\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 328, + "Content": " - workflow-controller", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - workflow-controller", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 329, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 330, + "Content": " - name: LEADER_ELECTION_IDENTITY", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: LEADER_ELECTION_IDENTITY", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 331, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV003", + "AVDID": "AVD-KSV-0003", + "Title": "Default capabilities: some containers do not drop all", + "Description": "The container should drop all default capabilities and add only those that are needed for its execution.", + "Message": "Container 'workflow-controller' of Deployment 'workflow-controller' should add 
'ALL' to 'securityContext.capabilities.drop'", + "Namespace": "builtin.kubernetes.KSV003", + "Query": "data.builtin.kubernetes.KSV003.deny", + "Resolution": "Add 'ALL' to containers[].securityContext.capabilities.drop.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv003", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-capabilities-drop-index-all/", + "https://avd.aquasec.com/misconfig/ksv003" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 322, + "EndLine": 336, + "Code": { + "Lines": [ + { + "Number": 322, + "Content": " - args:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33margs\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 323, + "Content": " - --configmap", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --configmap", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 324, + "Content": " - workflow-controller-configmap", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - workflow-controller-configmap", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 325, + "Content": " - --executor-image", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --executor-image", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 326, + "Content": " - quay.io/argoproj/argoexec:v3.0.7", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - quay.io/argoproj/argoexec:v3.0.7", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 327, + "Content": " command:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mcommand\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 328, + "Content": " - workflow-controller", + "IsCause": 
true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - workflow-controller", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 329, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 330, + "Content": " - name: LEADER_ELECTION_IDENTITY", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: LEADER_ELECTION_IDENTITY", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 331, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV011", + "AVDID": "AVD-KSV-0011", + "Title": "CPU not limited", + "Description": "Enforcing CPU limits prevents DoS via resource exhaustion.", + "Message": "Container 'workflow-controller' of Deployment 'workflow-controller' should set 'resources.limits.cpu'", + "Namespace": "builtin.kubernetes.KSV011", + "Query": "data.builtin.kubernetes.KSV011.deny", + "Resolution": "Set a limit value under 'containers[].resources.limits.cpu'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv011", + "References": [ + "https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", + "https://avd.aquasec.com/misconfig/ksv011" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 322, + "EndLine": 336, + "Code": { + "Lines": [ + { + "Number": 322, + "Content": " - args:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33margs\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 323, + "Content": " - --configmap", + "IsCause": true, + "Annotation": "", + 
"Truncated": false, + "Highlighted": " - --configmap", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 324, + "Content": " - workflow-controller-configmap", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - workflow-controller-configmap", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 325, + "Content": " - --executor-image", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --executor-image", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 326, + "Content": " - quay.io/argoproj/argoexec:v3.0.7", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - quay.io/argoproj/argoexec:v3.0.7", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 327, + "Content": " command:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mcommand\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 328, + "Content": " - workflow-controller", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - workflow-controller", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 329, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 330, + "Content": " - name: LEADER_ELECTION_IDENTITY", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: LEADER_ELECTION_IDENTITY", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 331, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV012", + "AVDID": "AVD-KSV-0012", + "Title": "Runs as root user", + "Description": "Force the running image to 
run as a non-root user to ensure least privileges.", + "Message": "Container 'workflow-controller' of Deployment 'workflow-controller' should set 'securityContext.runAsNonRoot' to true", + "Namespace": "builtin.kubernetes.KSV012", + "Query": "data.builtin.kubernetes.KSV012.deny", + "Resolution": "Set 'containers[].securityContext.runAsNonRoot' to true.", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv012", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", + "https://avd.aquasec.com/misconfig/ksv012" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 322, + "EndLine": 336, + "Code": { + "Lines": [ + { + "Number": 322, + "Content": " - args:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33margs\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 323, + "Content": " - --configmap", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --configmap", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 324, + "Content": " - workflow-controller-configmap", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - workflow-controller-configmap", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 325, + "Content": " - --executor-image", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --executor-image", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 326, + "Content": " - quay.io/argoproj/argoexec:v3.0.7", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - quay.io/argoproj/argoexec:v3.0.7", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 327, + "Content": " command:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " 
\u001b[38;5;33mcommand\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 328, + "Content": " - workflow-controller", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - workflow-controller", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 329, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 330, + "Content": " - name: LEADER_ELECTION_IDENTITY", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: LEADER_ELECTION_IDENTITY", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 331, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV014", + "AVDID": "AVD-KSV-0014", + "Title": "Root file system is not read-only", + "Description": "An immutable root file system prevents applications from writing to their local disk. 
This can limit intrusions, as attackers will not be able to tamper with the file system or write foreign executables to disk.", + "Message": "Container 'workflow-controller' of Deployment 'workflow-controller' should set 'securityContext.readOnlyRootFilesystem' to true", + "Namespace": "builtin.kubernetes.KSV014", + "Query": "data.builtin.kubernetes.KSV014.deny", + "Resolution": "Change 'containers[].securityContext.readOnlyRootFilesystem' to 'true'.", + "Severity": "HIGH", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv014", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-readonlyrootfilesystem-true/", + "https://avd.aquasec.com/misconfig/ksv014" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 322, + "EndLine": 336, + "Code": { + "Lines": [ + { + "Number": 322, + "Content": " - args:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33margs\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 323, + "Content": " - --configmap", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --configmap", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 324, + "Content": " - workflow-controller-configmap", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - workflow-controller-configmap", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 325, + "Content": " - --executor-image", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --executor-image", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 326, + "Content": " - quay.io/argoproj/argoexec:v3.0.7", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - quay.io/argoproj/argoexec:v3.0.7", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 327, + "Content": " command:", + 
"IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mcommand\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 328, + "Content": " - workflow-controller", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - workflow-controller", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 329, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 330, + "Content": " - name: LEADER_ELECTION_IDENTITY", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: LEADER_ELECTION_IDENTITY", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 331, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV015", + "AVDID": "AVD-KSV-0015", + "Title": "CPU requests not specified", + "Description": "When containers have resource requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", + "Message": "Container 'workflow-controller' of Deployment 'workflow-controller' should set 'resources.requests.cpu'", + "Namespace": "builtin.kubernetes.KSV015", + "Query": "data.builtin.kubernetes.KSV015.deny", + "Resolution": "Set 'containers[].resources.requests.cpu'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv015", + "References": [ + "https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", + "https://avd.aquasec.com/misconfig/ksv015" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 322, + 
"EndLine": 336, + "Code": { + "Lines": [ + { + "Number": 322, + "Content": " - args:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33margs\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 323, + "Content": " - --configmap", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --configmap", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 324, + "Content": " - workflow-controller-configmap", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - workflow-controller-configmap", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 325, + "Content": " - --executor-image", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --executor-image", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 326, + "Content": " - quay.io/argoproj/argoexec:v3.0.7", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - quay.io/argoproj/argoexec:v3.0.7", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 327, + "Content": " command:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mcommand\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 328, + "Content": " - workflow-controller", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - workflow-controller", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 329, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 330, + "Content": " - name: LEADER_ELECTION_IDENTITY", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: LEADER_ELECTION_IDENTITY", + "FirstCause": false, + "LastCause": 
true + }, + { + "Number": 331, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV016", + "AVDID": "AVD-KSV-0016", + "Title": "Memory requests not specified", + "Description": "When containers have memory requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", + "Message": "Container 'workflow-controller' of Deployment 'workflow-controller' should set 'resources.requests.memory'", + "Namespace": "builtin.kubernetes.KSV016", + "Query": "data.builtin.kubernetes.KSV016.deny", + "Resolution": "Set 'containers[].resources.requests.memory'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv016", + "References": [ + "https://kubesec.io/basics/containers-resources-limits-memory/", + "https://avd.aquasec.com/misconfig/ksv016" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 322, + "EndLine": 336, + "Code": { + "Lines": [ + { + "Number": 322, + "Content": " - args:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33margs\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 323, + "Content": " - --configmap", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --configmap", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 324, + "Content": " - workflow-controller-configmap", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - workflow-controller-configmap", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 325, + "Content": " - --executor-image", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --executor-image", + "FirstCause": false, + "LastCause": 
false + }, + { + "Number": 326, + "Content": " - quay.io/argoproj/argoexec:v3.0.7", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - quay.io/argoproj/argoexec:v3.0.7", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 327, + "Content": " command:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mcommand\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 328, + "Content": " - workflow-controller", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - workflow-controller", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 329, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 330, + "Content": " - name: LEADER_ELECTION_IDENTITY", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: LEADER_ELECTION_IDENTITY", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 331, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV018", + "AVDID": "AVD-KSV-0018", + "Title": "Memory not limited", + "Description": "Enforcing memory limits prevents DoS via resource exhaustion.", + "Message": "Container 'workflow-controller' of Deployment 'workflow-controller' should set 'resources.limits.memory'", + "Namespace": "builtin.kubernetes.KSV018", + "Query": "data.builtin.kubernetes.KSV018.deny", + "Resolution": "Set a limit value under 'containers[].resources.limits.memory'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv018", + "References": [ + "https://kubesec.io/basics/containers-resources-limits-memory/", + 
"https://avd.aquasec.com/misconfig/ksv018" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 322, + "EndLine": 336, + "Code": { + "Lines": [ + { + "Number": 322, + "Content": " - args:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33margs\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 323, + "Content": " - --configmap", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --configmap", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 324, + "Content": " - workflow-controller-configmap", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - workflow-controller-configmap", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 325, + "Content": " - --executor-image", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --executor-image", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 326, + "Content": " - quay.io/argoproj/argoexec:v3.0.7", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - quay.io/argoproj/argoexec:v3.0.7", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 327, + "Content": " command:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mcommand\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 328, + "Content": " - workflow-controller", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - workflow-controller", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 329, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 330, + "Content": " - name: 
LEADER_ELECTION_IDENTITY", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: LEADER_ELECTION_IDENTITY", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 331, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV020", + "AVDID": "AVD-KSV-0020", + "Title": "Runs with UID \u003c= 10000", + "Description": "Force the container to run with user ID \u003e 10000 to avoid conflicts with the host’s user table.", + "Message": "Container 'workflow-controller' of Deployment 'workflow-controller' should set 'securityContext.runAsUser' \u003e 10000", + "Namespace": "builtin.kubernetes.KSV020", + "Query": "data.builtin.kubernetes.KSV020.deny", + "Resolution": "Set 'containers[].securityContext.runAsUser' to an integer \u003e 10000.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv020", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-runasuser/", + "https://avd.aquasec.com/misconfig/ksv020" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 322, + "EndLine": 336, + "Code": { + "Lines": [ + { + "Number": 322, + "Content": " - args:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33margs\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 323, + "Content": " - --configmap", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --configmap", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 324, + "Content": " - workflow-controller-configmap", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - workflow-controller-configmap", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 325, + 
"Content": " - --executor-image", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --executor-image", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 326, + "Content": " - quay.io/argoproj/argoexec:v3.0.7", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - quay.io/argoproj/argoexec:v3.0.7", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 327, + "Content": " command:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mcommand\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 328, + "Content": " - workflow-controller", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - workflow-controller", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 329, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 330, + "Content": " - name: LEADER_ELECTION_IDENTITY", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: LEADER_ELECTION_IDENTITY", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 331, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV021", + "AVDID": "AVD-KSV-0021", + "Title": "Runs with GID \u003c= 10000", + "Description": "Force the container to run with group ID \u003e 10000 to avoid conflicts with the host’s user table.", + "Message": "Container 'workflow-controller' of Deployment 'workflow-controller' should set 'securityContext.runAsGroup' \u003e 10000", + "Namespace": "builtin.kubernetes.KSV021", + "Query": "data.builtin.kubernetes.KSV021.deny", + "Resolution": "Set 
'containers[].securityContext.runAsGroup' to an integer \u003e 10000.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv021", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-runasuser/", + "https://avd.aquasec.com/misconfig/ksv021" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 322, + "EndLine": 336, + "Code": { + "Lines": [ + { + "Number": 322, + "Content": " - args:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33margs\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 323, + "Content": " - --configmap", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --configmap", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 324, + "Content": " - workflow-controller-configmap", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - workflow-controller-configmap", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 325, + "Content": " - --executor-image", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --executor-image", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 326, + "Content": " - quay.io/argoproj/argoexec:v3.0.7", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - quay.io/argoproj/argoexec:v3.0.7", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 327, + "Content": " command:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mcommand\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 328, + "Content": " - workflow-controller", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - workflow-controller", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 329, + 
"Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 330, + "Content": " - name: LEADER_ELECTION_IDENTITY", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: LEADER_ELECTION_IDENTITY", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 331, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV030", + "AVDID": "AVD-KSV-0030", + "Title": "Runtime/Default Seccomp profile not set", + "Description": "According to pod security standard 'Seccomp', the RuntimeDefault seccomp profile must be required, or allow specific additional profiles.", + "Message": "Either Pod or Container should set 'securityContext.seccompProfile.type' to 'RuntimeDefault'", + "Namespace": "builtin.kubernetes.KSV030", + "Query": "data.builtin.kubernetes.KSV030.deny", + "Resolution": "Set 'spec.securityContext.seccompProfile.type', 'spec.containers[*].securityContext.seccompProfile' and 'spec.initContainers[*].securityContext.seccompProfile' to 'RuntimeDefault' or undefined.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv030", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", + "https://avd.aquasec.com/misconfig/ksv030" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 322, + "EndLine": 336, + "Code": { + "Lines": [ + { + "Number": 322, + "Content": " - args:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33margs\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 323, + "Content": " - --configmap", + "IsCause": 
true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --configmap", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 324, + "Content": " - workflow-controller-configmap", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - workflow-controller-configmap", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 325, + "Content": " - --executor-image", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --executor-image", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 326, + "Content": " - quay.io/argoproj/argoexec:v3.0.7", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - quay.io/argoproj/argoexec:v3.0.7", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 327, + "Content": " command:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mcommand\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 328, + "Content": " - workflow-controller", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - workflow-controller", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 329, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 330, + "Content": " - name: LEADER_ELECTION_IDENTITY", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: LEADER_ELECTION_IDENTITY", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 331, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV048", + "AVDID": "AVD-KSV-0048", + "Title": "Manage Kubernetes workloads and pods", 
+ "Description": "Depending on the policies enforced by the admission controller, this permission ranges from the ability to steal compute (crypto) by running workloads or allowing for creating workloads that escape to the node as root and escalation to cluster-admin.", + "Message": "ClusterRole 'argo-cluster-role' should not have access to resources [\"pods\", \"deployments\", \"jobs\", \"cronjobs\", \"statefulsets\", \"daemonsets\", \"replicasets\", \"replicationcontrollers\"] for verbs [\"create\", \"update\", \"patch\", \"delete\", \"deletecollection\", \"impersonate\", \"*\"]", + "Namespace": "builtin.kubernetes.KSV048", + "Query": "data.builtin.kubernetes.KSV048.deny", + "Resolution": "Kubernetes workloads resources are only allowed for verbs 'list', 'watch', 'get'", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv048", + "References": [ + "https://kubernetes.io/docs/concepts/security/rbac-good-practices/", + "https://avd.aquasec.com/misconfig/ksv048" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 184, + "EndLine": 196, + "Code": { + "Lines": [ + { + "Number": 184, + "Content": "- apiGroups:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "- \u001b[38;5;33mapiGroups\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 185, + "Content": " - \"\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;37m\"\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 186, + "Content": " resources:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mresources\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 187, + "Content": " - pods", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - pods", + "FirstCause": false, + "LastCause": false + }, 
+ { + "Number": 188, + "Content": " - pods/exec", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - pods/exec", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 189, + "Content": " verbs:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mverbs\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 190, + "Content": " - create", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - create", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 191, + "Content": " - get", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - get", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 192, + "Content": " - list", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - list", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 193, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV053", + "AVDID": "AVD-KSV-0053", + "Title": "Exec into Pods", + "Description": "The ability to exec into a container with privileged access to the host or with an attached SA with higher RBAC permissions is a common escalation path to cluster-admin.", + "Message": "ClusterRole 'argo-cluster-role' should not have access to resource '[\"pods/exec\"]' for verbs [\"create\", \"update\", \"patch\", \"delete\", \"deletecollection\", \"impersonate\", \"*\"]", + "Namespace": "builtin.kubernetes.KSV053", + "Query": "data.builtin.kubernetes.KSV053.deny", + "Resolution": "Remove write permission verbs for resource 'pods/exec'", + "Severity": "HIGH", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv053", + "References": [ + "https://kubernetes.io/docs/concepts/security/rbac-good-practices/", + 
"https://avd.aquasec.com/misconfig/ksv053" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 184, + "EndLine": 196, + "Code": { + "Lines": [ + { + "Number": 184, + "Content": "- apiGroups:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "- \u001b[38;5;33mapiGroups\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 185, + "Content": " - \"\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;37m\"\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 186, + "Content": " resources:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mresources\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 187, + "Content": " - pods", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - pods", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 188, + "Content": " - pods/exec", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - pods/exec", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 189, + "Content": " verbs:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mverbs\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 190, + "Content": " - create", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - create", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 191, + "Content": " - get", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - get", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 192, + "Content": " - list", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - list", + "FirstCause": false, + "LastCause": true + }, + { + 
"Number": 193, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV104", + "AVDID": "AVD-KSV-0104", + "Title": "Seccomp policies disabled", + "Description": "A program inside the container can bypass Seccomp protection policies.", + "Message": "container \"workflow-controller\" of deployment \"workflow-controller\" in \"default\" namespace should specify a seccomp profile", + "Namespace": "builtin.kubernetes.KSV104", + "Query": "data.builtin.kubernetes.KSV104.deny", + "Resolution": "Specify seccomp either by annotation or by seccomp profile type having allowed values as per pod security standards", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv104", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline", + "https://avd.aquasec.com/misconfig/ksv104" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 307, + "EndLine": 307, + "Code": { + "Lines": [ + { + "Number": 307, + "Content": "---", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "---", + "FirstCause": true, + "LastCause": true + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV106", + "AVDID": "AVD-KSV-0106", + "Title": "Container capabilities must only include NET_BIND_SERVICE", + "Description": "Containers must drop ALL capabilities, and are only permitted to add back the NET_BIND_SERVICE capability.", + "Message": "container should drop all", + "Namespace": "builtin.kubernetes.KSV106", + "Query": "data.builtin.kubernetes.KSV106.deny", + "Resolution": "Set 'spec.containers[*].securityContext.capabilities.drop' to 'ALL' and only add 'NET_BIND_SERVICE' to 'spec.containers[*].securityContext.capabilities.add'.", + "Severity": "LOW", + "PrimaryURL": 
"https://avd.aquasec.com/misconfig/ksv106", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", + "https://avd.aquasec.com/misconfig/ksv106" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 322, + "EndLine": 336, + "Code": { + "Lines": [ + { + "Number": 322, + "Content": " - args:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33margs\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 323, + "Content": " - --configmap", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --configmap", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 324, + "Content": " - workflow-controller-configmap", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - workflow-controller-configmap", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 325, + "Content": " - --executor-image", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - --executor-image", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 326, + "Content": " - quay.io/argoproj/argoexec:v3.0.7", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - quay.io/argoproj/argoexec:v3.0.7", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 327, + "Content": " command:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mcommand\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 328, + "Content": " - workflow-controller", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - workflow-controller", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 329, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " 
\u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 330, + "Content": " - name: LEADER_ELECTION_IDENTITY", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: LEADER_ELECTION_IDENTITY", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 331, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV113", + "AVDID": "AVD-KSV-0113", + "Title": "Manage namespace secrets", + "Description": "Viewing secrets at the namespace scope can lead to escalation if another service account in that namespace has a higher privileged rolebinding or clusterrolebinding bound.", + "Message": "Role 'argo-role' shouldn't have access to manage secrets in namespace 'default'", + "Namespace": "builtin.kubernetes.KSV113", + "Query": "data.builtin.kubernetes.KSV113.deny", + "Resolution": "Manage namespace secrets are not allowed. 
Remove resource 'secrets' from role", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv113", + "References": [ + "https://kubernetes.io/docs/concepts/security/rbac-good-practices/", + "https://avd.aquasec.com/misconfig/ksv113" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 105, + "EndLine": 110, + "Code": { + "Lines": [ + { + "Number": 105, + "Content": "- apiGroups:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "- \u001b[38;5;33mapiGroups\u001b[0m:", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 106, + "Content": " - \"\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;37m\"\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 107, + "Content": " resources:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mresources\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 108, + "Content": " - secrets", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - secrets", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 109, + "Content": " verbs:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mverbs\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 110, + "Content": " - get", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - get", + "FirstCause": false, + "LastCause": true + } + ] + } + } + } + ] + }, + { + "Target": "sample-docker-templates/django/Dockerfile", + "Class": "config", + "Type": "dockerfile", + "MisconfSummary": { + "Successes": 25, + "Failures": 2, + "Exceptions": 0 + }, + "Misconfigurations": [ + { + "Type": "Dockerfile Security Check", + "ID": "DS002", + "AVDID": "AVD-DS-0002", + "Title": "Image user should 
not be 'root'", + "Description": "Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.", + "Message": "Specify at least 1 USER command in Dockerfile with non-root user as argument", + "Namespace": "builtin.dockerfile.DS002", + "Query": "data.builtin.dockerfile.DS002.deny", + "Resolution": "Add 'USER \u003cnon root user name\u003e' line to the Dockerfile", + "Severity": "HIGH", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ds002", + "References": [ + "https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", + "https://avd.aquasec.com/misconfig/ds002" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Dockerfile", + "Service": "general", + "Code": { + "Lines": null + } + } + }, + { + "Type": "Dockerfile Security Check", + "ID": "DS026", + "AVDID": "AVD-DS-0026", + "Title": "No HEALTHCHECK defined", + "Description": "You should add HEALTHCHECK instruction in your docker container images to perform the health check on running containers.", + "Message": "Add HEALTHCHECK instruction in your Dockerfile", + "Namespace": "builtin.dockerfile.DS026", + "Query": "data.builtin.dockerfile.DS026.deny", + "Resolution": "Add HEALTHCHECK instruction in Dockerfile", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ds026", + "References": [ + "https://blog.aquasec.com/docker-security-best-practices", + "https://avd.aquasec.com/misconfig/ds026" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Dockerfile", + "Service": "general", + "Code": { + "Lines": null + } + } + } + ] + }, + { + "Target": "sample-docker-templates/flask/Dockerfile", + "Class": "config", + "Type": "dockerfile", + "MisconfSummary": { + "Successes": 22, + "Failures": 5, + "Exceptions": 0 + }, + "Misconfigurations": [ + { + "Type": "Dockerfile Security Check", + "ID": 
"DS002", + "AVDID": "AVD-DS-0002", + "Title": "Image user should not be 'root'", + "Description": "Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.", + "Message": "Specify at least 1 USER command in Dockerfile with non-root user as argument", + "Namespace": "builtin.dockerfile.DS002", + "Query": "data.builtin.dockerfile.DS002.deny", + "Resolution": "Add 'USER \u003cnon root user name\u003e' line to the Dockerfile", + "Severity": "HIGH", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ds002", + "References": [ + "https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", + "https://avd.aquasec.com/misconfig/ds002" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Dockerfile", + "Service": "general", + "Code": { + "Lines": null + } + } + }, + { + "Type": "Dockerfile Security Check", + "ID": "DS005", + "AVDID": "AVD-DS-0005", + "Title": "ADD instead of COPY", + "Description": "You should use COPY instead of ADD unless you want to extract a tar file. Note that an ADD command will extract a tar file, which adds the risk of Zip-based vulnerabilities. Accordingly, it is advised to use a COPY command, which does not extract tar files.", + "Message": "Consider using 'COPY . /app/' command instead of 'ADD . /app/'", + "Namespace": "builtin.dockerfile.DS005", + "Query": "data.builtin.dockerfile.DS005.deny", + "Resolution": "Use COPY instead of ADD", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ds005", + "References": [ + "https://docs.docker.com/engine/reference/builder/#add", + "https://avd.aquasec.com/misconfig/ds005" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Dockerfile", + "Service": "general", + "StartLine": 27, + "EndLine": 27, + "Code": { + "Lines": [ + { + "Number": 27, + "Content": "ADD . 
/app/", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m\u001b[38;5;64mADD\u001b[0m . /app/", + "FirstCause": true, + "LastCause": true + } + ] + } + } + }, + { + "Type": "Dockerfile Security Check", + "ID": "DS017", + "AVDID": "AVD-DS-0017", + "Title": "'RUN \u003cpackage-manager\u003e update' instruction alone", + "Description": "The instruction 'RUN \u003cpackage-manager\u003e update' should always be followed by '\u003cpackage-manager\u003e install' in the same RUN statement.", + "Message": "The instruction 'RUN \u003cpackage-manager\u003e update' should always be followed by '\u003cpackage-manager\u003e install' in the same RUN statement.", + "Namespace": "builtin.dockerfile.DS017", + "Query": "data.builtin.dockerfile.DS017.deny", + "Resolution": "Combine '\u003cpackage-manager\u003e update' and '\u003cpackage-manager\u003e install' instructions to single one", + "Severity": "HIGH", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ds017", + "References": [ + "https://docs.docker.com/develop/develop-images/dockerfile_best-practices/#run", + "https://avd.aquasec.com/misconfig/ds017" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Dockerfile", + "Service": "general", + "StartLine": 5, + "EndLine": 6, + "Code": { + "Lines": [ + { + "Number": 5, + "Content": "RUN apt-get clean \\", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m\u001b[38;5;64mRUN\u001b[0m apt-get clean \u001b[38;5;124m\\", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 6, + "Content": " \u0026\u0026 apt-get -y update", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;245m\u0026\u0026\u001b[0m apt-get -y update", + "FirstCause": false, + "LastCause": true + } + ] + } + } + }, + { + "Type": "Dockerfile Security Check", + "ID": "DS026", + "AVDID": "AVD-DS-0026", + "Title": "No HEALTHCHECK defined", + "Description": "You 
should add HEALTHCHECK instruction in your docker container images to perform the health check on running containers.", + "Message": "Add HEALTHCHECK instruction in your Dockerfile", + "Namespace": "builtin.dockerfile.DS026", + "Query": "data.builtin.dockerfile.DS026.deny", + "Resolution": "Add HEALTHCHECK instruction in Dockerfile", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ds026", + "References": [ + "https://blog.aquasec.com/docker-security-best-practices", + "https://avd.aquasec.com/misconfig/ds026" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Dockerfile", + "Service": "general", + "Code": { + "Lines": null + } + } + }, + { + "Type": "Dockerfile Security Check", + "ID": "DS029", + "AVDID": "AVD-DS-0029", + "Title": "'apt-get' missing '--no-install-recommends'", + "Description": "'apt-get' install should use '--no-install-recommends' to minimize image size.", + "Message": "'--no-install-recommends' flag is missed: 'apt-get -y install nginx \u0026\u0026 apt-get -y install python3-dev \u0026\u0026 apt-get -y install build-essential'", + "Namespace": "builtin.dockerfile.DS029", + "Query": "data.builtin.dockerfile.DS029.deny", + "Resolution": "Add '--no-install-recommends' flag to 'apt-get'", + "Severity": "HIGH", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ds029", + "References": [ + "https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", + "https://avd.aquasec.com/misconfig/ds029" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Dockerfile", + "Service": "general", + "StartLine": 9, + "EndLine": 11, + "Code": { + "Lines": [ + { + "Number": 9, + "Content": "RUN apt-get -y install nginx \\", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m\u001b[38;5;64mRUN\u001b[0m apt-get -y install nginx \u001b[38;5;124m\\", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 10, + "Content": " \u0026\u0026 apt-get 
-y install python3-dev \\", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;245m\u0026\u0026\u001b[0m apt-get -y install python3-dev \u001b[38;5;124m\\", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 11, + "Content": " \u0026\u0026 apt-get -y install build-essential", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;245m\u0026\u0026\u001b[0m apt-get -y install build-essential", + "FirstCause": false, + "LastCause": true + } + ] + } + } + } + ] + }, + { + "Target": "sample-docker-templates/go/Dockerfile", + "Class": "config", + "Type": "dockerfile", + "MisconfSummary": { + "Successes": 23, + "Failures": 4, + "Exceptions": 0 + }, + "Misconfigurations": [ + { + "Type": "Dockerfile Security Check", + "ID": "DS002", + "AVDID": "AVD-DS-0002", + "Title": "Image user should not be 'root'", + "Description": "Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.", + "Message": "Specify at least 1 USER command in Dockerfile with non-root user as argument", + "Namespace": "builtin.dockerfile.DS002", + "Query": "data.builtin.dockerfile.DS002.deny", + "Resolution": "Add 'USER \u003cnon root user name\u003e' line to the Dockerfile", + "Severity": "HIGH", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ds002", + "References": [ + "https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", + "https://avd.aquasec.com/misconfig/ds002" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Dockerfile", + "Service": "general", + "Code": { + "Lines": null + } + } + }, + { + "Type": "Dockerfile Security Check", + "ID": "DS005", + "AVDID": "AVD-DS-0005", + "Title": "ADD instead of COPY", + "Description": "You should use COPY instead of ADD unless you want to extract a tar file. 
Note that an ADD command will extract a tar file, which adds the risk of Zip-based vulnerabilities. Accordingly, it is advised to use a COPY command, which does not extract tar files.", + "Message": "Consider using 'COPY . /app/' command instead of 'ADD . /app/'", + "Namespace": "builtin.dockerfile.DS005", + "Query": "data.builtin.dockerfile.DS005.deny", + "Resolution": "Use COPY instead of ADD", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ds005", + "References": [ + "https://docs.docker.com/engine/reference/builder/#add", + "https://avd.aquasec.com/misconfig/ds005" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Dockerfile", + "Service": "general", + "StartLine": 15, + "EndLine": 15, + "Code": { + "Lines": [ + { + "Number": 15, + "Content": "ADD . /app/", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m\u001b[38;5;64mADD\u001b[0m . /app/", + "FirstCause": true, + "LastCause": true + } + ] + } + } + }, + { + "Type": "Dockerfile Security Check", + "ID": "DS025", + "AVDID": "AVD-DS-0025", + "Title": "'apk add' is missing '--no-cache'", + "Description": "You should use 'apk add' with '--no-cache' to clean package cached data and reduce image size.", + "Message": "'--no-cache' is missed: apk update \u0026\u0026 apk add ca-certificates \u0026\u0026 rm -rf /var/cache/apk/*", + "Namespace": "builtin.dockerfile.DS025", + "Query": "data.builtin.dockerfile.DS025.deny", + "Resolution": "Add '--no-cache' to 'apk add' in Dockerfile", + "Severity": "HIGH", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ds025", + "References": [ + "https://github.com/gliderlabs/docker-alpine/blob/master/docs/usage.md#disabling-cache", + "https://avd.aquasec.com/misconfig/ds025" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Dockerfile", + "Service": "general", + "StartLine": 27, + "EndLine": 27, + "Code": { + "Lines": [ + { + "Number": 27, + "Content": "RUN apk update 
\u0026\u0026 apk add ca-certificates \u0026\u0026 rm -rf /var/cache/apk/*", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m\u001b[38;5;64mRUN\u001b[0m apk update \u001b[38;5;245m\u0026\u0026\u001b[0m apk add ca-certificates \u001b[38;5;245m\u0026\u0026\u001b[0m rm -rf /var/cache/apk/*", + "FirstCause": true, + "LastCause": true + } + ] + } + } + }, + { + "Type": "Dockerfile Security Check", + "ID": "DS026", + "AVDID": "AVD-DS-0026", + "Title": "No HEALTHCHECK defined", + "Description": "You should add HEALTHCHECK instruction in your docker container images to perform the health check on running containers.", + "Message": "Add HEALTHCHECK instruction in your Dockerfile", + "Namespace": "builtin.dockerfile.DS026", + "Query": "data.builtin.dockerfile.DS026.deny", + "Resolution": "Add HEALTHCHECK instruction in Dockerfile", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ds026", + "References": [ + "https://blog.aquasec.com/docker-security-best-practices", + "https://avd.aquasec.com/misconfig/ds026" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Dockerfile", + "Service": "general", + "Code": { + "Lines": null + } + } + } + ] + }, + { + "Target": "sample-docker-templates/kotlin/Dockerfile", + "Class": "config", + "Type": "dockerfile", + "MisconfSummary": { + "Successes": 23, + "Failures": 4, + "Exceptions": 0 + }, + "Misconfigurations": [ + { + "Type": "Dockerfile Security Check", + "ID": "DS001", + "AVDID": "AVD-DS-0001", + "Title": "':latest' tag used", + "Description": "When using a 'FROM' statement you should use a specific tag to avoid uncontrolled behavior when the image is updated.", + "Message": "Specify a tag in the 'FROM' statement for image 'alpine'", + "Namespace": "builtin.dockerfile.DS001", + "Query": "data.builtin.dockerfile.DS001.deny", + "Resolution": "Add a tag to the image in the 'FROM' statement", + "Severity": "MEDIUM", + "PrimaryURL": 
"https://avd.aquasec.com/misconfig/ds001", + "References": [ + "https://avd.aquasec.com/misconfig/ds001" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Dockerfile", + "Service": "general", + "StartLine": 2, + "EndLine": 2, + "Code": { + "Lines": [ + { + "Number": 2, + "Content": "FROM alpine:latest", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m\u001b[38;5;64mFROM\u001b[0m\u001b[38;5;37m alpine:latest", + "FirstCause": true, + "LastCause": true + } + ] + } + } + }, + { + "Type": "Dockerfile Security Check", + "ID": "DS002", + "AVDID": "AVD-DS-0002", + "Title": "Image user should not be 'root'", + "Description": "Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.", + "Message": "Specify at least 1 USER command in Dockerfile with non-root user as argument", + "Namespace": "builtin.dockerfile.DS002", + "Query": "data.builtin.dockerfile.DS002.deny", + "Resolution": "Add 'USER \u003cnon root user name\u003e' line to the Dockerfile", + "Severity": "HIGH", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ds002", + "References": [ + "https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", + "https://avd.aquasec.com/misconfig/ds002" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Dockerfile", + "Service": "general", + "Code": { + "Lines": null + } + } + }, + { + "Type": "Dockerfile Security Check", + "ID": "DS013", + "AVDID": "AVD-DS-0013", + "Title": "'RUN cd ...' 
to change directory", + "Description": "Use WORKDIR instead of proliferating instructions like 'RUN cd … \u0026\u0026 do-something', which are hard to read, troubleshoot, and maintain.", + "Message": "RUN should not be used to change directory: 'apk add --no-cache build-base wget \u0026\u0026 cd /usr/lib \u0026\u0026 wget 'https://github.com/JetBrains/kotlin/releases/download/v1.3.72/kotlin-compiler-1.3.72.zip' \u0026\u0026 unzip kotlin-compiler-*.zip \u0026\u0026 rm kotlin-compiler-*.zip \u0026\u0026 rm -f kotlinc/bin/*.bat;'. Use 'WORKDIR' statement instead.", + "Namespace": "builtin.dockerfile.DS013", + "Query": "data.builtin.dockerfile.DS013.deny", + "Resolution": "Use WORKDIR to change directory", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ds013", + "References": [ + "https://docs.docker.com/develop/develop-images/dockerfile_best-practices/#workdir", + "https://avd.aquasec.com/misconfig/ds013" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Dockerfile", + "Service": "general", + "StartLine": 16, + "EndLine": 23, + "Code": { + "Lines": [ + { + "Number": 16, + "Content": "RUN apk add --no-cache build-base wget \u0026\u0026 \\", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[38;5;64mRUN\u001b[0m apk add --no-cache build-base wget \u001b[38;5;245m\u0026\u0026\u001b[0m \u001b[38;5;124m\\", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 17, + "Content": " cd /usr/lib \u0026\u0026 \\", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mcd\u001b[0m /usr/lib \u001b[38;5;245m\u0026\u0026\u001b[0m \u001b[38;5;124m\\", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 18, + "Content": " # Installing Kotlin compiler in zip file", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;239m# Installing Kotlin compiler in zip file", + "FirstCause": 
false, + "LastCause": false + }, + { + "Number": 19, + "Content": " wget 'https://github.com/JetBrains/kotlin/releases/download/v1.3.72/kotlin-compiler-1.3.72.zip' \u0026\u0026 \\", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m wget \u001b[38;5;37m'https://github.com/JetBrains/kotlin/releases/download/v1.3.72/kotlin-compiler-1.3.72.zip'\u001b[0m \u001b[38;5;245m\u0026\u0026\u001b[0m \u001b[38;5;124m\\", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 20, + "Content": " # Unzipping the downloaded zip file", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;239m# Unzipping the downloaded zip file", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 21, + "Content": " unzip kotlin-compiler-*.zip \u0026\u0026 \\", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m unzip kotlin-compiler-*.zip \u001b[38;5;245m\u0026\u0026\u001b[0m \u001b[38;5;124m\\", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 22, + "Content": " rm kotlin-compiler-*.zip \u0026\u0026 \\", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m rm kotlin-compiler-*.zip \u001b[38;5;245m\u0026\u0026\u001b[0m \u001b[38;5;124m\\", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 23, + "Content": " rm -f kotlinc/bin/*.bat;", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m rm -f kotlinc/bin/*.bat;", + "FirstCause": false, + "LastCause": true + } + ] + } + } + }, + { + "Type": "Dockerfile Security Check", + "ID": "DS026", + "AVDID": "AVD-DS-0026", + "Title": "No HEALTHCHECK defined", + "Description": "You should add HEALTHCHECK instruction in your docker container images to perform the health check on running containers.", + "Message": "Add HEALTHCHECK instruction in your Dockerfile", + "Namespace": "builtin.dockerfile.DS026", + "Query": 
"data.builtin.dockerfile.DS026.deny", + "Resolution": "Add HEALTHCHECK instruction in Dockerfile", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ds026", + "References": [ + "https://blog.aquasec.com/docker-security-best-practices", + "https://avd.aquasec.com/misconfig/ds026" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Dockerfile", + "Service": "general", + "Code": { + "Lines": null + } + } + } + ] + }, + { + "Target": "sample-docker-templates/node/Dockerfile", + "Class": "config", + "Type": "dockerfile", + "MisconfSummary": { + "Successes": 22, + "Failures": 5, + "Exceptions": 0 + }, + "Misconfigurations": [ + { + "Type": "Dockerfile Security Check", + "ID": "DS002", + "AVDID": "AVD-DS-0002", + "Title": "Image user should not be 'root'", + "Description": "Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.", + "Message": "Specify at least 1 USER command in Dockerfile with non-root user as argument", + "Namespace": "builtin.dockerfile.DS002", + "Query": "data.builtin.dockerfile.DS002.deny", + "Resolution": "Add 'USER \u003cnon root user name\u003e' line to the Dockerfile", + "Severity": "HIGH", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ds002", + "References": [ + "https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", + "https://avd.aquasec.com/misconfig/ds002" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Dockerfile", + "Service": "general", + "Code": { + "Lines": null + } + } + }, + { + "Type": "Dockerfile Security Check", + "ID": "DS005", + "AVDID": "AVD-DS-0005", + "Title": "ADD instead of COPY", + "Description": "You should use COPY instead of ADD unless you want to extract a tar file. Note that an ADD command will extract a tar file, which adds the risk of Zip-based vulnerabilities. 
Accordingly, it is advised to use a COPY command, which does not extract tar files.", + "Message": "Consider using 'COPY . /app/' command instead of 'ADD . /app/'", + "Namespace": "builtin.dockerfile.DS005", + "Query": "data.builtin.dockerfile.DS005.deny", + "Resolution": "Use COPY instead of ADD", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ds005", + "References": [ + "https://docs.docker.com/engine/reference/builder/#add", + "https://avd.aquasec.com/misconfig/ds005" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Dockerfile", + "Service": "general", + "StartLine": 25, + "EndLine": 25, + "Code": { + "Lines": [ + { + "Number": 25, + "Content": "ADD . /app/", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m\u001b[38;5;64mADD\u001b[0m . /app/", + "FirstCause": true, + "LastCause": true + } + ] + } + } + }, + { + "Type": "Dockerfile Security Check", + "ID": "DS017", + "AVDID": "AVD-DS-0017", + "Title": "'RUN \u003cpackage-manager\u003e update' instruction alone", + "Description": "The instruction 'RUN \u003cpackage-manager\u003e update' should always be followed by '\u003cpackage-manager\u003e install' in the same RUN statement.", + "Message": "The instruction 'RUN \u003cpackage-manager\u003e update' should always be followed by '\u003cpackage-manager\u003e install' in the same RUN statement.", + "Namespace": "builtin.dockerfile.DS017", + "Query": "data.builtin.dockerfile.DS017.deny", + "Resolution": "Combine '\u003cpackage-manager\u003e update' and '\u003cpackage-manager\u003e install' instructions to single one", + "Severity": "HIGH", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ds017", + "References": [ + "https://docs.docker.com/develop/develop-images/dockerfile_best-practices/#run", + "https://avd.aquasec.com/misconfig/ds017" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Dockerfile", + "Service": "general", + "StartLine": 8, + 
"EndLine": 9, + "Code": { + "Lines": [ + { + "Number": 8, + "Content": "RUN apt-get clean \\", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m\u001b[38;5;64mRUN\u001b[0m apt-get clean \u001b[38;5;124m\\", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 9, + "Content": " \u0026\u0026 apt-get -y update", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;245m\u0026\u0026\u001b[0m apt-get -y update", + "FirstCause": false, + "LastCause": true + } + ] + } + } + }, + { + "Type": "Dockerfile Security Check", + "ID": "DS026", + "AVDID": "AVD-DS-0026", + "Title": "No HEALTHCHECK defined", + "Description": "You should add HEALTHCHECK instruction in your docker container images to perform the health check on running containers.", + "Message": "Add HEALTHCHECK instruction in your Dockerfile", + "Namespace": "builtin.dockerfile.DS026", + "Query": "data.builtin.dockerfile.DS026.deny", + "Resolution": "Add HEALTHCHECK instruction in Dockerfile", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ds026", + "References": [ + "https://blog.aquasec.com/docker-security-best-practices", + "https://avd.aquasec.com/misconfig/ds026" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Dockerfile", + "Service": "general", + "Code": { + "Lines": null + } + } + }, + { + "Type": "Dockerfile Security Check", + "ID": "DS029", + "AVDID": "AVD-DS-0029", + "Title": "'apt-get' missing '--no-install-recommends'", + "Description": "'apt-get' install should use '--no-install-recommends' to minimize image size.", + "Message": "'--no-install-recommends' flag is missed: 'apt-get -y install nginx \u0026\u0026 apt-get -y install python3-dev \u0026\u0026 apt-get -y install build-essential'", + "Namespace": "builtin.dockerfile.DS029", + "Query": "data.builtin.dockerfile.DS029.deny", + "Resolution": "Add '--no-install-recommends' flag to 'apt-get'", + 
"Severity": "HIGH", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ds029", + "References": [ + "https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", + "https://avd.aquasec.com/misconfig/ds029" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Dockerfile", + "Service": "general", + "StartLine": 12, + "EndLine": 14, + "Code": { + "Lines": [ + { + "Number": 12, + "Content": "RUN apt-get -y install nginx \\", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m\u001b[38;5;64mRUN\u001b[0m apt-get -y install nginx \u001b[38;5;124m\\", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 13, + "Content": " \u0026\u0026 apt-get -y install python3-dev \\", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;245m\u0026\u0026\u001b[0m apt-get -y install python3-dev \u001b[38;5;124m\\", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 14, + "Content": " \u0026\u0026 apt-get -y install build-essential", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;245m\u0026\u0026\u001b[0m apt-get -y install build-essential", + "FirstCause": false, + "LastCause": true + } + ] + } + } + } + ] + }, + { + "Target": "sample-docker-templates/php/php7.4/Dockerfile", + "Class": "config", + "Type": "dockerfile", + "MisconfSummary": { + "Successes": 22, + "Failures": 6, + "Exceptions": 0 + }, + "Misconfigurations": [ + { + "Type": "Dockerfile Security Check", + "ID": "DS002", + "AVDID": "AVD-DS-0002", + "Title": "Image user should not be 'root'", + "Description": "Running containers with 'root' user can lead to a container escape situation. 
It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.", + "Message": "Specify at least 1 USER command in Dockerfile with non-root user as argument", + "Namespace": "builtin.dockerfile.DS002", + "Query": "data.builtin.dockerfile.DS002.deny", + "Resolution": "Add 'USER \u003cnon root user name\u003e' line to the Dockerfile", + "Severity": "HIGH", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ds002", + "References": [ + "https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", + "https://avd.aquasec.com/misconfig/ds002" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Dockerfile", + "Service": "general", + "Code": { + "Lines": null + } + } + }, + { + "Type": "Dockerfile Security Check", + "ID": "DS005", + "AVDID": "AVD-DS-0005", + "Title": "ADD instead of COPY", + "Description": "You should use COPY instead of ADD unless you want to extract a tar file. Note that an ADD command will extract a tar file, which adds the risk of Zip-based vulnerabilities. 
Accordingly, it is advised to use a COPY command, which does not extract tar files.", + "Message": "Consider using 'COPY nginx-site.conf /etc/nginx/sites-available/default' command instead of 'ADD nginx-site.conf /etc/nginx/sites-available/default'", + "Namespace": "builtin.dockerfile.DS005", + "Query": "data.builtin.dockerfile.DS005.deny", + "Resolution": "Use COPY instead of ADD", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ds005", + "References": [ + "https://docs.docker.com/engine/reference/builder/#add", + "https://avd.aquasec.com/misconfig/ds005" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Dockerfile", + "Service": "general", + "StartLine": 14, + "EndLine": 14, + "Code": { + "Lines": [ + { + "Number": 14, + "Content": "ADD nginx-site.conf /etc/nginx/sites-available/default", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[38;5;64mADD\u001b[0m nginx-site.conf /etc/nginx/sites-available/default", + "FirstCause": true, + "LastCause": true + } + ] + } + } + }, + { + "Type": "Dockerfile Security Check", + "ID": "DS017", + "AVDID": "AVD-DS-0017", + "Title": "'RUN \u003cpackage-manager\u003e update' instruction alone", + "Description": "The instruction 'RUN \u003cpackage-manager\u003e update' should always be followed by '\u003cpackage-manager\u003e install' in the same RUN statement.", + "Message": "The instruction 'RUN \u003cpackage-manager\u003e update' should always be followed by '\u003cpackage-manager\u003e install' in the same RUN statement.", + "Namespace": "builtin.dockerfile.DS017", + "Query": "data.builtin.dockerfile.DS017.deny", + "Resolution": "Combine '\u003cpackage-manager\u003e update' and '\u003cpackage-manager\u003e install' instructions to single one", + "Severity": "HIGH", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ds017", + "References": [ + "https://docs.docker.com/develop/develop-images/dockerfile_best-practices/#run", + 
"https://avd.aquasec.com/misconfig/ds017" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Dockerfile", + "Service": "general", + "StartLine": 3, + "EndLine": 3, + "Code": { + "Lines": [ + { + "Number": 3, + "Content": "RUN apt-get update", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[38;5;64mRUN\u001b[0m apt-get update", + "FirstCause": true, + "LastCause": true + } + ] + } + } + }, + { + "Type": "Dockerfile Security Check", + "ID": "DS026", + "AVDID": "AVD-DS-0026", + "Title": "No HEALTHCHECK defined", + "Description": "You should add HEALTHCHECK instruction in your docker container images to perform the health check on running containers.", + "Message": "Add HEALTHCHECK instruction in your Dockerfile", + "Namespace": "builtin.dockerfile.DS026", + "Query": "data.builtin.dockerfile.DS026.deny", + "Resolution": "Add HEALTHCHECK instruction in Dockerfile", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ds026", + "References": [ + "https://blog.aquasec.com/docker-security-best-practices", + "https://avd.aquasec.com/misconfig/ds026" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Dockerfile", + "Service": "general", + "Code": { + "Lines": null + } + } + }, + { + "Type": "Dockerfile Security Check", + "ID": "DS029", + "AVDID": "AVD-DS-0029", + "Title": "'apt-get' missing '--no-install-recommends'", + "Description": "'apt-get' install should use '--no-install-recommends' to minimize image size.", + "Message": "'--no-install-recommends' flag is missed: 'DEBIAN_FRONTEND=\"noninteractive\" apt-get install -y nginx-full'", + "Namespace": "builtin.dockerfile.DS029", + "Query": "data.builtin.dockerfile.DS029.deny", + "Resolution": "Add '--no-install-recommends' flag to 'apt-get'", + "Severity": "HIGH", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ds029", + "References": [ + "https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", + 
"https://avd.aquasec.com/misconfig/ds029" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Dockerfile", + "Service": "general", + "StartLine": 13, + "EndLine": 13, + "Code": { + "Lines": [ + { + "Number": 13, + "Content": "RUN DEBIAN_FRONTEND=\"noninteractive\" apt-get install -y nginx-full", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[38;5;64mRUN\u001b[0m \u001b[38;5;33mDEBIAN_FRONTEND\u001b[0m\u001b[38;5;245m=\u001b[0m\u001b[38;5;37m\"noninteractive\"\u001b[0m apt-get install -y nginx-full", + "FirstCause": true, + "LastCause": true + } + ] + } + } + }, + { + "Type": "Dockerfile Security Check", + "ID": "DS029", + "AVDID": "AVD-DS-0029", + "Title": "'apt-get' missing '--no-install-recommends'", + "Description": "'apt-get' install should use '--no-install-recommends' to minimize image size.", + "Message": "'--no-install-recommends' flag is missed: 'DEBIAN_FRONTEND=noninteractive apt-get install -y --fix-missing php7.4 php7.4-cli php-fpm php7.4-mysql php7.4-curl net-tools'", + "Namespace": "builtin.dockerfile.DS029", + "Query": "data.builtin.dockerfile.DS029.deny", + "Resolution": "Add '--no-install-recommends' flag to 'apt-get'", + "Severity": "HIGH", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ds029", + "References": [ + "https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", + "https://avd.aquasec.com/misconfig/ds029" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Dockerfile", + "Service": "general", + "StartLine": 6, + "EndLine": 11, + "Code": { + "Lines": [ + { + "Number": 6, + "Content": "RUN DEBIAN_FRONTEND=noninteractive apt-get install -y --fix-missing php7.4 \\", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[38;5;64mRUN\u001b[0m \u001b[38;5;33mDEBIAN_FRONTEND\u001b[0m\u001b[38;5;245m=\u001b[0mnoninteractive apt-get install -y --fix-missing php7.4 \u001b[38;5;124m\\", + "FirstCause": true, + 
"LastCause": false + }, + { + "Number": 7, + "Content": " php7.4-cli \\", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m php7.4-cli \u001b[38;5;124m\\", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 8, + "Content": " php-fpm \\", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m php-fpm \u001b[38;5;124m\\", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 9, + "Content": " php7.4-mysql \\", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m php7.4-mysql \u001b[38;5;124m\\", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 10, + "Content": " php7.4-curl \\", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m php7.4-curl \u001b[38;5;124m\\", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 11, + "Content": " net-tools", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m net-tools", + "FirstCause": false, + "LastCause": true + } + ] + } + } + } + ] + }, + { + "Target": "sample-docker-templates/react/Dockerfile", + "Class": "config", + "Type": "dockerfile", + "MisconfSummary": { + "Successes": 24, + "Failures": 3, + "Exceptions": 0 + }, + "Misconfigurations": [ + { + "Type": "Dockerfile Security Check", + "ID": "DS002", + "AVDID": "AVD-DS-0002", + "Title": "Image user should not be 'root'", + "Description": "Running containers with 'root' user can lead to a container escape situation. 
It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.", + "Message": "Specify at least 1 USER command in Dockerfile with non-root user as argument", + "Namespace": "builtin.dockerfile.DS002", + "Query": "data.builtin.dockerfile.DS002.deny", + "Resolution": "Add 'USER \u003cnon root user name\u003e' line to the Dockerfile", + "Severity": "HIGH", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ds002", + "References": [ + "https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", + "https://avd.aquasec.com/misconfig/ds002" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Dockerfile", + "Service": "general", + "Code": { + "Lines": null + } + } + }, + { + "Type": "Dockerfile Security Check", + "ID": "DS005", + "AVDID": "AVD-DS-0005", + "Title": "ADD instead of COPY", + "Description": "You should use COPY instead of ADD unless you want to extract a tar file. Note that an ADD command will extract a tar file, which adds the risk of Zip-based vulnerabilities. Accordingly, it is advised to use a COPY command, which does not extract tar files.", + "Message": "Consider using 'COPY . /app/' command instead of 'ADD . /app/'", + "Namespace": "builtin.dockerfile.DS005", + "Query": "data.builtin.dockerfile.DS005.deny", + "Resolution": "Use COPY instead of ADD", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ds005", + "References": [ + "https://docs.docker.com/engine/reference/builder/#add", + "https://avd.aquasec.com/misconfig/ds005" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Dockerfile", + "Service": "general", + "StartLine": 10, + "EndLine": 10, + "Code": { + "Lines": [ + { + "Number": 10, + "Content": "ADD . /app/", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m\u001b[38;5;64mADD\u001b[0m . 
/app/", + "FirstCause": true, + "LastCause": true + } + ] + } + } + }, + { + "Type": "Dockerfile Security Check", + "ID": "DS026", + "AVDID": "AVD-DS-0026", + "Title": "No HEALTHCHECK defined", + "Description": "You should add HEALTHCHECK instruction in your docker container images to perform the health check on running containers.", + "Message": "Add HEALTHCHECK instruction in your Dockerfile", + "Namespace": "builtin.dockerfile.DS026", + "Query": "data.builtin.dockerfile.DS026.deny", + "Resolution": "Add HEALTHCHECK instruction in Dockerfile", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ds026", + "References": [ + "https://blog.aquasec.com/docker-security-best-practices", + "https://avd.aquasec.com/misconfig/ds026" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Dockerfile", + "Service": "general", + "Code": { + "Lines": null + } + } + } + ] + }, + { + "Target": "sample-docker-templates/rust/Dockerfile", + "Class": "config", + "Type": "dockerfile", + "MisconfSummary": { + "Successes": 24, + "Failures": 3, + "Exceptions": 0 + }, + "Misconfigurations": [ + { + "Type": "Dockerfile Security Check", + "ID": "DS001", + "AVDID": "AVD-DS-0001", + "Title": "':latest' tag used", + "Description": "When using a 'FROM' statement you should use a specific tag to avoid uncontrolled behavior when the image is updated.", + "Message": "Specify a tag in the 'FROM' statement for image 'alpine'", + "Namespace": "builtin.dockerfile.DS001", + "Query": "data.builtin.dockerfile.DS001.deny", + "Resolution": "Add a tag to the image in the 'FROM' statement", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ds001", + "References": [ + "https://avd.aquasec.com/misconfig/ds001" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Dockerfile", + "Service": "general", + "StartLine": 2, + "EndLine": 2, + "Code": { + "Lines": [ + { + "Number": 2, + "Content": "FROM alpine:latest", + "IsCause": 
true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m\u001b[38;5;64mFROM\u001b[0m\u001b[38;5;37m alpine:latest", + "FirstCause": true, + "LastCause": true + } + ] + } + } + }, + { + "Type": "Dockerfile Security Check", + "ID": "DS002", + "AVDID": "AVD-DS-0002", + "Title": "Image user should not be 'root'", + "Description": "Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.", + "Message": "Specify at least 1 USER command in Dockerfile with non-root user as argument", + "Namespace": "builtin.dockerfile.DS002", + "Query": "data.builtin.dockerfile.DS002.deny", + "Resolution": "Add 'USER \u003cnon root user name\u003e' line to the Dockerfile", + "Severity": "HIGH", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ds002", + "References": [ + "https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", + "https://avd.aquasec.com/misconfig/ds002" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Dockerfile", + "Service": "general", + "Code": { + "Lines": null + } + } + }, + { + "Type": "Dockerfile Security Check", + "ID": "DS026", + "AVDID": "AVD-DS-0026", + "Title": "No HEALTHCHECK defined", + "Description": "You should add HEALTHCHECK instruction in your docker container images to perform the health check on running containers.", + "Message": "Add HEALTHCHECK instruction in your Dockerfile", + "Namespace": "builtin.dockerfile.DS026", + "Query": "data.builtin.dockerfile.DS026.deny", + "Resolution": "Add HEALTHCHECK instruction in Dockerfile", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ds026", + "References": [ + "https://blog.aquasec.com/docker-security-best-practices", + "https://avd.aquasec.com/misconfig/ds026" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Dockerfile", + "Service": "general", + 
"Code": { + "Lines": null + } + } + } + ] + }, + { + "Target": "scripts/devtron-reference-helm-charts/deployment-chart_1-0-0/test-values.json", + "Class": "config", + "Type": "cloudformation", + "MisconfSummary": { + "Successes": 5, + "Failures": 0, + "Exceptions": 0 + } + }, + { + "Target": "scripts/devtron-reference-helm-charts/deployment-chart_1-1-0/test-values.json", + "Class": "config", + "Type": "cloudformation", + "MisconfSummary": { + "Successes": 5, + "Failures": 0, + "Exceptions": 0 + } + }, + { + "Target": "scripts/devtron-reference-helm-charts/deployment-chart_4-18-0/test-values.json", + "Class": "config", + "Type": "cloudformation", + "MisconfSummary": { + "Successes": 5, + "Failures": 0, + "Exceptions": 0 + } + }, + { + "Target": "scripts/devtron-reference-helm-charts/deployment-chart_4-19-0/test-values.json", + "Class": "config", + "Type": "cloudformation", + "MisconfSummary": { + "Successes": 5, + "Failures": 0, + "Exceptions": 0 + } + }, + { + "Target": "scripts/devtron-reference-helm-charts/reference-app-rolling/templates/deployment.yaml", + "Class": "config", + "Type": "helm", + "MisconfSummary": { + "Successes": 102, + "Failures": 0, + "Exceptions": 0 + } + }, + { + "Target": "scripts/devtron-reference-helm-charts/reference-app-rolling/templates/hpa.yaml", + "Class": "config", + "Type": "helm", + "MisconfSummary": { + "Successes": 102, + "Failures": 0, + "Exceptions": 0 + } + }, + { + "Target": "scripts/devtron-reference-helm-charts/reference-app-rolling/templates/service.yaml", + "Class": "config", + "Type": "helm", + "MisconfSummary": { + "Successes": 103, + "Failures": 0, + "Exceptions": 0 + } + }, + { + "Target": "scripts/devtron-reference-helm-charts/reference-app/templates/service-prod.yaml", + "Class": "config", + "Type": "helm", + "MisconfSummary": { + "Successes": 103, + "Failures": 0, + "Exceptions": 0 + } + }, + { + "Target": "scripts/devtron-reference-helm-charts/reference-app/templates/servicemonitor.yaml", + "Class": "config", + 
"Type": "helm", + "MisconfSummary": { + "Successes": 102, + "Failures": 0, + "Exceptions": 0 + } + }, + { + "Target": "tests/integrationTesting/migrator.yaml", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 140, + "Failures": 65, + "Exceptions": 0 + }, + "Misconfigurations": [ + { + "Type": "Kubernetes Security Check", + "ID": "KSV001", + "AVDID": "AVD-KSV-0001", + "Title": "Can elevate its own privileges", + "Description": "A program inside the container can elevate its own privileges and run as root, which might give the program control over the container and node.", + "Message": "Container 'postgresql-migrate-casbin' of Job 'postgresql-migrate-casbin' should set 'securityContext.allowPrivilegeEscalation' to false", + "Namespace": "builtin.kubernetes.KSV001", + "Query": "data.builtin.kubernetes.KSV001.deny", + "Resolution": "Set 'set containers[].securityContext.allowPrivilegeEscalation' to 'false'.", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv001", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", + "https://avd.aquasec.com/misconfig/ksv001" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 47, + "EndLine": 72, + "Code": { + "Lines": [ + { + "Number": 47, + "Content": " - name: postgresql-migrate-casbin", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-migrate-casbin", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 48, + "Content": " image: quay.io/devtron/migrator:71748de9-149-11112", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/migrator:71748de9-149-11112", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 49, + "Content": " env:", + "IsCause": true, + "Annotation": "", + 
"Truncated": false, + "Highlighted": " \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 50, + "Content": " - name: SCRIPT_LOCATION", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: SCRIPT_LOCATION", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 51, + "Content": " value: scripts/casbin/", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: scripts/casbin/", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 52, + "Content": " - name: GIT_REPO_URL", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: GIT_REPO_URL", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 53, + "Content": " value: https://github.com/devtron-labs/devtron.git", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: https://github.com/devtron-labs/devtron.git", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 54, + "Content": " - name: DB_TYPE", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: DB_TYPE", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 55, + "Content": " value: postgres", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: postgres", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 56, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV001", + "AVDID": "AVD-KSV-0001", + "Title": "Can elevate its own privileges", + "Description": "A program inside the container can elevate its own privileges and run as root, which might give the program 
control over the container and node.", + "Message": "Container 'postgresql-migrate-devtron' of Job 'postgresql-migrate-devtron' should set 'securityContext.allowPrivilegeEscalation' to false", + "Namespace": "builtin.kubernetes.KSV001", + "Query": "data.builtin.kubernetes.KSV001.deny", + "Resolution": "Set 'set containers[].securityContext.allowPrivilegeEscalation' to 'false'.", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv001", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", + "https://avd.aquasec.com/misconfig/ksv001" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 9, + "EndLine": 34, + "Code": { + "Lines": [ + { + "Number": 9, + "Content": " - name: postgresql-migrate-devtron", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-migrate-devtron", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 10, + "Content": " image: quay.io/devtron/migrator:71748de9-149-11112", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/migrator:71748de9-149-11112", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 11, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 12, + "Content": " - name: GIT_BRANCH", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: GIT_BRANCH", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 13, + "Content": " value: main", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: main", + "FirstCause": false, + "LastCause": false + }, + { + 
"Number": 14, + "Content": " - name: SCRIPT_LOCATION", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: SCRIPT_LOCATION", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 15, + "Content": " value: scripts/sql/", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: scripts/sql/", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 16, + "Content": " - name: GIT_REPO_URL", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: GIT_REPO_URL", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 17, + "Content": " value: https://github.com/devtron-labs/devtron.git", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: https://github.com/devtron-labs/devtron.git", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 18, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV001", + "AVDID": "AVD-KSV-0001", + "Title": "Can elevate its own privileges", + "Description": "A program inside the container can elevate its own privileges and run as root, which might give the program control over the container and node.", + "Message": "Container 'postgresql-migrate-gitsensor' of Job 'postgresql-migrate-gitsensor' should set 'securityContext.allowPrivilegeEscalation' to false", + "Namespace": "builtin.kubernetes.KSV001", + "Query": "data.builtin.kubernetes.KSV001.deny", + "Resolution": "Set 'set containers[].securityContext.allowPrivilegeEscalation' to 'false'.", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv001", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", + 
"https://avd.aquasec.com/misconfig/ksv001" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 85, + "EndLine": 110, + "Code": { + "Lines": [ + { + "Number": 85, + "Content": " - name: postgresql-migrate-gitsensor", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-migrate-gitsensor", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 86, + "Content": " image: quay.io/devtron/migrator:71748de9-149-11112", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/migrator:71748de9-149-11112", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 87, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 88, + "Content": " - name: SCRIPT_LOCATION", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: SCRIPT_LOCATION", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 89, + "Content": " value: scripts/sql/", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: scripts/sql/", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 90, + "Content": " - name: GIT_REPO_URL", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: GIT_REPO_URL", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 91, + "Content": " value: https://github.com/devtron-labs/git-sensor.git", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: https://github.com/devtron-labs/git-sensor.git", + "FirstCause": false, + "LastCause": false + }, + { + 
"Number": 92, + "Content": " - name: DB_TYPE", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: DB_TYPE", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 93, + "Content": " value: postgres", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: postgres", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 94, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV001", + "AVDID": "AVD-KSV-0001", + "Title": "Can elevate its own privileges", + "Description": "A program inside the container can elevate its own privileges and run as root, which might give the program control over the container and node.", + "Message": "Container 'postgresql-migrate-lens' of Job 'postgresql-migrate-lens' should set 'securityContext.allowPrivilegeEscalation' to false", + "Namespace": "builtin.kubernetes.KSV001", + "Query": "data.builtin.kubernetes.KSV001.deny", + "Resolution": "Set 'set containers[].securityContext.allowPrivilegeEscalation' to 'false'.", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv001", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", + "https://avd.aquasec.com/misconfig/ksv001" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 123, + "EndLine": 148, + "Code": { + "Lines": [ + { + "Number": 123, + "Content": " - name: postgresql-migrate-lens", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-migrate-lens", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 124, + "Content": " image: quay.io/devtron/migrator:71748de9-149-11112", + 
"IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/migrator:71748de9-149-11112", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 125, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 126, + "Content": " - name: SCRIPT_LOCATION", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: SCRIPT_LOCATION", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 127, + "Content": " value: scripts/sql/", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: scripts/sql/", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 128, + "Content": " - name: GIT_REPO_URL", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: GIT_REPO_URL", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 129, + "Content": " value: https://github.com/devtron-labs/lens.git", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: https://github.com/devtron-labs/lens.git", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 130, + "Content": " - name: DB_TYPE", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: DB_TYPE", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 131, + "Content": " value: postgres", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: postgres", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 132, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + 
} + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV001", + "AVDID": "AVD-KSV-0001", + "Title": "Can elevate its own privileges", + "Description": "A program inside the container can elevate its own privileges and run as root, which might give the program control over the container and node.", + "Message": "Container 'postgresql-miscellaneous' of Job 'postgresql-miscellaneous' should set 'securityContext.allowPrivilegeEscalation' to false", + "Namespace": "builtin.kubernetes.KSV001", + "Query": "data.builtin.kubernetes.KSV001.deny", + "Resolution": "Set 'set containers[].securityContext.allowPrivilegeEscalation' to 'false'.", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv001", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", + "https://avd.aquasec.com/misconfig/ksv001" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 165, + "EndLine": 181, + "Code": { + "Lines": [ + { + "Number": 165, + "Content": " - name: postgresql-miscellaneous", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-miscellaneous", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 166, + "Content": " image: quay.io/devtron/postgres:11.9", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/postgres:11.9", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 167, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 168, + "Content": " - name: PGPASSWORD", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: PGPASSWORD", + "FirstCause": false, + 
"LastCause": false + }, + { + "Number": 169, + "Content": " valueFrom:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalueFrom\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 170, + "Content": " secretKeyRef:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33msecretKeyRef\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 171, + "Content": " name: postgresql-postgresql", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mname\u001b[0m: postgresql-postgresql", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 172, + "Content": " key: postgresql-password", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mkey\u001b[0m: postgresql-password", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 173, + "Content": " - name: PGHOST", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: PGHOST", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 174, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV003", + "AVDID": "AVD-KSV-0003", + "Title": "Default capabilities: some containers do not drop all", + "Description": "The container should drop all default capabilities and add only those that are needed for its execution.", + "Message": "Container 'postgresql-migrate-casbin' of Job 'postgresql-migrate-casbin' should add 'ALL' to 'securityContext.capabilities.drop'", + "Namespace": "builtin.kubernetes.KSV003", + "Query": "data.builtin.kubernetes.KSV003.deny", + "Resolution": "Add 'ALL' to containers[].securityContext.capabilities.drop.", + "Severity": "LOW", + "PrimaryURL": 
"https://avd.aquasec.com/misconfig/ksv003", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-capabilities-drop-index-all/", + "https://avd.aquasec.com/misconfig/ksv003" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 47, + "EndLine": 72, + "Code": { + "Lines": [ + { + "Number": 47, + "Content": " - name: postgresql-migrate-casbin", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-migrate-casbin", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 48, + "Content": " image: quay.io/devtron/migrator:71748de9-149-11112", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/migrator:71748de9-149-11112", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 49, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 50, + "Content": " - name: SCRIPT_LOCATION", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: SCRIPT_LOCATION", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 51, + "Content": " value: scripts/casbin/", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: scripts/casbin/", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 52, + "Content": " - name: GIT_REPO_URL", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: GIT_REPO_URL", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 53, + "Content": " value: https://github.com/devtron-labs/devtron.git", + "IsCause": true, + "Annotation": "", + "Truncated": false, + 
"Highlighted": " \u001b[38;5;33mvalue\u001b[0m: https://github.com/devtron-labs/devtron.git", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 54, + "Content": " - name: DB_TYPE", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: DB_TYPE", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 55, + "Content": " value: postgres", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: postgres", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 56, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV003", + "AVDID": "AVD-KSV-0003", + "Title": "Default capabilities: some containers do not drop all", + "Description": "The container should drop all default capabilities and add only those that are needed for its execution.", + "Message": "Container 'postgresql-migrate-devtron' of Job 'postgresql-migrate-devtron' should add 'ALL' to 'securityContext.capabilities.drop'", + "Namespace": "builtin.kubernetes.KSV003", + "Query": "data.builtin.kubernetes.KSV003.deny", + "Resolution": "Add 'ALL' to containers[].securityContext.capabilities.drop.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv003", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-capabilities-drop-index-all/", + "https://avd.aquasec.com/misconfig/ksv003" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 9, + "EndLine": 34, + "Code": { + "Lines": [ + { + "Number": 9, + "Content": " - name: postgresql-migrate-devtron", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-migrate-devtron", + "FirstCause": true, + 
"LastCause": false + }, + { + "Number": 10, + "Content": " image: quay.io/devtron/migrator:71748de9-149-11112", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/migrator:71748de9-149-11112", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 11, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 12, + "Content": " - name: GIT_BRANCH", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: GIT_BRANCH", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 13, + "Content": " value: main", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: main", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 14, + "Content": " - name: SCRIPT_LOCATION", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: SCRIPT_LOCATION", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 15, + "Content": " value: scripts/sql/", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: scripts/sql/", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 16, + "Content": " - name: GIT_REPO_URL", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: GIT_REPO_URL", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 17, + "Content": " value: https://github.com/devtron-labs/devtron.git", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: https://github.com/devtron-labs/devtron.git", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 18, + "Content": 
"", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV003", + "AVDID": "AVD-KSV-0003", + "Title": "Default capabilities: some containers do not drop all", + "Description": "The container should drop all default capabilities and add only those that are needed for its execution.", + "Message": "Container 'postgresql-migrate-gitsensor' of Job 'postgresql-migrate-gitsensor' should add 'ALL' to 'securityContext.capabilities.drop'", + "Namespace": "builtin.kubernetes.KSV003", + "Query": "data.builtin.kubernetes.KSV003.deny", + "Resolution": "Add 'ALL' to containers[].securityContext.capabilities.drop.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv003", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-capabilities-drop-index-all/", + "https://avd.aquasec.com/misconfig/ksv003" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 85, + "EndLine": 110, + "Code": { + "Lines": [ + { + "Number": 85, + "Content": " - name: postgresql-migrate-gitsensor", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-migrate-gitsensor", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 86, + "Content": " image: quay.io/devtron/migrator:71748de9-149-11112", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/migrator:71748de9-149-11112", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 87, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 88, + "Content": " - name: SCRIPT_LOCATION", + "IsCause": true, + "Annotation": 
"", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: SCRIPT_LOCATION", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 89, + "Content": " value: scripts/sql/", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: scripts/sql/", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 90, + "Content": " - name: GIT_REPO_URL", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: GIT_REPO_URL", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 91, + "Content": " value: https://github.com/devtron-labs/git-sensor.git", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: https://github.com/devtron-labs/git-sensor.git", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 92, + "Content": " - name: DB_TYPE", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: DB_TYPE", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 93, + "Content": " value: postgres", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: postgres", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 94, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV003", + "AVDID": "AVD-KSV-0003", + "Title": "Default capabilities: some containers do not drop all", + "Description": "The container should drop all default capabilities and add only those that are needed for its execution.", + "Message": "Container 'postgresql-migrate-lens' of Job 'postgresql-migrate-lens' should add 'ALL' to 'securityContext.capabilities.drop'", + "Namespace": "builtin.kubernetes.KSV003", + "Query": 
"data.builtin.kubernetes.KSV003.deny", + "Resolution": "Add 'ALL' to containers[].securityContext.capabilities.drop.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv003", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-capabilities-drop-index-all/", + "https://avd.aquasec.com/misconfig/ksv003" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 123, + "EndLine": 148, + "Code": { + "Lines": [ + { + "Number": 123, + "Content": " - name: postgresql-migrate-lens", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-migrate-lens", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 124, + "Content": " image: quay.io/devtron/migrator:71748de9-149-11112", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/migrator:71748de9-149-11112", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 125, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 126, + "Content": " - name: SCRIPT_LOCATION", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: SCRIPT_LOCATION", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 127, + "Content": " value: scripts/sql/", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: scripts/sql/", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 128, + "Content": " - name: GIT_REPO_URL", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: GIT_REPO_URL", + "FirstCause": false, + "LastCause": false + }, + { + 
"Number": 129, + "Content": " value: https://github.com/devtron-labs/lens.git", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: https://github.com/devtron-labs/lens.git", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 130, + "Content": " - name: DB_TYPE", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: DB_TYPE", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 131, + "Content": " value: postgres", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: postgres", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 132, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV003", + "AVDID": "AVD-KSV-0003", + "Title": "Default capabilities: some containers do not drop all", + "Description": "The container should drop all default capabilities and add only those that are needed for its execution.", + "Message": "Container 'postgresql-miscellaneous' of Job 'postgresql-miscellaneous' should add 'ALL' to 'securityContext.capabilities.drop'", + "Namespace": "builtin.kubernetes.KSV003", + "Query": "data.builtin.kubernetes.KSV003.deny", + "Resolution": "Add 'ALL' to containers[].securityContext.capabilities.drop.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv003", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-capabilities-drop-index-all/", + "https://avd.aquasec.com/misconfig/ksv003" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 165, + "EndLine": 181, + "Code": { + "Lines": [ + { + "Number": 165, + "Content": " - name: postgresql-miscellaneous", + "IsCause": true, + 
"Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-miscellaneous", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 166, + "Content": " image: quay.io/devtron/postgres:11.9", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/postgres:11.9", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 167, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 168, + "Content": " - name: PGPASSWORD", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: PGPASSWORD", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 169, + "Content": " valueFrom:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalueFrom\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 170, + "Content": " secretKeyRef:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33msecretKeyRef\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 171, + "Content": " name: postgresql-postgresql", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mname\u001b[0m: postgresql-postgresql", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 172, + "Content": " key: postgresql-password", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mkey\u001b[0m: postgresql-password", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 173, + "Content": " - name: PGHOST", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: PGHOST", + "FirstCause": false, + 
"LastCause": true + }, + { + "Number": 174, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV011", + "AVDID": "AVD-KSV-0011", + "Title": "CPU not limited", + "Description": "Enforcing CPU limits prevents DoS via resource exhaustion.", + "Message": "Container 'postgresql-migrate-casbin' of Job 'postgresql-migrate-casbin' should set 'resources.limits.cpu'", + "Namespace": "builtin.kubernetes.KSV011", + "Query": "data.builtin.kubernetes.KSV011.deny", + "Resolution": "Set a limit value under 'containers[].resources.limits.cpu'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv011", + "References": [ + "https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", + "https://avd.aquasec.com/misconfig/ksv011" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 47, + "EndLine": 72, + "Code": { + "Lines": [ + { + "Number": 47, + "Content": " - name: postgresql-migrate-casbin", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-migrate-casbin", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 48, + "Content": " image: quay.io/devtron/migrator:71748de9-149-11112", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/migrator:71748de9-149-11112", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 49, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 50, + "Content": " - name: SCRIPT_LOCATION", + "IsCause": true, + "Annotation": "", + "Truncated": false, + 
"Highlighted": " - \u001b[38;5;33mname\u001b[0m: SCRIPT_LOCATION", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 51, + "Content": " value: scripts/casbin/", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: scripts/casbin/", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 52, + "Content": " - name: GIT_REPO_URL", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: GIT_REPO_URL", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 53, + "Content": " value: https://github.com/devtron-labs/devtron.git", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: https://github.com/devtron-labs/devtron.git", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 54, + "Content": " - name: DB_TYPE", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: DB_TYPE", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 55, + "Content": " value: postgres", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: postgres", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 56, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV011", + "AVDID": "AVD-KSV-0011", + "Title": "CPU not limited", + "Description": "Enforcing CPU limits prevents DoS via resource exhaustion.", + "Message": "Container 'postgresql-migrate-devtron' of Job 'postgresql-migrate-devtron' should set 'resources.limits.cpu'", + "Namespace": "builtin.kubernetes.KSV011", + "Query": "data.builtin.kubernetes.KSV011.deny", + "Resolution": "Set a limit value under 'containers[].resources.limits.cpu'.", + 
"Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv011", + "References": [ + "https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", + "https://avd.aquasec.com/misconfig/ksv011" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 9, + "EndLine": 34, + "Code": { + "Lines": [ + { + "Number": 9, + "Content": " - name: postgresql-migrate-devtron", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-migrate-devtron", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 10, + "Content": " image: quay.io/devtron/migrator:71748de9-149-11112", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/migrator:71748de9-149-11112", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 11, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 12, + "Content": " - name: GIT_BRANCH", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: GIT_BRANCH", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 13, + "Content": " value: main", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: main", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 14, + "Content": " - name: SCRIPT_LOCATION", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: SCRIPT_LOCATION", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 15, + "Content": " value: scripts/sql/", + "IsCause": true, + "Annotation": "", + "Truncated": false, + 
"Highlighted": " \u001b[38;5;33mvalue\u001b[0m: scripts/sql/", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 16, + "Content": " - name: GIT_REPO_URL", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: GIT_REPO_URL", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 17, + "Content": " value: https://github.com/devtron-labs/devtron.git", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: https://github.com/devtron-labs/devtron.git", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 18, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV011", + "AVDID": "AVD-KSV-0011", + "Title": "CPU not limited", + "Description": "Enforcing CPU limits prevents DoS via resource exhaustion.", + "Message": "Container 'postgresql-migrate-gitsensor' of Job 'postgresql-migrate-gitsensor' should set 'resources.limits.cpu'", + "Namespace": "builtin.kubernetes.KSV011", + "Query": "data.builtin.kubernetes.KSV011.deny", + "Resolution": "Set a limit value under 'containers[].resources.limits.cpu'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv011", + "References": [ + "https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", + "https://avd.aquasec.com/misconfig/ksv011" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 85, + "EndLine": 110, + "Code": { + "Lines": [ + { + "Number": 85, + "Content": " - name: postgresql-migrate-gitsensor", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-migrate-gitsensor", + "FirstCause": true, + "LastCause": 
false + }, + { + "Number": 86, + "Content": " image: quay.io/devtron/migrator:71748de9-149-11112", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/migrator:71748de9-149-11112", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 87, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 88, + "Content": " - name: SCRIPT_LOCATION", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: SCRIPT_LOCATION", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 89, + "Content": " value: scripts/sql/", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: scripts/sql/", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 90, + "Content": " - name: GIT_REPO_URL", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: GIT_REPO_URL", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 91, + "Content": " value: https://github.com/devtron-labs/git-sensor.git", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: https://github.com/devtron-labs/git-sensor.git", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 92, + "Content": " - name: DB_TYPE", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: DB_TYPE", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 93, + "Content": " value: postgres", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: postgres", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 94, + "Content": "", + 
"IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV011", + "AVDID": "AVD-KSV-0011", + "Title": "CPU not limited", + "Description": "Enforcing CPU limits prevents DoS via resource exhaustion.", + "Message": "Container 'postgresql-migrate-lens' of Job 'postgresql-migrate-lens' should set 'resources.limits.cpu'", + "Namespace": "builtin.kubernetes.KSV011", + "Query": "data.builtin.kubernetes.KSV011.deny", + "Resolution": "Set a limit value under 'containers[].resources.limits.cpu'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv011", + "References": [ + "https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", + "https://avd.aquasec.com/misconfig/ksv011" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 123, + "EndLine": 148, + "Code": { + "Lines": [ + { + "Number": 123, + "Content": " - name: postgresql-migrate-lens", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-migrate-lens", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 124, + "Content": " image: quay.io/devtron/migrator:71748de9-149-11112", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/migrator:71748de9-149-11112", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 125, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 126, + "Content": " - name: SCRIPT_LOCATION", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: 
SCRIPT_LOCATION", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 127, + "Content": " value: scripts/sql/", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: scripts/sql/", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 128, + "Content": " - name: GIT_REPO_URL", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: GIT_REPO_URL", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 129, + "Content": " value: https://github.com/devtron-labs/lens.git", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: https://github.com/devtron-labs/lens.git", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 130, + "Content": " - name: DB_TYPE", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: DB_TYPE", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 131, + "Content": " value: postgres", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: postgres", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 132, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV011", + "AVDID": "AVD-KSV-0011", + "Title": "CPU not limited", + "Description": "Enforcing CPU limits prevents DoS via resource exhaustion.", + "Message": "Container 'postgresql-miscellaneous' of Job 'postgresql-miscellaneous' should set 'resources.limits.cpu'", + "Namespace": "builtin.kubernetes.KSV011", + "Query": "data.builtin.kubernetes.KSV011.deny", + "Resolution": "Set a limit value under 'containers[].resources.limits.cpu'.", + "Severity": "LOW", + "PrimaryURL": 
"https://avd.aquasec.com/misconfig/ksv011", + "References": [ + "https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", + "https://avd.aquasec.com/misconfig/ksv011" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 165, + "EndLine": 181, + "Code": { + "Lines": [ + { + "Number": 165, + "Content": " - name: postgresql-miscellaneous", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-miscellaneous", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 166, + "Content": " image: quay.io/devtron/postgres:11.9", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/postgres:11.9", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 167, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 168, + "Content": " - name: PGPASSWORD", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: PGPASSWORD", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 169, + "Content": " valueFrom:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalueFrom\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 170, + "Content": " secretKeyRef:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33msecretKeyRef\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 171, + "Content": " name: postgresql-postgresql", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mname\u001b[0m: postgresql-postgresql", 
+ "FirstCause": false, + "LastCause": false + }, + { + "Number": 172, + "Content": " key: postgresql-password", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mkey\u001b[0m: postgresql-password", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 173, + "Content": " - name: PGHOST", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: PGHOST", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 174, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV012", + "AVDID": "AVD-KSV-0012", + "Title": "Runs as root user", + "Description": "Force the running image to run as a non-root user to ensure least privileges.", + "Message": "Container 'postgresql-migrate-casbin' of Job 'postgresql-migrate-casbin' should set 'securityContext.runAsNonRoot' to true", + "Namespace": "builtin.kubernetes.KSV012", + "Query": "data.builtin.kubernetes.KSV012.deny", + "Resolution": "Set 'containers[].securityContext.runAsNonRoot' to true.", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv012", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", + "https://avd.aquasec.com/misconfig/ksv012" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 47, + "EndLine": 72, + "Code": { + "Lines": [ + { + "Number": 47, + "Content": " - name: postgresql-migrate-casbin", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-migrate-casbin", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 48, + "Content": " image: quay.io/devtron/migrator:71748de9-149-11112", + "IsCause": true, + "Annotation": "", + 
"Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/migrator:71748de9-149-11112", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 49, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 50, + "Content": " - name: SCRIPT_LOCATION", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: SCRIPT_LOCATION", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 51, + "Content": " value: scripts/casbin/", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: scripts/casbin/", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 52, + "Content": " - name: GIT_REPO_URL", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: GIT_REPO_URL", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 53, + "Content": " value: https://github.com/devtron-labs/devtron.git", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: https://github.com/devtron-labs/devtron.git", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 54, + "Content": " - name: DB_TYPE", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: DB_TYPE", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 55, + "Content": " value: postgres", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: postgres", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 56, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": 
"Kubernetes Security Check", + "ID": "KSV012", + "AVDID": "AVD-KSV-0012", + "Title": "Runs as root user", + "Description": "Force the running image to run as a non-root user to ensure least privileges.", + "Message": "Container 'postgresql-migrate-devtron' of Job 'postgresql-migrate-devtron' should set 'securityContext.runAsNonRoot' to true", + "Namespace": "builtin.kubernetes.KSV012", + "Query": "data.builtin.kubernetes.KSV012.deny", + "Resolution": "Set 'containers[].securityContext.runAsNonRoot' to true.", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv012", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", + "https://avd.aquasec.com/misconfig/ksv012" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 9, + "EndLine": 34, + "Code": { + "Lines": [ + { + "Number": 9, + "Content": " - name: postgresql-migrate-devtron", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-migrate-devtron", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 10, + "Content": " image: quay.io/devtron/migrator:71748de9-149-11112", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/migrator:71748de9-149-11112", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 11, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 12, + "Content": " - name: GIT_BRANCH", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: GIT_BRANCH", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 13, + "Content": " value: main", + "IsCause": true, + "Annotation": "", + 
"Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: main", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 14, + "Content": " - name: SCRIPT_LOCATION", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: SCRIPT_LOCATION", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 15, + "Content": " value: scripts/sql/", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: scripts/sql/", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 16, + "Content": " - name: GIT_REPO_URL", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: GIT_REPO_URL", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 17, + "Content": " value: https://github.com/devtron-labs/devtron.git", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: https://github.com/devtron-labs/devtron.git", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 18, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV012", + "AVDID": "AVD-KSV-0012", + "Title": "Runs as root user", + "Description": "Force the running image to run as a non-root user to ensure least privileges.", + "Message": "Container 'postgresql-migrate-gitsensor' of Job 'postgresql-migrate-gitsensor' should set 'securityContext.runAsNonRoot' to true", + "Namespace": "builtin.kubernetes.KSV012", + "Query": "data.builtin.kubernetes.KSV012.deny", + "Resolution": "Set 'containers[].securityContext.runAsNonRoot' to true.", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv012", + "References": [ + 
"https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", + "https://avd.aquasec.com/misconfig/ksv012" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 85, + "EndLine": 110, + "Code": { + "Lines": [ + { + "Number": 85, + "Content": " - name: postgresql-migrate-gitsensor", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-migrate-gitsensor", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 86, + "Content": " image: quay.io/devtron/migrator:71748de9-149-11112", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/migrator:71748de9-149-11112", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 87, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 88, + "Content": " - name: SCRIPT_LOCATION", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: SCRIPT_LOCATION", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 89, + "Content": " value: scripts/sql/", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: scripts/sql/", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 90, + "Content": " - name: GIT_REPO_URL", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: GIT_REPO_URL", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 91, + "Content": " value: https://github.com/devtron-labs/git-sensor.git", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: 
https://github.com/devtron-labs/git-sensor.git", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 92, + "Content": " - name: DB_TYPE", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: DB_TYPE", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 93, + "Content": " value: postgres", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: postgres", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 94, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV012", + "AVDID": "AVD-KSV-0012", + "Title": "Runs as root user", + "Description": "Force the running image to run as a non-root user to ensure least privileges.", + "Message": "Container 'postgresql-migrate-lens' of Job 'postgresql-migrate-lens' should set 'securityContext.runAsNonRoot' to true", + "Namespace": "builtin.kubernetes.KSV012", + "Query": "data.builtin.kubernetes.KSV012.deny", + "Resolution": "Set 'containers[].securityContext.runAsNonRoot' to true.", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv012", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", + "https://avd.aquasec.com/misconfig/ksv012" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 123, + "EndLine": 148, + "Code": { + "Lines": [ + { + "Number": 123, + "Content": " - name: postgresql-migrate-lens", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-migrate-lens", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 124, + "Content": " image: quay.io/devtron/migrator:71748de9-149-11112", + "IsCause": 
true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/migrator:71748de9-149-11112", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 125, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 126, + "Content": " - name: SCRIPT_LOCATION", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: SCRIPT_LOCATION", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 127, + "Content": " value: scripts/sql/", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: scripts/sql/", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 128, + "Content": " - name: GIT_REPO_URL", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: GIT_REPO_URL", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 129, + "Content": " value: https://github.com/devtron-labs/lens.git", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: https://github.com/devtron-labs/lens.git", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 130, + "Content": " - name: DB_TYPE", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: DB_TYPE", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 131, + "Content": " value: postgres", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: postgres", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 132, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + 
} + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV012", + "AVDID": "AVD-KSV-0012", + "Title": "Runs as root user", + "Description": "Force the running image to run as a non-root user to ensure least privileges.", + "Message": "Container 'postgresql-miscellaneous' of Job 'postgresql-miscellaneous' should set 'securityContext.runAsNonRoot' to true", + "Namespace": "builtin.kubernetes.KSV012", + "Query": "data.builtin.kubernetes.KSV012.deny", + "Resolution": "Set 'containers[].securityContext.runAsNonRoot' to true.", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv012", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", + "https://avd.aquasec.com/misconfig/ksv012" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 165, + "EndLine": 181, + "Code": { + "Lines": [ + { + "Number": 165, + "Content": " - name: postgresql-miscellaneous", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-miscellaneous", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 166, + "Content": " image: quay.io/devtron/postgres:11.9", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/postgres:11.9", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 167, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 168, + "Content": " - name: PGPASSWORD", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: PGPASSWORD", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 169, + "Content": " valueFrom:", + "IsCause": true, + "Annotation": "", + 
"Truncated": false, + "Highlighted": " \u001b[38;5;33mvalueFrom\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 170, + "Content": " secretKeyRef:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33msecretKeyRef\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 171, + "Content": " name: postgresql-postgresql", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mname\u001b[0m: postgresql-postgresql", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 172, + "Content": " key: postgresql-password", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mkey\u001b[0m: postgresql-password", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 173, + "Content": " - name: PGHOST", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: PGHOST", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 174, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV014", + "AVDID": "AVD-KSV-0014", + "Title": "Root file system is not read-only", + "Description": "An immutable root file system prevents applications from writing to their local disk. 
This can limit intrusions, as attackers will not be able to tamper with the file system or write foreign executables to disk.", + "Message": "Container 'postgresql-migrate-casbin' of Job 'postgresql-migrate-casbin' should set 'securityContext.readOnlyRootFilesystem' to true", + "Namespace": "builtin.kubernetes.KSV014", + "Query": "data.builtin.kubernetes.KSV014.deny", + "Resolution": "Change 'containers[].securityContext.readOnlyRootFilesystem' to 'true'.", + "Severity": "HIGH", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv014", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-readonlyrootfilesystem-true/", + "https://avd.aquasec.com/misconfig/ksv014" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 47, + "EndLine": 72, + "Code": { + "Lines": [ + { + "Number": 47, + "Content": " - name: postgresql-migrate-casbin", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-migrate-casbin", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 48, + "Content": " image: quay.io/devtron/migrator:71748de9-149-11112", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/migrator:71748de9-149-11112", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 49, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 50, + "Content": " - name: SCRIPT_LOCATION", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: SCRIPT_LOCATION", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 51, + "Content": " value: scripts/casbin/", + "IsCause": true, + "Annotation": "", + "Truncated": false, + 
"Highlighted": " \u001b[38;5;33mvalue\u001b[0m: scripts/casbin/", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 52, + "Content": " - name: GIT_REPO_URL", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: GIT_REPO_URL", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 53, + "Content": " value: https://github.com/devtron-labs/devtron.git", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: https://github.com/devtron-labs/devtron.git", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 54, + "Content": " - name: DB_TYPE", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: DB_TYPE", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 55, + "Content": " value: postgres", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: postgres", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 56, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV014", + "AVDID": "AVD-KSV-0014", + "Title": "Root file system is not read-only", + "Description": "An immutable root file system prevents applications from writing to their local disk. 
This can limit intrusions, as attackers will not be able to tamper with the file system or write foreign executables to disk.", + "Message": "Container 'postgresql-migrate-devtron' of Job 'postgresql-migrate-devtron' should set 'securityContext.readOnlyRootFilesystem' to true", + "Namespace": "builtin.kubernetes.KSV014", + "Query": "data.builtin.kubernetes.KSV014.deny", + "Resolution": "Change 'containers[].securityContext.readOnlyRootFilesystem' to 'true'.", + "Severity": "HIGH", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv014", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-readonlyrootfilesystem-true/", + "https://avd.aquasec.com/misconfig/ksv014" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 9, + "EndLine": 34, + "Code": { + "Lines": [ + { + "Number": 9, + "Content": " - name: postgresql-migrate-devtron", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-migrate-devtron", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 10, + "Content": " image: quay.io/devtron/migrator:71748de9-149-11112", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/migrator:71748de9-149-11112", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 11, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 12, + "Content": " - name: GIT_BRANCH", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: GIT_BRANCH", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 13, + "Content": " value: main", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " 
\u001b[38;5;33mvalue\u001b[0m: main", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 14, + "Content": " - name: SCRIPT_LOCATION", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: SCRIPT_LOCATION", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 15, + "Content": " value: scripts/sql/", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: scripts/sql/", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 16, + "Content": " - name: GIT_REPO_URL", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: GIT_REPO_URL", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 17, + "Content": " value: https://github.com/devtron-labs/devtron.git", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: https://github.com/devtron-labs/devtron.git", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 18, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV014", + "AVDID": "AVD-KSV-0014", + "Title": "Root file system is not read-only", + "Description": "An immutable root file system prevents applications from writing to their local disk. 
This can limit intrusions, as attackers will not be able to tamper with the file system or write foreign executables to disk.", + "Message": "Container 'postgresql-migrate-gitsensor' of Job 'postgresql-migrate-gitsensor' should set 'securityContext.readOnlyRootFilesystem' to true", + "Namespace": "builtin.kubernetes.KSV014", + "Query": "data.builtin.kubernetes.KSV014.deny", + "Resolution": "Change 'containers[].securityContext.readOnlyRootFilesystem' to 'true'.", + "Severity": "HIGH", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv014", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-readonlyrootfilesystem-true/", + "https://avd.aquasec.com/misconfig/ksv014" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 85, + "EndLine": 110, + "Code": { + "Lines": [ + { + "Number": 85, + "Content": " - name: postgresql-migrate-gitsensor", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-migrate-gitsensor", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 86, + "Content": " image: quay.io/devtron/migrator:71748de9-149-11112", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/migrator:71748de9-149-11112", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 87, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 88, + "Content": " - name: SCRIPT_LOCATION", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: SCRIPT_LOCATION", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 89, + "Content": " value: scripts/sql/", + "IsCause": true, + "Annotation": "", + "Truncated": false, + 
"Highlighted": " \u001b[38;5;33mvalue\u001b[0m: scripts/sql/", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 90, + "Content": " - name: GIT_REPO_URL", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: GIT_REPO_URL", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 91, + "Content": " value: https://github.com/devtron-labs/git-sensor.git", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: https://github.com/devtron-labs/git-sensor.git", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 92, + "Content": " - name: DB_TYPE", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: DB_TYPE", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 93, + "Content": " value: postgres", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: postgres", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 94, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV014", + "AVDID": "AVD-KSV-0014", + "Title": "Root file system is not read-only", + "Description": "An immutable root file system prevents applications from writing to their local disk. 
This can limit intrusions, as attackers will not be able to tamper with the file system or write foreign executables to disk.", + "Message": "Container 'postgresql-migrate-lens' of Job 'postgresql-migrate-lens' should set 'securityContext.readOnlyRootFilesystem' to true", + "Namespace": "builtin.kubernetes.KSV014", + "Query": "data.builtin.kubernetes.KSV014.deny", + "Resolution": "Change 'containers[].securityContext.readOnlyRootFilesystem' to 'true'.", + "Severity": "HIGH", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv014", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-readonlyrootfilesystem-true/", + "https://avd.aquasec.com/misconfig/ksv014" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 123, + "EndLine": 148, + "Code": { + "Lines": [ + { + "Number": 123, + "Content": " - name: postgresql-migrate-lens", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-migrate-lens", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 124, + "Content": " image: quay.io/devtron/migrator:71748de9-149-11112", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/migrator:71748de9-149-11112", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 125, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 126, + "Content": " - name: SCRIPT_LOCATION", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: SCRIPT_LOCATION", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 127, + "Content": " value: scripts/sql/", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " 
\u001b[38;5;33mvalue\u001b[0m: scripts/sql/", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 128, + "Content": " - name: GIT_REPO_URL", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: GIT_REPO_URL", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 129, + "Content": " value: https://github.com/devtron-labs/lens.git", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: https://github.com/devtron-labs/lens.git", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 130, + "Content": " - name: DB_TYPE", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: DB_TYPE", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 131, + "Content": " value: postgres", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: postgres", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 132, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV014", + "AVDID": "AVD-KSV-0014", + "Title": "Root file system is not read-only", + "Description": "An immutable root file system prevents applications from writing to their local disk. 
This can limit intrusions, as attackers will not be able to tamper with the file system or write foreign executables to disk.", + "Message": "Container 'postgresql-miscellaneous' of Job 'postgresql-miscellaneous' should set 'securityContext.readOnlyRootFilesystem' to true", + "Namespace": "builtin.kubernetes.KSV014", + "Query": "data.builtin.kubernetes.KSV014.deny", + "Resolution": "Change 'containers[].securityContext.readOnlyRootFilesystem' to 'true'.", + "Severity": "HIGH", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv014", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-readonlyrootfilesystem-true/", + "https://avd.aquasec.com/misconfig/ksv014" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 165, + "EndLine": 181, + "Code": { + "Lines": [ + { + "Number": 165, + "Content": " - name: postgresql-miscellaneous", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-miscellaneous", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 166, + "Content": " image: quay.io/devtron/postgres:11.9", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/postgres:11.9", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 167, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 168, + "Content": " - name: PGPASSWORD", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: PGPASSWORD", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 169, + "Content": " valueFrom:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalueFrom\u001b[0m:", + 
"FirstCause": false, + "LastCause": false + }, + { + "Number": 170, + "Content": " secretKeyRef:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33msecretKeyRef\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 171, + "Content": " name: postgresql-postgresql", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mname\u001b[0m: postgresql-postgresql", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 172, + "Content": " key: postgresql-password", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mkey\u001b[0m: postgresql-password", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 173, + "Content": " - name: PGHOST", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: PGHOST", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 174, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV015", + "AVDID": "AVD-KSV-0015", + "Title": "CPU requests not specified", + "Description": "When containers have resource requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", + "Message": "Container 'postgresql-migrate-casbin' of Job 'postgresql-migrate-casbin' should set 'resources.requests.cpu'", + "Namespace": "builtin.kubernetes.KSV015", + "Query": "data.builtin.kubernetes.KSV015.deny", + "Resolution": "Set 'containers[].resources.requests.cpu'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv015", + "References": [ + "https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", + 
"https://avd.aquasec.com/misconfig/ksv015" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 47, + "EndLine": 72, + "Code": { + "Lines": [ + { + "Number": 47, + "Content": " - name: postgresql-migrate-casbin", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-migrate-casbin", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 48, + "Content": " image: quay.io/devtron/migrator:71748de9-149-11112", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/migrator:71748de9-149-11112", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 49, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 50, + "Content": " - name: SCRIPT_LOCATION", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: SCRIPT_LOCATION", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 51, + "Content": " value: scripts/casbin/", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: scripts/casbin/", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 52, + "Content": " - name: GIT_REPO_URL", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: GIT_REPO_URL", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 53, + "Content": " value: https://github.com/devtron-labs/devtron.git", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: https://github.com/devtron-labs/devtron.git", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 54, + 
"Content": " - name: DB_TYPE", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: DB_TYPE", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 55, + "Content": " value: postgres", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: postgres", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 56, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV015", + "AVDID": "AVD-KSV-0015", + "Title": "CPU requests not specified", + "Description": "When containers have resource requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", + "Message": "Container 'postgresql-migrate-devtron' of Job 'postgresql-migrate-devtron' should set 'resources.requests.cpu'", + "Namespace": "builtin.kubernetes.KSV015", + "Query": "data.builtin.kubernetes.KSV015.deny", + "Resolution": "Set 'containers[].resources.requests.cpu'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv015", + "References": [ + "https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", + "https://avd.aquasec.com/misconfig/ksv015" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 9, + "EndLine": 34, + "Code": { + "Lines": [ + { + "Number": 9, + "Content": " - name: postgresql-migrate-devtron", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-migrate-devtron", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 10, + "Content": " image: quay.io/devtron/migrator:71748de9-149-11112", + "IsCause": true, + 
"Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/migrator:71748de9-149-11112", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 11, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 12, + "Content": " - name: GIT_BRANCH", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: GIT_BRANCH", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 13, + "Content": " value: main", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: main", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 14, + "Content": " - name: SCRIPT_LOCATION", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: SCRIPT_LOCATION", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 15, + "Content": " value: scripts/sql/", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: scripts/sql/", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 16, + "Content": " - name: GIT_REPO_URL", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: GIT_REPO_URL", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 17, + "Content": " value: https://github.com/devtron-labs/devtron.git", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: https://github.com/devtron-labs/devtron.git", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 18, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { 
+ "Type": "Kubernetes Security Check", + "ID": "KSV015", + "AVDID": "AVD-KSV-0015", + "Title": "CPU requests not specified", + "Description": "When containers have resource requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", + "Message": "Container 'postgresql-migrate-gitsensor' of Job 'postgresql-migrate-gitsensor' should set 'resources.requests.cpu'", + "Namespace": "builtin.kubernetes.KSV015", + "Query": "data.builtin.kubernetes.KSV015.deny", + "Resolution": "Set 'containers[].resources.requests.cpu'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv015", + "References": [ + "https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", + "https://avd.aquasec.com/misconfig/ksv015" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 85, + "EndLine": 110, + "Code": { + "Lines": [ + { + "Number": 85, + "Content": " - name: postgresql-migrate-gitsensor", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-migrate-gitsensor", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 86, + "Content": " image: quay.io/devtron/migrator:71748de9-149-11112", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/migrator:71748de9-149-11112", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 87, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 88, + "Content": " - name: SCRIPT_LOCATION", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: SCRIPT_LOCATION", + 
"FirstCause": false, + "LastCause": false + }, + { + "Number": 89, + "Content": " value: scripts/sql/", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: scripts/sql/", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 90, + "Content": " - name: GIT_REPO_URL", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: GIT_REPO_URL", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 91, + "Content": " value: https://github.com/devtron-labs/git-sensor.git", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: https://github.com/devtron-labs/git-sensor.git", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 92, + "Content": " - name: DB_TYPE", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: DB_TYPE", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 93, + "Content": " value: postgres", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: postgres", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 94, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV015", + "AVDID": "AVD-KSV-0015", + "Title": "CPU requests not specified", + "Description": "When containers have resource requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", + "Message": "Container 'postgresql-migrate-lens' of Job 'postgresql-migrate-lens' should set 'resources.requests.cpu'", + "Namespace": "builtin.kubernetes.KSV015", + "Query": "data.builtin.kubernetes.KSV015.deny", + "Resolution": "Set 
'containers[].resources.requests.cpu'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv015", + "References": [ + "https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", + "https://avd.aquasec.com/misconfig/ksv015" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 123, + "EndLine": 148, + "Code": { + "Lines": [ + { + "Number": 123, + "Content": " - name: postgresql-migrate-lens", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-migrate-lens", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 124, + "Content": " image: quay.io/devtron/migrator:71748de9-149-11112", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/migrator:71748de9-149-11112", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 125, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 126, + "Content": " - name: SCRIPT_LOCATION", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: SCRIPT_LOCATION", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 127, + "Content": " value: scripts/sql/", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: scripts/sql/", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 128, + "Content": " - name: GIT_REPO_URL", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: GIT_REPO_URL", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 129, + "Content": " value: 
https://github.com/devtron-labs/lens.git", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: https://github.com/devtron-labs/lens.git", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 130, + "Content": " - name: DB_TYPE", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: DB_TYPE", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 131, + "Content": " value: postgres", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: postgres", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 132, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV015", + "AVDID": "AVD-KSV-0015", + "Title": "CPU requests not specified", + "Description": "When containers have resource requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", + "Message": "Container 'postgresql-miscellaneous' of Job 'postgresql-miscellaneous' should set 'resources.requests.cpu'", + "Namespace": "builtin.kubernetes.KSV015", + "Query": "data.builtin.kubernetes.KSV015.deny", + "Resolution": "Set 'containers[].resources.requests.cpu'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv015", + "References": [ + "https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", + "https://avd.aquasec.com/misconfig/ksv015" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 165, + "EndLine": 181, + "Code": { + "Lines": [ + { + "Number": 165, + "Content": " - name: postgresql-miscellaneous", + "IsCause": true, + 
"Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-miscellaneous", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 166, + "Content": " image: quay.io/devtron/postgres:11.9", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/postgres:11.9", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 167, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 168, + "Content": " - name: PGPASSWORD", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: PGPASSWORD", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 169, + "Content": " valueFrom:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalueFrom\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 170, + "Content": " secretKeyRef:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33msecretKeyRef\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 171, + "Content": " name: postgresql-postgresql", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mname\u001b[0m: postgresql-postgresql", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 172, + "Content": " key: postgresql-password", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mkey\u001b[0m: postgresql-password", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 173, + "Content": " - name: PGHOST", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: PGHOST", + "FirstCause": false, + 
"LastCause": true + }, + { + "Number": 174, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV016", + "AVDID": "AVD-KSV-0016", + "Title": "Memory requests not specified", + "Description": "When containers have memory requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", + "Message": "Container 'postgresql-migrate-casbin' of Job 'postgresql-migrate-casbin' should set 'resources.requests.memory'", + "Namespace": "builtin.kubernetes.KSV016", + "Query": "data.builtin.kubernetes.KSV016.deny", + "Resolution": "Set 'containers[].resources.requests.memory'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv016", + "References": [ + "https://kubesec.io/basics/containers-resources-limits-memory/", + "https://avd.aquasec.com/misconfig/ksv016" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 47, + "EndLine": 72, + "Code": { + "Lines": [ + { + "Number": 47, + "Content": " - name: postgresql-migrate-casbin", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-migrate-casbin", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 48, + "Content": " image: quay.io/devtron/migrator:71748de9-149-11112", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/migrator:71748de9-149-11112", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 49, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 50, + "Content": " - name: SCRIPT_LOCATION", + 
"IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: SCRIPT_LOCATION", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 51, + "Content": " value: scripts/casbin/", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: scripts/casbin/", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 52, + "Content": " - name: GIT_REPO_URL", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: GIT_REPO_URL", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 53, + "Content": " value: https://github.com/devtron-labs/devtron.git", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: https://github.com/devtron-labs/devtron.git", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 54, + "Content": " - name: DB_TYPE", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: DB_TYPE", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 55, + "Content": " value: postgres", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: postgres", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 56, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV016", + "AVDID": "AVD-KSV-0016", + "Title": "Memory requests not specified", + "Description": "When containers have memory requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", + "Message": "Container 'postgresql-migrate-devtron' of Job 'postgresql-migrate-devtron' should set 
'resources.requests.memory'", + "Namespace": "builtin.kubernetes.KSV016", + "Query": "data.builtin.kubernetes.KSV016.deny", + "Resolution": "Set 'containers[].resources.requests.memory'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv016", + "References": [ + "https://kubesec.io/basics/containers-resources-limits-memory/", + "https://avd.aquasec.com/misconfig/ksv016" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 9, + "EndLine": 34, + "Code": { + "Lines": [ + { + "Number": 9, + "Content": " - name: postgresql-migrate-devtron", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-migrate-devtron", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 10, + "Content": " image: quay.io/devtron/migrator:71748de9-149-11112", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/migrator:71748de9-149-11112", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 11, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 12, + "Content": " - name: GIT_BRANCH", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: GIT_BRANCH", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 13, + "Content": " value: main", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: main", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 14, + "Content": " - name: SCRIPT_LOCATION", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: SCRIPT_LOCATION", + "FirstCause": false, + 
"LastCause": false + }, + { + "Number": 15, + "Content": " value: scripts/sql/", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: scripts/sql/", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 16, + "Content": " - name: GIT_REPO_URL", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: GIT_REPO_URL", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 17, + "Content": " value: https://github.com/devtron-labs/devtron.git", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: https://github.com/devtron-labs/devtron.git", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 18, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV016", + "AVDID": "AVD-KSV-0016", + "Title": "Memory requests not specified", + "Description": "When containers have memory requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", + "Message": "Container 'postgresql-migrate-gitsensor' of Job 'postgresql-migrate-gitsensor' should set 'resources.requests.memory'", + "Namespace": "builtin.kubernetes.KSV016", + "Query": "data.builtin.kubernetes.KSV016.deny", + "Resolution": "Set 'containers[].resources.requests.memory'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv016", + "References": [ + "https://kubesec.io/basics/containers-resources-limits-memory/", + "https://avd.aquasec.com/misconfig/ksv016" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 85, + "EndLine": 110, + "Code": { + "Lines": [ + { + "Number": 85, + "Content": " - name: 
postgresql-migrate-gitsensor", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-migrate-gitsensor", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 86, + "Content": " image: quay.io/devtron/migrator:71748de9-149-11112", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/migrator:71748de9-149-11112", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 87, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 88, + "Content": " - name: SCRIPT_LOCATION", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: SCRIPT_LOCATION", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 89, + "Content": " value: scripts/sql/", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: scripts/sql/", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 90, + "Content": " - name: GIT_REPO_URL", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: GIT_REPO_URL", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 91, + "Content": " value: https://github.com/devtron-labs/git-sensor.git", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: https://github.com/devtron-labs/git-sensor.git", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 92, + "Content": " - name: DB_TYPE", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: DB_TYPE", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 93, + "Content": " value: 
postgres", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: postgres", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 94, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV016", + "AVDID": "AVD-KSV-0016", + "Title": "Memory requests not specified", + "Description": "When containers have memory requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", + "Message": "Container 'postgresql-migrate-lens' of Job 'postgresql-migrate-lens' should set 'resources.requests.memory'", + "Namespace": "builtin.kubernetes.KSV016", + "Query": "data.builtin.kubernetes.KSV016.deny", + "Resolution": "Set 'containers[].resources.requests.memory'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv016", + "References": [ + "https://kubesec.io/basics/containers-resources-limits-memory/", + "https://avd.aquasec.com/misconfig/ksv016" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 123, + "EndLine": 148, + "Code": { + "Lines": [ + { + "Number": 123, + "Content": " - name: postgresql-migrate-lens", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-migrate-lens", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 124, + "Content": " image: quay.io/devtron/migrator:71748de9-149-11112", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/migrator:71748de9-149-11112", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 125, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + 
"Highlighted": " \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 126, + "Content": " - name: SCRIPT_LOCATION", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: SCRIPT_LOCATION", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 127, + "Content": " value: scripts/sql/", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: scripts/sql/", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 128, + "Content": " - name: GIT_REPO_URL", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: GIT_REPO_URL", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 129, + "Content": " value: https://github.com/devtron-labs/lens.git", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: https://github.com/devtron-labs/lens.git", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 130, + "Content": " - name: DB_TYPE", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: DB_TYPE", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 131, + "Content": " value: postgres", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: postgres", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 132, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV016", + "AVDID": "AVD-KSV-0016", + "Title": "Memory requests not specified", + "Description": "When containers have memory requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal 
with resource contention.", + "Message": "Container 'postgresql-miscellaneous' of Job 'postgresql-miscellaneous' should set 'resources.requests.memory'", + "Namespace": "builtin.kubernetes.KSV016", + "Query": "data.builtin.kubernetes.KSV016.deny", + "Resolution": "Set 'containers[].resources.requests.memory'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv016", + "References": [ + "https://kubesec.io/basics/containers-resources-limits-memory/", + "https://avd.aquasec.com/misconfig/ksv016" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 165, + "EndLine": 181, + "Code": { + "Lines": [ + { + "Number": 165, + "Content": " - name: postgresql-miscellaneous", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-miscellaneous", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 166, + "Content": " image: quay.io/devtron/postgres:11.9", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/postgres:11.9", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 167, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 168, + "Content": " - name: PGPASSWORD", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: PGPASSWORD", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 169, + "Content": " valueFrom:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalueFrom\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 170, + "Content": " secretKeyRef:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + 
"Highlighted": " \u001b[38;5;33msecretKeyRef\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 171, + "Content": " name: postgresql-postgresql", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mname\u001b[0m: postgresql-postgresql", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 172, + "Content": " key: postgresql-password", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mkey\u001b[0m: postgresql-password", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 173, + "Content": " - name: PGHOST", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: PGHOST", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 174, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV018", + "AVDID": "AVD-KSV-0018", + "Title": "Memory not limited", + "Description": "Enforcing memory limits prevents DoS via resource exhaustion.", + "Message": "Container 'postgresql-migrate-casbin' of Job 'postgresql-migrate-casbin' should set 'resources.limits.memory'", + "Namespace": "builtin.kubernetes.KSV018", + "Query": "data.builtin.kubernetes.KSV018.deny", + "Resolution": "Set a limit value under 'containers[].resources.limits.memory'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv018", + "References": [ + "https://kubesec.io/basics/containers-resources-limits-memory/", + "https://avd.aquasec.com/misconfig/ksv018" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 47, + "EndLine": 72, + "Code": { + "Lines": [ + { + "Number": 47, + "Content": " - name: postgresql-migrate-casbin", + "IsCause": true, + "Annotation": "", + "Truncated": 
false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-migrate-casbin", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 48, + "Content": " image: quay.io/devtron/migrator:71748de9-149-11112", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/migrator:71748de9-149-11112", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 49, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 50, + "Content": " - name: SCRIPT_LOCATION", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: SCRIPT_LOCATION", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 51, + "Content": " value: scripts/casbin/", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: scripts/casbin/", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 52, + "Content": " - name: GIT_REPO_URL", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: GIT_REPO_URL", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 53, + "Content": " value: https://github.com/devtron-labs/devtron.git", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: https://github.com/devtron-labs/devtron.git", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 54, + "Content": " - name: DB_TYPE", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: DB_TYPE", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 55, + "Content": " value: postgres", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " 
\u001b[38;5;33mvalue\u001b[0m: postgres", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 56, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV018", + "AVDID": "AVD-KSV-0018", + "Title": "Memory not limited", + "Description": "Enforcing memory limits prevents DoS via resource exhaustion.", + "Message": "Container 'postgresql-migrate-devtron' of Job 'postgresql-migrate-devtron' should set 'resources.limits.memory'", + "Namespace": "builtin.kubernetes.KSV018", + "Query": "data.builtin.kubernetes.KSV018.deny", + "Resolution": "Set a limit value under 'containers[].resources.limits.memory'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv018", + "References": [ + "https://kubesec.io/basics/containers-resources-limits-memory/", + "https://avd.aquasec.com/misconfig/ksv018" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 9, + "EndLine": 34, + "Code": { + "Lines": [ + { + "Number": 9, + "Content": " - name: postgresql-migrate-devtron", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-migrate-devtron", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 10, + "Content": " image: quay.io/devtron/migrator:71748de9-149-11112", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/migrator:71748de9-149-11112", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 11, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 12, + "Content": " - name: GIT_BRANCH", + "IsCause": true, + "Annotation": "", + 
"Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: GIT_BRANCH", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 13, + "Content": " value: main", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: main", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 14, + "Content": " - name: SCRIPT_LOCATION", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: SCRIPT_LOCATION", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 15, + "Content": " value: scripts/sql/", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: scripts/sql/", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 16, + "Content": " - name: GIT_REPO_URL", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: GIT_REPO_URL", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 17, + "Content": " value: https://github.com/devtron-labs/devtron.git", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: https://github.com/devtron-labs/devtron.git", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 18, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV018", + "AVDID": "AVD-KSV-0018", + "Title": "Memory not limited", + "Description": "Enforcing memory limits prevents DoS via resource exhaustion.", + "Message": "Container 'postgresql-migrate-gitsensor' of Job 'postgresql-migrate-gitsensor' should set 'resources.limits.memory'", + "Namespace": "builtin.kubernetes.KSV018", + "Query": "data.builtin.kubernetes.KSV018.deny", + "Resolution": "Set a limit value under 
'containers[].resources.limits.memory'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv018", + "References": [ + "https://kubesec.io/basics/containers-resources-limits-memory/", + "https://avd.aquasec.com/misconfig/ksv018" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 85, + "EndLine": 110, + "Code": { + "Lines": [ + { + "Number": 85, + "Content": " - name: postgresql-migrate-gitsensor", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-migrate-gitsensor", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 86, + "Content": " image: quay.io/devtron/migrator:71748de9-149-11112", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/migrator:71748de9-149-11112", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 87, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 88, + "Content": " - name: SCRIPT_LOCATION", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: SCRIPT_LOCATION", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 89, + "Content": " value: scripts/sql/", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: scripts/sql/", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 90, + "Content": " - name: GIT_REPO_URL", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: GIT_REPO_URL", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 91, + "Content": " value: https://github.com/devtron-labs/git-sensor.git", + "IsCause": 
true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: https://github.com/devtron-labs/git-sensor.git", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 92, + "Content": " - name: DB_TYPE", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: DB_TYPE", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 93, + "Content": " value: postgres", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: postgres", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 94, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV018", + "AVDID": "AVD-KSV-0018", + "Title": "Memory not limited", + "Description": "Enforcing memory limits prevents DoS via resource exhaustion.", + "Message": "Container 'postgresql-migrate-lens' of Job 'postgresql-migrate-lens' should set 'resources.limits.memory'", + "Namespace": "builtin.kubernetes.KSV018", + "Query": "data.builtin.kubernetes.KSV018.deny", + "Resolution": "Set a limit value under 'containers[].resources.limits.memory'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv018", + "References": [ + "https://kubesec.io/basics/containers-resources-limits-memory/", + "https://avd.aquasec.com/misconfig/ksv018" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 123, + "EndLine": 148, + "Code": { + "Lines": [ + { + "Number": 123, + "Content": " - name: postgresql-migrate-lens", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-migrate-lens", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 124, + "Content": " image: 
quay.io/devtron/migrator:71748de9-149-11112", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/migrator:71748de9-149-11112", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 125, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 126, + "Content": " - name: SCRIPT_LOCATION", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: SCRIPT_LOCATION", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 127, + "Content": " value: scripts/sql/", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: scripts/sql/", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 128, + "Content": " - name: GIT_REPO_URL", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: GIT_REPO_URL", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 129, + "Content": " value: https://github.com/devtron-labs/lens.git", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: https://github.com/devtron-labs/lens.git", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 130, + "Content": " - name: DB_TYPE", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: DB_TYPE", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 131, + "Content": " value: postgres", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: postgres", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 132, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": 
true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV018", + "AVDID": "AVD-KSV-0018", + "Title": "Memory not limited", + "Description": "Enforcing memory limits prevents DoS via resource exhaustion.", + "Message": "Container 'postgresql-miscellaneous' of Job 'postgresql-miscellaneous' should set 'resources.limits.memory'", + "Namespace": "builtin.kubernetes.KSV018", + "Query": "data.builtin.kubernetes.KSV018.deny", + "Resolution": "Set a limit value under 'containers[].resources.limits.memory'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv018", + "References": [ + "https://kubesec.io/basics/containers-resources-limits-memory/", + "https://avd.aquasec.com/misconfig/ksv018" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 165, + "EndLine": 181, + "Code": { + "Lines": [ + { + "Number": 165, + "Content": " - name: postgresql-miscellaneous", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-miscellaneous", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 166, + "Content": " image: quay.io/devtron/postgres:11.9", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/postgres:11.9", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 167, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 168, + "Content": " - name: PGPASSWORD", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: PGPASSWORD", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 169, + "Content": " valueFrom:", + "IsCause": true, + 
"Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalueFrom\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 170, + "Content": " secretKeyRef:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33msecretKeyRef\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 171, + "Content": " name: postgresql-postgresql", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mname\u001b[0m: postgresql-postgresql", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 172, + "Content": " key: postgresql-password", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mkey\u001b[0m: postgresql-password", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 173, + "Content": " - name: PGHOST", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: PGHOST", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 174, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV020", + "AVDID": "AVD-KSV-0020", + "Title": "Runs with UID \u003c= 10000", + "Description": "Force the container to run with user ID \u003e 10000 to avoid conflicts with the host’s user table.", + "Message": "Container 'postgresql-migrate-casbin' of Job 'postgresql-migrate-casbin' should set 'securityContext.runAsUser' \u003e 10000", + "Namespace": "builtin.kubernetes.KSV020", + "Query": "data.builtin.kubernetes.KSV020.deny", + "Resolution": "Set 'containers[].securityContext.runAsUser' to an integer \u003e 10000.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv020", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-runasuser/", + 
"https://avd.aquasec.com/misconfig/ksv020" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 47, + "EndLine": 72, + "Code": { + "Lines": [ + { + "Number": 47, + "Content": " - name: postgresql-migrate-casbin", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-migrate-casbin", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 48, + "Content": " image: quay.io/devtron/migrator:71748de9-149-11112", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/migrator:71748de9-149-11112", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 49, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 50, + "Content": " - name: SCRIPT_LOCATION", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: SCRIPT_LOCATION", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 51, + "Content": " value: scripts/casbin/", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: scripts/casbin/", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 52, + "Content": " - name: GIT_REPO_URL", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: GIT_REPO_URL", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 53, + "Content": " value: https://github.com/devtron-labs/devtron.git", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: https://github.com/devtron-labs/devtron.git", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 54, + 
"Content": " - name: DB_TYPE", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: DB_TYPE", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 55, + "Content": " value: postgres", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: postgres", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 56, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV020", + "AVDID": "AVD-KSV-0020", + "Title": "Runs with UID \u003c= 10000", + "Description": "Force the container to run with user ID \u003e 10000 to avoid conflicts with the host’s user table.", + "Message": "Container 'postgresql-migrate-devtron' of Job 'postgresql-migrate-devtron' should set 'securityContext.runAsUser' \u003e 10000", + "Namespace": "builtin.kubernetes.KSV020", + "Query": "data.builtin.kubernetes.KSV020.deny", + "Resolution": "Set 'containers[].securityContext.runAsUser' to an integer \u003e 10000.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv020", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-runasuser/", + "https://avd.aquasec.com/misconfig/ksv020" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 9, + "EndLine": 34, + "Code": { + "Lines": [ + { + "Number": 9, + "Content": " - name: postgresql-migrate-devtron", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-migrate-devtron", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 10, + "Content": " image: quay.io/devtron/migrator:71748de9-149-11112", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " 
\u001b[38;5;33mimage\u001b[0m: quay.io/devtron/migrator:71748de9-149-11112", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 11, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 12, + "Content": " - name: GIT_BRANCH", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: GIT_BRANCH", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 13, + "Content": " value: main", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: main", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 14, + "Content": " - name: SCRIPT_LOCATION", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: SCRIPT_LOCATION", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 15, + "Content": " value: scripts/sql/", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: scripts/sql/", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 16, + "Content": " - name: GIT_REPO_URL", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: GIT_REPO_URL", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 17, + "Content": " value: https://github.com/devtron-labs/devtron.git", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: https://github.com/devtron-labs/devtron.git", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 18, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV020", + 
"AVDID": "AVD-KSV-0020", + "Title": "Runs with UID \u003c= 10000", + "Description": "Force the container to run with user ID \u003e 10000 to avoid conflicts with the host’s user table.", + "Message": "Container 'postgresql-migrate-gitsensor' of Job 'postgresql-migrate-gitsensor' should set 'securityContext.runAsUser' \u003e 10000", + "Namespace": "builtin.kubernetes.KSV020", + "Query": "data.builtin.kubernetes.KSV020.deny", + "Resolution": "Set 'containers[].securityContext.runAsUser' to an integer \u003e 10000.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv020", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-runasuser/", + "https://avd.aquasec.com/misconfig/ksv020" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 85, + "EndLine": 110, + "Code": { + "Lines": [ + { + "Number": 85, + "Content": " - name: postgresql-migrate-gitsensor", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-migrate-gitsensor", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 86, + "Content": " image: quay.io/devtron/migrator:71748de9-149-11112", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/migrator:71748de9-149-11112", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 87, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 88, + "Content": " - name: SCRIPT_LOCATION", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: SCRIPT_LOCATION", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 89, + "Content": " value: scripts/sql/", + "IsCause": true, + 
"Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: scripts/sql/", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 90, + "Content": " - name: GIT_REPO_URL", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: GIT_REPO_URL", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 91, + "Content": " value: https://github.com/devtron-labs/git-sensor.git", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: https://github.com/devtron-labs/git-sensor.git", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 92, + "Content": " - name: DB_TYPE", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: DB_TYPE", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 93, + "Content": " value: postgres", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: postgres", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 94, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV020", + "AVDID": "AVD-KSV-0020", + "Title": "Runs with UID \u003c= 10000", + "Description": "Force the container to run with user ID \u003e 10000 to avoid conflicts with the host’s user table.", + "Message": "Container 'postgresql-migrate-lens' of Job 'postgresql-migrate-lens' should set 'securityContext.runAsUser' \u003e 10000", + "Namespace": "builtin.kubernetes.KSV020", + "Query": "data.builtin.kubernetes.KSV020.deny", + "Resolution": "Set 'containers[].securityContext.runAsUser' to an integer \u003e 10000.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv020", + "References": [ + 
"https://kubesec.io/basics/containers-securitycontext-runasuser/", + "https://avd.aquasec.com/misconfig/ksv020" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 123, + "EndLine": 148, + "Code": { + "Lines": [ + { + "Number": 123, + "Content": " - name: postgresql-migrate-lens", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-migrate-lens", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 124, + "Content": " image: quay.io/devtron/migrator:71748de9-149-11112", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/migrator:71748de9-149-11112", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 125, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 126, + "Content": " - name: SCRIPT_LOCATION", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: SCRIPT_LOCATION", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 127, + "Content": " value: scripts/sql/", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: scripts/sql/", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 128, + "Content": " - name: GIT_REPO_URL", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: GIT_REPO_URL", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 129, + "Content": " value: https://github.com/devtron-labs/lens.git", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: https://github.com/devtron-labs/lens.git", + 
"FirstCause": false, + "LastCause": false + }, + { + "Number": 130, + "Content": " - name: DB_TYPE", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: DB_TYPE", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 131, + "Content": " value: postgres", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: postgres", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 132, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV020", + "AVDID": "AVD-KSV-0020", + "Title": "Runs with UID \u003c= 10000", + "Description": "Force the container to run with user ID \u003e 10000 to avoid conflicts with the host’s user table.", + "Message": "Container 'postgresql-miscellaneous' of Job 'postgresql-miscellaneous' should set 'securityContext.runAsUser' \u003e 10000", + "Namespace": "builtin.kubernetes.KSV020", + "Query": "data.builtin.kubernetes.KSV020.deny", + "Resolution": "Set 'containers[].securityContext.runAsUser' to an integer \u003e 10000.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv020", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-runasuser/", + "https://avd.aquasec.com/misconfig/ksv020" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 165, + "EndLine": 181, + "Code": { + "Lines": [ + { + "Number": 165, + "Content": " - name: postgresql-miscellaneous", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-miscellaneous", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 166, + "Content": " image: quay.io/devtron/postgres:11.9", + "IsCause": true, + "Annotation": "", + 
"Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/postgres:11.9", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 167, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 168, + "Content": " - name: PGPASSWORD", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: PGPASSWORD", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 169, + "Content": " valueFrom:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalueFrom\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 170, + "Content": " secretKeyRef:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33msecretKeyRef\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 171, + "Content": " name: postgresql-postgresql", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mname\u001b[0m: postgresql-postgresql", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 172, + "Content": " key: postgresql-password", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mkey\u001b[0m: postgresql-password", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 173, + "Content": " - name: PGHOST", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: PGHOST", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 174, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV021", + "AVDID": "AVD-KSV-0021", + "Title": 
"Runs with GID \u003c= 10000", + "Description": "Force the container to run with group ID \u003e 10000 to avoid conflicts with the host’s user table.", + "Message": "Container 'postgresql-migrate-casbin' of Job 'postgresql-migrate-casbin' should set 'securityContext.runAsGroup' \u003e 10000", + "Namespace": "builtin.kubernetes.KSV021", + "Query": "data.builtin.kubernetes.KSV021.deny", + "Resolution": "Set 'containers[].securityContext.runAsGroup' to an integer \u003e 10000.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv021", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-runasuser/", + "https://avd.aquasec.com/misconfig/ksv021" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 47, + "EndLine": 72, + "Code": { + "Lines": [ + { + "Number": 47, + "Content": " - name: postgresql-migrate-casbin", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-migrate-casbin", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 48, + "Content": " image: quay.io/devtron/migrator:71748de9-149-11112", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/migrator:71748de9-149-11112", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 49, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 50, + "Content": " - name: SCRIPT_LOCATION", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: SCRIPT_LOCATION", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 51, + "Content": " value: scripts/casbin/", + "IsCause": true, + "Annotation": "", + "Truncated": false, + 
"Highlighted": " \u001b[38;5;33mvalue\u001b[0m: scripts/casbin/", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 52, + "Content": " - name: GIT_REPO_URL", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: GIT_REPO_URL", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 53, + "Content": " value: https://github.com/devtron-labs/devtron.git", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: https://github.com/devtron-labs/devtron.git", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 54, + "Content": " - name: DB_TYPE", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: DB_TYPE", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 55, + "Content": " value: postgres", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: postgres", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 56, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV021", + "AVDID": "AVD-KSV-0021", + "Title": "Runs with GID \u003c= 10000", + "Description": "Force the container to run with group ID \u003e 10000 to avoid conflicts with the host’s user table.", + "Message": "Container 'postgresql-migrate-devtron' of Job 'postgresql-migrate-devtron' should set 'securityContext.runAsGroup' \u003e 10000", + "Namespace": "builtin.kubernetes.KSV021", + "Query": "data.builtin.kubernetes.KSV021.deny", + "Resolution": "Set 'containers[].securityContext.runAsGroup' to an integer \u003e 10000.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv021", + "References": [ + 
"https://kubesec.io/basics/containers-securitycontext-runasuser/", + "https://avd.aquasec.com/misconfig/ksv021" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 9, + "EndLine": 34, + "Code": { + "Lines": [ + { + "Number": 9, + "Content": " - name: postgresql-migrate-devtron", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-migrate-devtron", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 10, + "Content": " image: quay.io/devtron/migrator:71748de9-149-11112", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/migrator:71748de9-149-11112", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 11, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 12, + "Content": " - name: GIT_BRANCH", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: GIT_BRANCH", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 13, + "Content": " value: main", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: main", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 14, + "Content": " - name: SCRIPT_LOCATION", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: SCRIPT_LOCATION", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 15, + "Content": " value: scripts/sql/", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: scripts/sql/", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 16, + "Content": " - 
name: GIT_REPO_URL", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: GIT_REPO_URL", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 17, + "Content": " value: https://github.com/devtron-labs/devtron.git", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: https://github.com/devtron-labs/devtron.git", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 18, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV021", + "AVDID": "AVD-KSV-0021", + "Title": "Runs with GID \u003c= 10000", + "Description": "Force the container to run with group ID \u003e 10000 to avoid conflicts with the host’s user table.", + "Message": "Container 'postgresql-migrate-gitsensor' of Job 'postgresql-migrate-gitsensor' should set 'securityContext.runAsGroup' \u003e 10000", + "Namespace": "builtin.kubernetes.KSV021", + "Query": "data.builtin.kubernetes.KSV021.deny", + "Resolution": "Set 'containers[].securityContext.runAsGroup' to an integer \u003e 10000.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv021", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-runasuser/", + "https://avd.aquasec.com/misconfig/ksv021" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 85, + "EndLine": 110, + "Code": { + "Lines": [ + { + "Number": 85, + "Content": " - name: postgresql-migrate-gitsensor", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-migrate-gitsensor", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 86, + "Content": " image: quay.io/devtron/migrator:71748de9-149-11112", + "IsCause": true, 
+ "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/migrator:71748de9-149-11112", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 87, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 88, + "Content": " - name: SCRIPT_LOCATION", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: SCRIPT_LOCATION", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 89, + "Content": " value: scripts/sql/", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: scripts/sql/", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 90, + "Content": " - name: GIT_REPO_URL", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: GIT_REPO_URL", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 91, + "Content": " value: https://github.com/devtron-labs/git-sensor.git", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: https://github.com/devtron-labs/git-sensor.git", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 92, + "Content": " - name: DB_TYPE", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: DB_TYPE", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 93, + "Content": " value: postgres", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: postgres", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 94, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } 
+ }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV021", + "AVDID": "AVD-KSV-0021", + "Title": "Runs with GID \u003c= 10000", + "Description": "Force the container to run with group ID \u003e 10000 to avoid conflicts with the host’s user table.", + "Message": "Container 'postgresql-migrate-lens' of Job 'postgresql-migrate-lens' should set 'securityContext.runAsGroup' \u003e 10000", + "Namespace": "builtin.kubernetes.KSV021", + "Query": "data.builtin.kubernetes.KSV021.deny", + "Resolution": "Set 'containers[].securityContext.runAsGroup' to an integer \u003e 10000.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv021", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-runasuser/", + "https://avd.aquasec.com/misconfig/ksv021" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 123, + "EndLine": 148, + "Code": { + "Lines": [ + { + "Number": 123, + "Content": " - name: postgresql-migrate-lens", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-migrate-lens", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 124, + "Content": " image: quay.io/devtron/migrator:71748de9-149-11112", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/migrator:71748de9-149-11112", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 125, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 126, + "Content": " - name: SCRIPT_LOCATION", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: SCRIPT_LOCATION", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 127, + "Content": 
" value: scripts/sql/", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: scripts/sql/", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 128, + "Content": " - name: GIT_REPO_URL", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: GIT_REPO_URL", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 129, + "Content": " value: https://github.com/devtron-labs/lens.git", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: https://github.com/devtron-labs/lens.git", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 130, + "Content": " - name: DB_TYPE", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: DB_TYPE", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 131, + "Content": " value: postgres", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: postgres", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 132, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV021", + "AVDID": "AVD-KSV-0021", + "Title": "Runs with GID \u003c= 10000", + "Description": "Force the container to run with group ID \u003e 10000 to avoid conflicts with the host’s user table.", + "Message": "Container 'postgresql-miscellaneous' of Job 'postgresql-miscellaneous' should set 'securityContext.runAsGroup' \u003e 10000", + "Namespace": "builtin.kubernetes.KSV021", + "Query": "data.builtin.kubernetes.KSV021.deny", + "Resolution": "Set 'containers[].securityContext.runAsGroup' to an integer \u003e 10000.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv021", + 
"References": [ + "https://kubesec.io/basics/containers-securitycontext-runasuser/", + "https://avd.aquasec.com/misconfig/ksv021" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 165, + "EndLine": 181, + "Code": { + "Lines": [ + { + "Number": 165, + "Content": " - name: postgresql-miscellaneous", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-miscellaneous", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 166, + "Content": " image: quay.io/devtron/postgres:11.9", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/postgres:11.9", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 167, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 168, + "Content": " - name: PGPASSWORD", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: PGPASSWORD", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 169, + "Content": " valueFrom:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalueFrom\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 170, + "Content": " secretKeyRef:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33msecretKeyRef\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 171, + "Content": " name: postgresql-postgresql", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mname\u001b[0m: postgresql-postgresql", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 172, + "Content": " key: 
postgresql-password", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mkey\u001b[0m: postgresql-password", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 173, + "Content": " - name: PGHOST", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: PGHOST", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 174, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV030", + "AVDID": "AVD-KSV-0030", + "Title": "Runtime/Default Seccomp profile not set", + "Description": "According to pod security standard 'Seccomp', the RuntimeDefault seccomp profile must be required, or allow specific additional profiles.", + "Message": "Either Pod or Container should set 'securityContext.seccompProfile.type' to 'RuntimeDefault'", + "Namespace": "builtin.kubernetes.KSV030", + "Query": "data.builtin.kubernetes.KSV030.deny", + "Resolution": "Set 'spec.securityContext.seccompProfile.type', 'spec.containers[*].securityContext.seccompProfile' and 'spec.initContainers[*].securityContext.seccompProfile' to 'RuntimeDefault' or undefined.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv030", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", + "https://avd.aquasec.com/misconfig/ksv030" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 165, + "EndLine": 181, + "Code": { + "Lines": [ + { + "Number": 165, + "Content": " - name: postgresql-miscellaneous", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-miscellaneous", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 166, + 
"Content": " image: quay.io/devtron/postgres:11.9", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/postgres:11.9", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 167, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 168, + "Content": " - name: PGPASSWORD", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: PGPASSWORD", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 169, + "Content": " valueFrom:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalueFrom\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 170, + "Content": " secretKeyRef:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33msecretKeyRef\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 171, + "Content": " name: postgresql-postgresql", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mname\u001b[0m: postgresql-postgresql", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 172, + "Content": " key: postgresql-password", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mkey\u001b[0m: postgresql-password", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 173, + "Content": " - name: PGHOST", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: PGHOST", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 174, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + 
"Type": "Kubernetes Security Check", + "ID": "KSV030", + "AVDID": "AVD-KSV-0030", + "Title": "Runtime/Default Seccomp profile not set", + "Description": "According to pod security standard 'Seccomp', the RuntimeDefault seccomp profile must be required, or allow specific additional profiles.", + "Message": "Either Pod or Container should set 'securityContext.seccompProfile.type' to 'RuntimeDefault'", + "Namespace": "builtin.kubernetes.KSV030", + "Query": "data.builtin.kubernetes.KSV030.deny", + "Resolution": "Set 'spec.securityContext.seccompProfile.type', 'spec.containers[*].securityContext.seccompProfile' and 'spec.initContainers[*].securityContext.seccompProfile' to 'RuntimeDefault' or undefined.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv030", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", + "https://avd.aquasec.com/misconfig/ksv030" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 123, + "EndLine": 148, + "Code": { + "Lines": [ + { + "Number": 123, + "Content": " - name: postgresql-migrate-lens", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-migrate-lens", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 124, + "Content": " image: quay.io/devtron/migrator:71748de9-149-11112", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/migrator:71748de9-149-11112", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 125, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 126, + "Content": " - name: SCRIPT_LOCATION", + "IsCause": true, + "Annotation": "", + "Truncated": false, + 
"Highlighted": " - \u001b[38;5;33mname\u001b[0m: SCRIPT_LOCATION", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 127, + "Content": " value: scripts/sql/", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: scripts/sql/", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 128, + "Content": " - name: GIT_REPO_URL", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: GIT_REPO_URL", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 129, + "Content": " value: https://github.com/devtron-labs/lens.git", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: https://github.com/devtron-labs/lens.git", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 130, + "Content": " - name: DB_TYPE", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: DB_TYPE", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 131, + "Content": " value: postgres", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: postgres", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 132, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV030", + "AVDID": "AVD-KSV-0030", + "Title": "Runtime/Default Seccomp profile not set", + "Description": "According to pod security standard 'Seccomp', the RuntimeDefault seccomp profile must be required, or allow specific additional profiles.", + "Message": "Either Pod or Container should set 'securityContext.seccompProfile.type' to 'RuntimeDefault'", + "Namespace": "builtin.kubernetes.KSV030", + "Query": "data.builtin.kubernetes.KSV030.deny", + 
"Resolution": "Set 'spec.securityContext.seccompProfile.type', 'spec.containers[*].securityContext.seccompProfile' and 'spec.initContainers[*].securityContext.seccompProfile' to 'RuntimeDefault' or undefined.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv030", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", + "https://avd.aquasec.com/misconfig/ksv030" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 85, + "EndLine": 110, + "Code": { + "Lines": [ + { + "Number": 85, + "Content": " - name: postgresql-migrate-gitsensor", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-migrate-gitsensor", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 86, + "Content": " image: quay.io/devtron/migrator:71748de9-149-11112", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/migrator:71748de9-149-11112", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 87, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 88, + "Content": " - name: SCRIPT_LOCATION", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: SCRIPT_LOCATION", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 89, + "Content": " value: scripts/sql/", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: scripts/sql/", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 90, + "Content": " - name: GIT_REPO_URL", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - 
\u001b[38;5;33mname\u001b[0m: GIT_REPO_URL", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 91, + "Content": " value: https://github.com/devtron-labs/git-sensor.git", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: https://github.com/devtron-labs/git-sensor.git", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 92, + "Content": " - name: DB_TYPE", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: DB_TYPE", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 93, + "Content": " value: postgres", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: postgres", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 94, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV030", + "AVDID": "AVD-KSV-0030", + "Title": "Runtime/Default Seccomp profile not set", + "Description": "According to pod security standard 'Seccomp', the RuntimeDefault seccomp profile must be required, or allow specific additional profiles.", + "Message": "Either Pod or Container should set 'securityContext.seccompProfile.type' to 'RuntimeDefault'", + "Namespace": "builtin.kubernetes.KSV030", + "Query": "data.builtin.kubernetes.KSV030.deny", + "Resolution": "Set 'spec.securityContext.seccompProfile.type', 'spec.containers[*].securityContext.seccompProfile' and 'spec.initContainers[*].securityContext.seccompProfile' to 'RuntimeDefault' or undefined.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv030", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", + "https://avd.aquasec.com/misconfig/ksv030" + ], + "Status": "FAIL", + "Layer": {}, + 
"CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 47, + "EndLine": 72, + "Code": { + "Lines": [ + { + "Number": 47, + "Content": " - name: postgresql-migrate-casbin", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-migrate-casbin", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 48, + "Content": " image: quay.io/devtron/migrator:71748de9-149-11112", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/migrator:71748de9-149-11112", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 49, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 50, + "Content": " - name: SCRIPT_LOCATION", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: SCRIPT_LOCATION", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 51, + "Content": " value: scripts/casbin/", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: scripts/casbin/", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 52, + "Content": " - name: GIT_REPO_URL", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: GIT_REPO_URL", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 53, + "Content": " value: https://github.com/devtron-labs/devtron.git", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: https://github.com/devtron-labs/devtron.git", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 54, + "Content": " - name: DB_TYPE", + "IsCause": true, + "Annotation": "", + "Truncated": 
false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: DB_TYPE", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 55, + "Content": " value: postgres", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: postgres", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 56, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV030", + "AVDID": "AVD-KSV-0030", + "Title": "Runtime/Default Seccomp profile not set", + "Description": "According to pod security standard 'Seccomp', the RuntimeDefault seccomp profile must be required, or allow specific additional profiles.", + "Message": "Either Pod or Container should set 'securityContext.seccompProfile.type' to 'RuntimeDefault'", + "Namespace": "builtin.kubernetes.KSV030", + "Query": "data.builtin.kubernetes.KSV030.deny", + "Resolution": "Set 'spec.securityContext.seccompProfile.type', 'spec.containers[*].securityContext.seccompProfile' and 'spec.initContainers[*].securityContext.seccompProfile' to 'RuntimeDefault' or undefined.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv030", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", + "https://avd.aquasec.com/misconfig/ksv030" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 9, + "EndLine": 34, + "Code": { + "Lines": [ + { + "Number": 9, + "Content": " - name: postgresql-migrate-devtron", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-migrate-devtron", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 10, + "Content": " image: quay.io/devtron/migrator:71748de9-149-11112", + "IsCause": true, + 
"Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/migrator:71748de9-149-11112", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 11, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 12, + "Content": " - name: GIT_BRANCH", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: GIT_BRANCH", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 13, + "Content": " value: main", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: main", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 14, + "Content": " - name: SCRIPT_LOCATION", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: SCRIPT_LOCATION", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 15, + "Content": " value: scripts/sql/", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: scripts/sql/", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 16, + "Content": " - name: GIT_REPO_URL", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: GIT_REPO_URL", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 17, + "Content": " value: https://github.com/devtron-labs/devtron.git", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: https://github.com/devtron-labs/devtron.git", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 18, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { 
+ "Type": "Kubernetes Security Check", + "ID": "KSV104", + "AVDID": "AVD-KSV-0104", + "Title": "Seccomp policies disabled", + "Description": "A program inside the container can bypass Seccomp protection policies.", + "Message": "container \"postgresql-migrate-casbin\" of job \"postgresql-migrate-casbin\" in \"default\" namespace should specify a seccomp profile", + "Namespace": "builtin.kubernetes.KSV104", + "Query": "data.builtin.kubernetes.KSV104.deny", + "Resolution": "Specify seccomp either by annotation or by seccomp profile type having allowed values as per pod security standards", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv104", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline", + "https://avd.aquasec.com/misconfig/ksv104" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 38, + "EndLine": 38, + "Code": { + "Lines": [ + { + "Number": 38, + "Content": "---", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m---", + "FirstCause": true, + "LastCause": true + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV104", + "AVDID": "AVD-KSV-0104", + "Title": "Seccomp policies disabled", + "Description": "A program inside the container can bypass Seccomp protection policies.", + "Message": "container \"postgresql-migrate-devtron\" of job \"postgresql-migrate-devtron\" in \"default\" namespace should specify a seccomp profile", + "Namespace": "builtin.kubernetes.KSV104", + "Query": "data.builtin.kubernetes.KSV104.deny", + "Resolution": "Specify seccomp either by annotation or by seccomp profile type having allowed values as per pod security standards", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv104", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline", + 
"https://avd.aquasec.com/misconfig/ksv104" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "Code": { + "Lines": null + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV104", + "AVDID": "AVD-KSV-0104", + "Title": "Seccomp policies disabled", + "Description": "A program inside the container can bypass Seccomp protection policies.", + "Message": "container \"postgresql-migrate-gitsensor\" of job \"postgresql-migrate-gitsensor\" in \"default\" namespace should specify a seccomp profile", + "Namespace": "builtin.kubernetes.KSV104", + "Query": "data.builtin.kubernetes.KSV104.deny", + "Resolution": "Specify seccomp either by annotation or by seccomp profile type having allowed values as per pod security standards", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv104", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline", + "https://avd.aquasec.com/misconfig/ksv104" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 76, + "EndLine": 76, + "Code": { + "Lines": [ + { + "Number": 76, + "Content": "---", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m---", + "FirstCause": true, + "LastCause": true + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV104", + "AVDID": "AVD-KSV-0104", + "Title": "Seccomp policies disabled", + "Description": "A program inside the container can bypass Seccomp protection policies.", + "Message": "container \"postgresql-migrate-lens\" of job \"postgresql-migrate-lens\" in \"default\" namespace should specify a seccomp profile", + "Namespace": "builtin.kubernetes.KSV104", + "Query": "data.builtin.kubernetes.KSV104.deny", + "Resolution": "Specify seccomp either by annotation or by seccomp profile type having allowed values as per pod security standards", + 
"Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv104", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline", + "https://avd.aquasec.com/misconfig/ksv104" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 114, + "EndLine": 114, + "Code": { + "Lines": [ + { + "Number": 114, + "Content": "---", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m---", + "FirstCause": true, + "LastCause": true + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV104", + "AVDID": "AVD-KSV-0104", + "Title": "Seccomp policies disabled", + "Description": "A program inside the container can bypass Seccomp protection policies.", + "Message": "container \"postgresql-miscellaneous\" of job \"postgresql-miscellaneous\" in \"default\" namespace should specify a seccomp profile", + "Namespace": "builtin.kubernetes.KSV104", + "Query": "data.builtin.kubernetes.KSV104.deny", + "Resolution": "Specify seccomp either by annotation or by seccomp profile type having allowed values as per pod security standards", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv104", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline", + "https://avd.aquasec.com/misconfig/ksv104" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 152, + "EndLine": 152, + "Code": { + "Lines": [ + { + "Number": 152, + "Content": "---", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m---", + "FirstCause": true, + "LastCause": true + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV106", + "AVDID": "AVD-KSV-0106", + "Title": "Container capabilities must only include NET_BIND_SERVICE", + "Description": "Containers must 
drop ALL capabilities, and are only permitted to add back the NET_BIND_SERVICE capability.", + "Message": "container should drop all", + "Namespace": "builtin.kubernetes.KSV106", + "Query": "data.builtin.kubernetes.KSV106.deny", + "Resolution": "Set 'spec.containers[*].securityContext.capabilities.drop' to 'ALL' and only add 'NET_BIND_SERVICE' to 'spec.containers[*].securityContext.capabilities.add'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv106", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", + "https://avd.aquasec.com/misconfig/ksv106" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 165, + "EndLine": 181, + "Code": { + "Lines": [ + { + "Number": 165, + "Content": " - name: postgresql-miscellaneous", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-miscellaneous", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 166, + "Content": " image: quay.io/devtron/postgres:11.9", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/postgres:11.9", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 167, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 168, + "Content": " - name: PGPASSWORD", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: PGPASSWORD", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 169, + "Content": " valueFrom:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalueFrom\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + 
"Number": 170, + "Content": " secretKeyRef:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33msecretKeyRef\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 171, + "Content": " name: postgresql-postgresql", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mname\u001b[0m: postgresql-postgresql", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 172, + "Content": " key: postgresql-password", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mkey\u001b[0m: postgresql-password", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 173, + "Content": " - name: PGHOST", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: PGHOST", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 174, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV106", + "AVDID": "AVD-KSV-0106", + "Title": "Container capabilities must only include NET_BIND_SERVICE", + "Description": "Containers must drop ALL capabilities, and are only permitted to add back the NET_BIND_SERVICE capability.", + "Message": "container should drop all", + "Namespace": "builtin.kubernetes.KSV106", + "Query": "data.builtin.kubernetes.KSV106.deny", + "Resolution": "Set 'spec.containers[*].securityContext.capabilities.drop' to 'ALL' and only add 'NET_BIND_SERVICE' to 'spec.containers[*].securityContext.capabilities.add'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv106", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", + "https://avd.aquasec.com/misconfig/ksv106" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": 
"Kubernetes", + "Service": "general", + "StartLine": 123, + "EndLine": 148, + "Code": { + "Lines": [ + { + "Number": 123, + "Content": " - name: postgresql-migrate-lens", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-migrate-lens", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 124, + "Content": " image: quay.io/devtron/migrator:71748de9-149-11112", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/migrator:71748de9-149-11112", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 125, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 126, + "Content": " - name: SCRIPT_LOCATION", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: SCRIPT_LOCATION", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 127, + "Content": " value: scripts/sql/", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: scripts/sql/", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 128, + "Content": " - name: GIT_REPO_URL", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: GIT_REPO_URL", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 129, + "Content": " value: https://github.com/devtron-labs/lens.git", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: https://github.com/devtron-labs/lens.git", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 130, + "Content": " - name: DB_TYPE", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - 
\u001b[38;5;33mname\u001b[0m: DB_TYPE", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 131, + "Content": " value: postgres", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: postgres", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 132, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV106", + "AVDID": "AVD-KSV-0106", + "Title": "Container capabilities must only include NET_BIND_SERVICE", + "Description": "Containers must drop ALL capabilities, and are only permitted to add back the NET_BIND_SERVICE capability.", + "Message": "container should drop all", + "Namespace": "builtin.kubernetes.KSV106", + "Query": "data.builtin.kubernetes.KSV106.deny", + "Resolution": "Set 'spec.containers[*].securityContext.capabilities.drop' to 'ALL' and only add 'NET_BIND_SERVICE' to 'spec.containers[*].securityContext.capabilities.add'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv106", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", + "https://avd.aquasec.com/misconfig/ksv106" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 85, + "EndLine": 110, + "Code": { + "Lines": [ + { + "Number": 85, + "Content": " - name: postgresql-migrate-gitsensor", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-migrate-gitsensor", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 86, + "Content": " image: quay.io/devtron/migrator:71748de9-149-11112", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/migrator:71748de9-149-11112", + 
"FirstCause": false, + "LastCause": false + }, + { + "Number": 87, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 88, + "Content": " - name: SCRIPT_LOCATION", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: SCRIPT_LOCATION", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 89, + "Content": " value: scripts/sql/", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: scripts/sql/", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 90, + "Content": " - name: GIT_REPO_URL", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: GIT_REPO_URL", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 91, + "Content": " value: https://github.com/devtron-labs/git-sensor.git", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: https://github.com/devtron-labs/git-sensor.git", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 92, + "Content": " - name: DB_TYPE", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: DB_TYPE", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 93, + "Content": " value: postgres", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: postgres", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 94, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV106", + "AVDID": "AVD-KSV-0106", + "Title": "Container capabilities must only 
include NET_BIND_SERVICE", + "Description": "Containers must drop ALL capabilities, and are only permitted to add back the NET_BIND_SERVICE capability.", + "Message": "container should drop all", + "Namespace": "builtin.kubernetes.KSV106", + "Query": "data.builtin.kubernetes.KSV106.deny", + "Resolution": "Set 'spec.containers[*].securityContext.capabilities.drop' to 'ALL' and only add 'NET_BIND_SERVICE' to 'spec.containers[*].securityContext.capabilities.add'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv106", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", + "https://avd.aquasec.com/misconfig/ksv106" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 47, + "EndLine": 72, + "Code": { + "Lines": [ + { + "Number": 47, + "Content": " - name: postgresql-migrate-casbin", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-migrate-casbin", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 48, + "Content": " image: quay.io/devtron/migrator:71748de9-149-11112", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/migrator:71748de9-149-11112", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 49, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 50, + "Content": " - name: SCRIPT_LOCATION", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: SCRIPT_LOCATION", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 51, + "Content": " value: scripts/casbin/", + "IsCause": true, + "Annotation": "", + "Truncated": false, + 
"Highlighted": " \u001b[38;5;33mvalue\u001b[0m: scripts/casbin/", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 52, + "Content": " - name: GIT_REPO_URL", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: GIT_REPO_URL", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 53, + "Content": " value: https://github.com/devtron-labs/devtron.git", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: https://github.com/devtron-labs/devtron.git", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 54, + "Content": " - name: DB_TYPE", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: DB_TYPE", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 55, + "Content": " value: postgres", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: postgres", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 56, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV106", + "AVDID": "AVD-KSV-0106", + "Title": "Container capabilities must only include NET_BIND_SERVICE", + "Description": "Containers must drop ALL capabilities, and are only permitted to add back the NET_BIND_SERVICE capability.", + "Message": "container should drop all", + "Namespace": "builtin.kubernetes.KSV106", + "Query": "data.builtin.kubernetes.KSV106.deny", + "Resolution": "Set 'spec.containers[*].securityContext.capabilities.drop' to 'ALL' and only add 'NET_BIND_SERVICE' to 'spec.containers[*].securityContext.capabilities.add'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv106", + "References": [ + 
"https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", + "https://avd.aquasec.com/misconfig/ksv106" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 9, + "EndLine": 34, + "Code": { + "Lines": [ + { + "Number": 9, + "Content": " - name: postgresql-migrate-devtron", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-migrate-devtron", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 10, + "Content": " image: quay.io/devtron/migrator:71748de9-149-11112", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/migrator:71748de9-149-11112", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 11, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 12, + "Content": " - name: GIT_BRANCH", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: GIT_BRANCH", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 13, + "Content": " value: main", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: main", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 14, + "Content": " - name: SCRIPT_LOCATION", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: SCRIPT_LOCATION", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 15, + "Content": " value: scripts/sql/", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: scripts/sql/", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 16, + 
"Content": " - name: GIT_REPO_URL", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: GIT_REPO_URL", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 17, + "Content": " value: https://github.com/devtron-labs/devtron.git", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: https://github.com/devtron-labs/devtron.git", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 18, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + } + ] + }, + { + "Target": "tests/integrationTesting/postgresql-secret.yaml", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 153, + "Failures": 0, + "Exceptions": 0 + } + }, + { + "Target": "tests/integrationTesting/postgresql.yaml", + "Class": "config", + "Type": "kubernetes", + "MisconfSummary": { + "Successes": 153, + "Failures": 41, + "Exceptions": 0 + }, + "Misconfigurations": [ + { + "Type": "Kubernetes Security Check", + "ID": "KSV001", + "AVDID": "AVD-KSV-0001", + "Title": "Can elevate its own privileges", + "Description": "A program inside the container can elevate its own privileges and run as root, which might give the program control over the container and node.", + "Message": "Container 'init-chmod-data' of StatefulSet 'postgresql-postgresql' should set 'securityContext.allowPrivilegeEscalation' to false", + "Namespace": "builtin.kubernetes.KSV001", + "Query": "data.builtin.kubernetes.KSV001.deny", + "Resolution": "Set 'set containers[].securityContext.allowPrivilegeEscalation' to 'false'.", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv001", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", + "https://avd.aquasec.com/misconfig/ksv001" + ], + "Status": "FAIL", + "Layer": {}, + 
"CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 111, + "EndLine": 132, + "Code": { + "Lines": [ + { + "Number": 111, + "Content": " - name: init-chmod-data", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: init-chmod-data", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 112, + "Content": " image: \"quay.io/devtron/minideb:latest\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/minideb:latest\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 113, + "Content": " imagePullPolicy: \"IfNotPresent\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: \u001b[38;5;37m\"IfNotPresent\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 114, + "Content": " command:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mcommand\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 115, + "Content": " - /bin/sh", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - /bin/sh", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 116, + "Content": " - -cx", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - -cx", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 117, + "Content": " - |", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - |", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 118, + "Content": "", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "FirstCause": false, + "LastCause": false + }, + { + "Number": 119, + "Content": " mkdir -p /bitnami/postgresql/data", + "IsCause": true, + "Annotation": "", + "Truncated": false, 
+ "Highlighted": " mkdir -p /bitnami/postgresql/data", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 120, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV001", + "AVDID": "AVD-KSV-0001", + "Title": "Can elevate its own privileges", + "Description": "A program inside the container can elevate its own privileges and run as root, which might give the program control over the container and node.", + "Message": "Container 'metrics' of StatefulSet 'postgresql-postgresql' should set 'securityContext.allowPrivilegeEscalation' to false", + "Namespace": "builtin.kubernetes.KSV001", + "Query": "data.builtin.kubernetes.KSV001.deny", + "Resolution": "Set 'set containers[].securityContext.allowPrivilegeEscalation' to 'false'.", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv001", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", + "https://avd.aquasec.com/misconfig/ksv001" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 201, + "EndLine": 235, + "Code": { + "Lines": [ + { + "Number": 201, + "Content": " - name: metrics", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: metrics", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 202, + "Content": " image: quay.io/devtron/postgres_exporter:v0.4.7", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/postgres_exporter:v0.4.7", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 203, + "Content": " imagePullPolicy: \"IfNotPresent\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " 
\u001b[38;5;33mimagePullPolicy\u001b[0m: \u001b[38;5;37m\"IfNotPresent\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 204, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 205, + "Content": " - name: DATA_SOURCE_URI", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: DATA_SOURCE_URI", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 206, + "Content": " value: \"127.0.0.1:5432/orchestrator?sslmode=disable\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: \u001b[38;5;37m\"127.0.0.1:5432/orchestrator?sslmode=disable\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 207, + "Content": " - name: DATA_SOURCE_PASS", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: DATA_SOURCE_PASS", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 208, + "Content": " valueFrom:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalueFrom\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 209, + "Content": " secretKeyRef:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33msecretKeyRef\u001b[0m:", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 210, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV001", + "AVDID": "AVD-KSV-0001", + "Title": "Can elevate its own privileges", + "Description": "A program inside the container can elevate its own privileges and run as root, which might give the 
program control over the container and node.", + "Message": "Container 'postgresql-postgresql' of StatefulSet 'postgresql-postgresql' should set 'securityContext.allowPrivilegeEscalation' to false", + "Namespace": "builtin.kubernetes.KSV001", + "Query": "data.builtin.kubernetes.KSV001.deny", + "Resolution": "Set 'set containers[].securityContext.allowPrivilegeEscalation' to 'false'.", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv001", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", + "https://avd.aquasec.com/misconfig/ksv001" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 138, + "EndLine": 199, + "Code": { + "Lines": [ + { + "Number": 138, + "Content": " - name: postgresql-postgresql", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-postgresql", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 139, + "Content": " image: quay.io/devtron/postgres:11.9.0-debian-10-r26", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/postgres:11.9.0-debian-10-r26", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 140, + "Content": " imagePullPolicy: \"IfNotPresent\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: \u001b[38;5;37m\"IfNotPresent\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 141, + "Content": " securityContext:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33msecurityContext\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 142, + "Content": " runAsUser: 1001", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " 
\u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1001", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 143, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 144, + "Content": " - name: BITNAMI_DEBUG", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: BITNAMI_DEBUG", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 145, + "Content": " value: \"false\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: \u001b[38;5;37m\"false\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 146, + "Content": " - name: POSTGRESQL_PORT_NUMBER", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: POSTGRESQL_PORT_NUMBER", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 147, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV003", + "AVDID": "AVD-KSV-0003", + "Title": "Default capabilities: some containers do not drop all", + "Description": "The container should drop all default capabilities and add only those that are needed for its execution.", + "Message": "Container 'init-chmod-data' of StatefulSet 'postgresql-postgresql' should add 'ALL' to 'securityContext.capabilities.drop'", + "Namespace": "builtin.kubernetes.KSV003", + "Query": "data.builtin.kubernetes.KSV003.deny", + "Resolution": "Add 'ALL' to containers[].securityContext.capabilities.drop.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv003", + "References": [ + 
"https://kubesec.io/basics/containers-securitycontext-capabilities-drop-index-all/", + "https://avd.aquasec.com/misconfig/ksv003" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 111, + "EndLine": 132, + "Code": { + "Lines": [ + { + "Number": 111, + "Content": " - name: init-chmod-data", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: init-chmod-data", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 112, + "Content": " image: \"quay.io/devtron/minideb:latest\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/minideb:latest\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 113, + "Content": " imagePullPolicy: \"IfNotPresent\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: \u001b[38;5;37m\"IfNotPresent\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 114, + "Content": " command:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mcommand\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 115, + "Content": " - /bin/sh", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - /bin/sh", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 116, + "Content": " - -cx", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - -cx", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 117, + "Content": " - |", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - |", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 118, + "Content": "", + "IsCause": true, + "Annotation": "", + "Truncated": false, + 
"FirstCause": false, + "LastCause": false + }, + { + "Number": 119, + "Content": " mkdir -p /bitnami/postgresql/data", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " mkdir -p /bitnami/postgresql/data", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 120, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV003", + "AVDID": "AVD-KSV-0003", + "Title": "Default capabilities: some containers do not drop all", + "Description": "The container should drop all default capabilities and add only those that are needed for its execution.", + "Message": "Container 'metrics' of StatefulSet 'postgresql-postgresql' should add 'ALL' to 'securityContext.capabilities.drop'", + "Namespace": "builtin.kubernetes.KSV003", + "Query": "data.builtin.kubernetes.KSV003.deny", + "Resolution": "Add 'ALL' to containers[].securityContext.capabilities.drop.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv003", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-capabilities-drop-index-all/", + "https://avd.aquasec.com/misconfig/ksv003" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 201, + "EndLine": 235, + "Code": { + "Lines": [ + { + "Number": 201, + "Content": " - name: metrics", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: metrics", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 202, + "Content": " image: quay.io/devtron/postgres_exporter:v0.4.7", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/postgres_exporter:v0.4.7", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 203, + "Content": " 
imagePullPolicy: \"IfNotPresent\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: \u001b[38;5;37m\"IfNotPresent\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 204, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 205, + "Content": " - name: DATA_SOURCE_URI", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: DATA_SOURCE_URI", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 206, + "Content": " value: \"127.0.0.1:5432/orchestrator?sslmode=disable\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: \u001b[38;5;37m\"127.0.0.1:5432/orchestrator?sslmode=disable\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 207, + "Content": " - name: DATA_SOURCE_PASS", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: DATA_SOURCE_PASS", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 208, + "Content": " valueFrom:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalueFrom\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 209, + "Content": " secretKeyRef:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33msecretKeyRef\u001b[0m:", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 210, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV003", + "AVDID": "AVD-KSV-0003", + "Title": "Default capabilities: some containers 
do not drop all", + "Description": "The container should drop all default capabilities and add only those that are needed for its execution.", + "Message": "Container 'postgresql-postgresql' of StatefulSet 'postgresql-postgresql' should add 'ALL' to 'securityContext.capabilities.drop'", + "Namespace": "builtin.kubernetes.KSV003", + "Query": "data.builtin.kubernetes.KSV003.deny", + "Resolution": "Add 'ALL' to containers[].securityContext.capabilities.drop.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv003", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-capabilities-drop-index-all/", + "https://avd.aquasec.com/misconfig/ksv003" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 138, + "EndLine": 199, + "Code": { + "Lines": [ + { + "Number": 138, + "Content": " - name: postgresql-postgresql", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-postgresql", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 139, + "Content": " image: quay.io/devtron/postgres:11.9.0-debian-10-r26", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/postgres:11.9.0-debian-10-r26", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 140, + "Content": " imagePullPolicy: \"IfNotPresent\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: \u001b[38;5;37m\"IfNotPresent\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 141, + "Content": " securityContext:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33msecurityContext\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 142, + "Content": " runAsUser: 1001", + "IsCause": 
true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1001", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 143, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 144, + "Content": " - name: BITNAMI_DEBUG", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: BITNAMI_DEBUG", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 145, + "Content": " value: \"false\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: \u001b[38;5;37m\"false\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 146, + "Content": " - name: POSTGRESQL_PORT_NUMBER", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: POSTGRESQL_PORT_NUMBER", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 147, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV011", + "AVDID": "AVD-KSV-0011", + "Title": "CPU not limited", + "Description": "Enforcing CPU limits prevents DoS via resource exhaustion.", + "Message": "Container 'init-chmod-data' of StatefulSet 'postgresql-postgresql' should set 'resources.limits.cpu'", + "Namespace": "builtin.kubernetes.KSV011", + "Query": "data.builtin.kubernetes.KSV011.deny", + "Resolution": "Set a limit value under 'containers[].resources.limits.cpu'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv011", + "References": [ + "https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", 
+ "https://avd.aquasec.com/misconfig/ksv011" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 111, + "EndLine": 132, + "Code": { + "Lines": [ + { + "Number": 111, + "Content": " - name: init-chmod-data", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: init-chmod-data", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 112, + "Content": " image: \"quay.io/devtron/minideb:latest\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/minideb:latest\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 113, + "Content": " imagePullPolicy: \"IfNotPresent\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: \u001b[38;5;37m\"IfNotPresent\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 114, + "Content": " command:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mcommand\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 115, + "Content": " - /bin/sh", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - /bin/sh", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 116, + "Content": " - -cx", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - -cx", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 117, + "Content": " - |", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - |", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 118, + "Content": "", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "FirstCause": false, + "LastCause": false + }, + { + "Number": 119, + "Content": " mkdir -p 
/bitnami/postgresql/data", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " mkdir -p /bitnami/postgresql/data", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 120, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV011", + "AVDID": "AVD-KSV-0011", + "Title": "CPU not limited", + "Description": "Enforcing CPU limits prevents DoS via resource exhaustion.", + "Message": "Container 'metrics' of StatefulSet 'postgresql-postgresql' should set 'resources.limits.cpu'", + "Namespace": "builtin.kubernetes.KSV011", + "Query": "data.builtin.kubernetes.KSV011.deny", + "Resolution": "Set a limit value under 'containers[].resources.limits.cpu'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv011", + "References": [ + "https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", + "https://avd.aquasec.com/misconfig/ksv011" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 201, + "EndLine": 235, + "Code": { + "Lines": [ + { + "Number": 201, + "Content": " - name: metrics", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: metrics", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 202, + "Content": " image: quay.io/devtron/postgres_exporter:v0.4.7", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/postgres_exporter:v0.4.7", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 203, + "Content": " imagePullPolicy: \"IfNotPresent\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: 
\u001b[38;5;37m\"IfNotPresent\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 204, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 205, + "Content": " - name: DATA_SOURCE_URI", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: DATA_SOURCE_URI", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 206, + "Content": " value: \"127.0.0.1:5432/orchestrator?sslmode=disable\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: \u001b[38;5;37m\"127.0.0.1:5432/orchestrator?sslmode=disable\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 207, + "Content": " - name: DATA_SOURCE_PASS", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: DATA_SOURCE_PASS", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 208, + "Content": " valueFrom:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalueFrom\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 209, + "Content": " secretKeyRef:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33msecretKeyRef\u001b[0m:", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 210, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV011", + "AVDID": "AVD-KSV-0011", + "Title": "CPU not limited", + "Description": "Enforcing CPU limits prevents DoS via resource exhaustion.", + "Message": "Container 'postgresql-postgresql' of StatefulSet 'postgresql-postgresql' should set 
'resources.limits.cpu'", + "Namespace": "builtin.kubernetes.KSV011", + "Query": "data.builtin.kubernetes.KSV011.deny", + "Resolution": "Set a limit value under 'containers[].resources.limits.cpu'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv011", + "References": [ + "https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", + "https://avd.aquasec.com/misconfig/ksv011" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 138, + "EndLine": 199, + "Code": { + "Lines": [ + { + "Number": 138, + "Content": " - name: postgresql-postgresql", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-postgresql", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 139, + "Content": " image: quay.io/devtron/postgres:11.9.0-debian-10-r26", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/postgres:11.9.0-debian-10-r26", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 140, + "Content": " imagePullPolicy: \"IfNotPresent\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: \u001b[38;5;37m\"IfNotPresent\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 141, + "Content": " securityContext:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33msecurityContext\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 142, + "Content": " runAsUser: 1001", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1001", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 143, + "Content": " env:", + "IsCause": 
true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 144, + "Content": " - name: BITNAMI_DEBUG", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: BITNAMI_DEBUG", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 145, + "Content": " value: \"false\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: \u001b[38;5;37m\"false\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 146, + "Content": " - name: POSTGRESQL_PORT_NUMBER", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: POSTGRESQL_PORT_NUMBER", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 147, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV012", + "AVDID": "AVD-KSV-0012", + "Title": "Runs as root user", + "Description": "Force the running image to run as a non-root user to ensure least privileges.", + "Message": "Container 'init-chmod-data' of StatefulSet 'postgresql-postgresql' should set 'securityContext.runAsNonRoot' to true", + "Namespace": "builtin.kubernetes.KSV012", + "Query": "data.builtin.kubernetes.KSV012.deny", + "Resolution": "Set 'containers[].securityContext.runAsNonRoot' to true.", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv012", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", + "https://avd.aquasec.com/misconfig/ksv012" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 111, + "EndLine": 132, + "Code": { + "Lines": [ + { + 
"Number": 111, + "Content": " - name: init-chmod-data", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: init-chmod-data", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 112, + "Content": " image: \"quay.io/devtron/minideb:latest\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/minideb:latest\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 113, + "Content": " imagePullPolicy: \"IfNotPresent\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: \u001b[38;5;37m\"IfNotPresent\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 114, + "Content": " command:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mcommand\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 115, + "Content": " - /bin/sh", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - /bin/sh", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 116, + "Content": " - -cx", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - -cx", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 117, + "Content": " - |", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - |", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 118, + "Content": "", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "FirstCause": false, + "LastCause": false + }, + { + "Number": 119, + "Content": " mkdir -p /bitnami/postgresql/data", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " mkdir -p /bitnami/postgresql/data", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 120, + "Content": "", 
+ "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV012", + "AVDID": "AVD-KSV-0012", + "Title": "Runs as root user", + "Description": "Force the running image to run as a non-root user to ensure least privileges.", + "Message": "Container 'metrics' of StatefulSet 'postgresql-postgresql' should set 'securityContext.runAsNonRoot' to true", + "Namespace": "builtin.kubernetes.KSV012", + "Query": "data.builtin.kubernetes.KSV012.deny", + "Resolution": "Set 'containers[].securityContext.runAsNonRoot' to true.", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv012", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", + "https://avd.aquasec.com/misconfig/ksv012" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 201, + "EndLine": 235, + "Code": { + "Lines": [ + { + "Number": 201, + "Content": " - name: metrics", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: metrics", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 202, + "Content": " image: quay.io/devtron/postgres_exporter:v0.4.7", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/postgres_exporter:v0.4.7", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 203, + "Content": " imagePullPolicy: \"IfNotPresent\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: \u001b[38;5;37m\"IfNotPresent\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 204, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33menv\u001b[0m:", 
+ "FirstCause": false, + "LastCause": false + }, + { + "Number": 205, + "Content": " - name: DATA_SOURCE_URI", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: DATA_SOURCE_URI", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 206, + "Content": " value: \"127.0.0.1:5432/orchestrator?sslmode=disable\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: \u001b[38;5;37m\"127.0.0.1:5432/orchestrator?sslmode=disable\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 207, + "Content": " - name: DATA_SOURCE_PASS", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: DATA_SOURCE_PASS", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 208, + "Content": " valueFrom:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalueFrom\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 209, + "Content": " secretKeyRef:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33msecretKeyRef\u001b[0m:", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 210, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV012", + "AVDID": "AVD-KSV-0012", + "Title": "Runs as root user", + "Description": "Force the running image to run as a non-root user to ensure least privileges.", + "Message": "Container 'postgresql-postgresql' of StatefulSet 'postgresql-postgresql' should set 'securityContext.runAsNonRoot' to true", + "Namespace": "builtin.kubernetes.KSV012", + "Query": "data.builtin.kubernetes.KSV012.deny", + "Resolution": "Set 'containers[].securityContext.runAsNonRoot' to true.", + "Severity": 
"MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv012", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", + "https://avd.aquasec.com/misconfig/ksv012" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 138, + "EndLine": 199, + "Code": { + "Lines": [ + { + "Number": 138, + "Content": " - name: postgresql-postgresql", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-postgresql", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 139, + "Content": " image: quay.io/devtron/postgres:11.9.0-debian-10-r26", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/postgres:11.9.0-debian-10-r26", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 140, + "Content": " imagePullPolicy: \"IfNotPresent\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: \u001b[38;5;37m\"IfNotPresent\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 141, + "Content": " securityContext:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33msecurityContext\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 142, + "Content": " runAsUser: 1001", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1001", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 143, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 144, + "Content": " - name: BITNAMI_DEBUG", + "IsCause": true, + 
"Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: BITNAMI_DEBUG", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 145, + "Content": " value: \"false\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: \u001b[38;5;37m\"false\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 146, + "Content": " - name: POSTGRESQL_PORT_NUMBER", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: POSTGRESQL_PORT_NUMBER", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 147, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV013", + "AVDID": "AVD-KSV-0013", + "Title": "Image tag \":latest\" used", + "Description": "It is best to avoid using the ':latest' image tag when deploying containers in production. 
Doing so makes it hard to track which version of the image is running, and hard to roll back the version.", + "Message": "Container 'init-chmod-data' of StatefulSet 'postgresql-postgresql' should specify an image tag", + "Namespace": "builtin.kubernetes.KSV013", + "Query": "data.builtin.kubernetes.KSV013.deny", + "Resolution": "Use a specific container image tag that is not 'latest'.", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv013", + "References": [ + "https://kubernetes.io/docs/concepts/configuration/overview/#container-images", + "https://avd.aquasec.com/misconfig/ksv013" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 111, + "EndLine": 132, + "Code": { + "Lines": [ + { + "Number": 111, + "Content": " - name: init-chmod-data", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: init-chmod-data", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 112, + "Content": " image: \"quay.io/devtron/minideb:latest\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/minideb:latest\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 113, + "Content": " imagePullPolicy: \"IfNotPresent\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: \u001b[38;5;37m\"IfNotPresent\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 114, + "Content": " command:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mcommand\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 115, + "Content": " - /bin/sh", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - /bin/sh", + "FirstCause": false, + 
"LastCause": false + }, + { + "Number": 116, + "Content": " - -cx", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - -cx", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 117, + "Content": " - |", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - |", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 118, + "Content": "", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "FirstCause": false, + "LastCause": false + }, + { + "Number": 119, + "Content": " mkdir -p /bitnami/postgresql/data", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " mkdir -p /bitnami/postgresql/data", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 120, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV014", + "AVDID": "AVD-KSV-0014", + "Title": "Root file system is not read-only", + "Description": "An immutable root file system prevents applications from writing to their local disk. 
This can limit intrusions, as attackers will not be able to tamper with the file system or write foreign executables to disk.", + "Message": "Container 'init-chmod-data' of StatefulSet 'postgresql-postgresql' should set 'securityContext.readOnlyRootFilesystem' to true", + "Namespace": "builtin.kubernetes.KSV014", + "Query": "data.builtin.kubernetes.KSV014.deny", + "Resolution": "Change 'containers[].securityContext.readOnlyRootFilesystem' to 'true'.", + "Severity": "HIGH", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv014", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-readonlyrootfilesystem-true/", + "https://avd.aquasec.com/misconfig/ksv014" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 111, + "EndLine": 132, + "Code": { + "Lines": [ + { + "Number": 111, + "Content": " - name: init-chmod-data", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: init-chmod-data", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 112, + "Content": " image: \"quay.io/devtron/minideb:latest\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/minideb:latest\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 113, + "Content": " imagePullPolicy: \"IfNotPresent\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: \u001b[38;5;37m\"IfNotPresent\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 114, + "Content": " command:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mcommand\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 115, + "Content": " - /bin/sh", + "IsCause": true, + "Annotation": "", + 
"Truncated": false, + "Highlighted": " - /bin/sh", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 116, + "Content": " - -cx", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - -cx", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 117, + "Content": " - |", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - |", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 118, + "Content": "", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "FirstCause": false, + "LastCause": false + }, + { + "Number": 119, + "Content": " mkdir -p /bitnami/postgresql/data", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " mkdir -p /bitnami/postgresql/data", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 120, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV014", + "AVDID": "AVD-KSV-0014", + "Title": "Root file system is not read-only", + "Description": "An immutable root file system prevents applications from writing to their local disk. 
This can limit intrusions, as attackers will not be able to tamper with the file system or write foreign executables to disk.", + "Message": "Container 'metrics' of StatefulSet 'postgresql-postgresql' should set 'securityContext.readOnlyRootFilesystem' to true", + "Namespace": "builtin.kubernetes.KSV014", + "Query": "data.builtin.kubernetes.KSV014.deny", + "Resolution": "Change 'containers[].securityContext.readOnlyRootFilesystem' to 'true'.", + "Severity": "HIGH", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv014", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-readonlyrootfilesystem-true/", + "https://avd.aquasec.com/misconfig/ksv014" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 201, + "EndLine": 235, + "Code": { + "Lines": [ + { + "Number": 201, + "Content": " - name: metrics", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: metrics", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 202, + "Content": " image: quay.io/devtron/postgres_exporter:v0.4.7", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/postgres_exporter:v0.4.7", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 203, + "Content": " imagePullPolicy: \"IfNotPresent\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: \u001b[38;5;37m\"IfNotPresent\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 204, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 205, + "Content": " - name: DATA_SOURCE_URI", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " 
- \u001b[38;5;33mname\u001b[0m: DATA_SOURCE_URI", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 206, + "Content": " value: \"127.0.0.1:5432/orchestrator?sslmode=disable\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: \u001b[38;5;37m\"127.0.0.1:5432/orchestrator?sslmode=disable\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 207, + "Content": " - name: DATA_SOURCE_PASS", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: DATA_SOURCE_PASS", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 208, + "Content": " valueFrom:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalueFrom\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 209, + "Content": " secretKeyRef:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33msecretKeyRef\u001b[0m:", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 210, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV014", + "AVDID": "AVD-KSV-0014", + "Title": "Root file system is not read-only", + "Description": "An immutable root file system prevents applications from writing to their local disk. 
This can limit intrusions, as attackers will not be able to tamper with the file system or write foreign executables to disk.", + "Message": "Container 'postgresql-postgresql' of StatefulSet 'postgresql-postgresql' should set 'securityContext.readOnlyRootFilesystem' to true", + "Namespace": "builtin.kubernetes.KSV014", + "Query": "data.builtin.kubernetes.KSV014.deny", + "Resolution": "Change 'containers[].securityContext.readOnlyRootFilesystem' to 'true'.", + "Severity": "HIGH", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv014", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-readonlyrootfilesystem-true/", + "https://avd.aquasec.com/misconfig/ksv014" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 138, + "EndLine": 199, + "Code": { + "Lines": [ + { + "Number": 138, + "Content": " - name: postgresql-postgresql", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-postgresql", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 139, + "Content": " image: quay.io/devtron/postgres:11.9.0-debian-10-r26", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/postgres:11.9.0-debian-10-r26", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 140, + "Content": " imagePullPolicy: \"IfNotPresent\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: \u001b[38;5;37m\"IfNotPresent\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 141, + "Content": " securityContext:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33msecurityContext\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 142, + "Content": " runAsUser: 1001", + "IsCause": 
true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1001", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 143, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 144, + "Content": " - name: BITNAMI_DEBUG", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: BITNAMI_DEBUG", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 145, + "Content": " value: \"false\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: \u001b[38;5;37m\"false\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 146, + "Content": " - name: POSTGRESQL_PORT_NUMBER", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: POSTGRESQL_PORT_NUMBER", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 147, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV015", + "AVDID": "AVD-KSV-0015", + "Title": "CPU requests not specified", + "Description": "When containers have resource requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", + "Message": "Container 'init-chmod-data' of StatefulSet 'postgresql-postgresql' should set 'resources.requests.cpu'", + "Namespace": "builtin.kubernetes.KSV015", + "Query": "data.builtin.kubernetes.KSV015.deny", + "Resolution": "Set 'containers[].resources.requests.cpu'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv015", + "References": [ + 
"https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", + "https://avd.aquasec.com/misconfig/ksv015" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 111, + "EndLine": 132, + "Code": { + "Lines": [ + { + "Number": 111, + "Content": " - name: init-chmod-data", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: init-chmod-data", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 112, + "Content": " image: \"quay.io/devtron/minideb:latest\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/minideb:latest\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 113, + "Content": " imagePullPolicy: \"IfNotPresent\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: \u001b[38;5;37m\"IfNotPresent\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 114, + "Content": " command:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mcommand\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 115, + "Content": " - /bin/sh", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - /bin/sh", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 116, + "Content": " - -cx", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - -cx", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 117, + "Content": " - |", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - |", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 118, + "Content": "", + "IsCause": true, + "Annotation": 
"", + "Truncated": false, + "FirstCause": false, + "LastCause": false + }, + { + "Number": 119, + "Content": " mkdir -p /bitnami/postgresql/data", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " mkdir -p /bitnami/postgresql/data", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 120, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV015", + "AVDID": "AVD-KSV-0015", + "Title": "CPU requests not specified", + "Description": "When containers have resource requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", + "Message": "Container 'metrics' of StatefulSet 'postgresql-postgresql' should set 'resources.requests.cpu'", + "Namespace": "builtin.kubernetes.KSV015", + "Query": "data.builtin.kubernetes.KSV015.deny", + "Resolution": "Set 'containers[].resources.requests.cpu'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv015", + "References": [ + "https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", + "https://avd.aquasec.com/misconfig/ksv015" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 201, + "EndLine": 235, + "Code": { + "Lines": [ + { + "Number": 201, + "Content": " - name: metrics", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: metrics", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 202, + "Content": " image: quay.io/devtron/postgres_exporter:v0.4.7", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/postgres_exporter:v0.4.7", + "FirstCause": false, + 
"LastCause": false + }, + { + "Number": 203, + "Content": " imagePullPolicy: \"IfNotPresent\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: \u001b[38;5;37m\"IfNotPresent\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 204, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 205, + "Content": " - name: DATA_SOURCE_URI", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: DATA_SOURCE_URI", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 206, + "Content": " value: \"127.0.0.1:5432/orchestrator?sslmode=disable\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: \u001b[38;5;37m\"127.0.0.1:5432/orchestrator?sslmode=disable\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 207, + "Content": " - name: DATA_SOURCE_PASS", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: DATA_SOURCE_PASS", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 208, + "Content": " valueFrom:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalueFrom\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 209, + "Content": " secretKeyRef:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33msecretKeyRef\u001b[0m:", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 210, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV015", + "AVDID": 
"AVD-KSV-0015", + "Title": "CPU requests not specified", + "Description": "When containers have resource requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", + "Message": "Container 'postgresql-postgresql' of StatefulSet 'postgresql-postgresql' should set 'resources.requests.cpu'", + "Namespace": "builtin.kubernetes.KSV015", + "Query": "data.builtin.kubernetes.KSV015.deny", + "Resolution": "Set 'containers[].resources.requests.cpu'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv015", + "References": [ + "https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", + "https://avd.aquasec.com/misconfig/ksv015" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 138, + "EndLine": 199, + "Code": { + "Lines": [ + { + "Number": 138, + "Content": " - name: postgresql-postgresql", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-postgresql", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 139, + "Content": " image: quay.io/devtron/postgres:11.9.0-debian-10-r26", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/postgres:11.9.0-debian-10-r26", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 140, + "Content": " imagePullPolicy: \"IfNotPresent\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: \u001b[38;5;37m\"IfNotPresent\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 141, + "Content": " securityContext:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33msecurityContext\u001b[0m:", + "FirstCause": 
false, + "LastCause": false + }, + { + "Number": 142, + "Content": " runAsUser: 1001", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1001", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 143, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 144, + "Content": " - name: BITNAMI_DEBUG", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: BITNAMI_DEBUG", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 145, + "Content": " value: \"false\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: \u001b[38;5;37m\"false\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 146, + "Content": " - name: POSTGRESQL_PORT_NUMBER", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: POSTGRESQL_PORT_NUMBER", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 147, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV016", + "AVDID": "AVD-KSV-0016", + "Title": "Memory requests not specified", + "Description": "When containers have memory requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", + "Message": "Container 'init-chmod-data' of StatefulSet 'postgresql-postgresql' should set 'resources.requests.memory'", + "Namespace": "builtin.kubernetes.KSV016", + "Query": "data.builtin.kubernetes.KSV016.deny", + "Resolution": "Set 'containers[].resources.requests.memory'.", + 
"Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv016", + "References": [ + "https://kubesec.io/basics/containers-resources-limits-memory/", + "https://avd.aquasec.com/misconfig/ksv016" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 111, + "EndLine": 132, + "Code": { + "Lines": [ + { + "Number": 111, + "Content": " - name: init-chmod-data", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: init-chmod-data", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 112, + "Content": " image: \"quay.io/devtron/minideb:latest\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/minideb:latest\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 113, + "Content": " imagePullPolicy: \"IfNotPresent\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: \u001b[38;5;37m\"IfNotPresent\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 114, + "Content": " command:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mcommand\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 115, + "Content": " - /bin/sh", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - /bin/sh", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 116, + "Content": " - -cx", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - -cx", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 117, + "Content": " - |", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - |", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 118, + 
"Content": "", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "FirstCause": false, + "LastCause": false + }, + { + "Number": 119, + "Content": " mkdir -p /bitnami/postgresql/data", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " mkdir -p /bitnami/postgresql/data", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 120, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV016", + "AVDID": "AVD-KSV-0016", + "Title": "Memory requests not specified", + "Description": "When containers have memory requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", + "Message": "Container 'metrics' of StatefulSet 'postgresql-postgresql' should set 'resources.requests.memory'", + "Namespace": "builtin.kubernetes.KSV016", + "Query": "data.builtin.kubernetes.KSV016.deny", + "Resolution": "Set 'containers[].resources.requests.memory'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv016", + "References": [ + "https://kubesec.io/basics/containers-resources-limits-memory/", + "https://avd.aquasec.com/misconfig/ksv016" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 201, + "EndLine": 235, + "Code": { + "Lines": [ + { + "Number": 201, + "Content": " - name: metrics", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: metrics", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 202, + "Content": " image: quay.io/devtron/postgres_exporter:v0.4.7", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/postgres_exporter:v0.4.7", + "FirstCause": false, + 
"LastCause": false + }, + { + "Number": 203, + "Content": " imagePullPolicy: \"IfNotPresent\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: \u001b[38;5;37m\"IfNotPresent\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 204, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 205, + "Content": " - name: DATA_SOURCE_URI", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: DATA_SOURCE_URI", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 206, + "Content": " value: \"127.0.0.1:5432/orchestrator?sslmode=disable\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: \u001b[38;5;37m\"127.0.0.1:5432/orchestrator?sslmode=disable\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 207, + "Content": " - name: DATA_SOURCE_PASS", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: DATA_SOURCE_PASS", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 208, + "Content": " valueFrom:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalueFrom\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 209, + "Content": " secretKeyRef:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33msecretKeyRef\u001b[0m:", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 210, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV016", + "AVDID": 
"AVD-KSV-0016", + "Title": "Memory requests not specified", + "Description": "When containers have memory requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", + "Message": "Container 'postgresql-postgresql' of StatefulSet 'postgresql-postgresql' should set 'resources.requests.memory'", + "Namespace": "builtin.kubernetes.KSV016", + "Query": "data.builtin.kubernetes.KSV016.deny", + "Resolution": "Set 'containers[].resources.requests.memory'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv016", + "References": [ + "https://kubesec.io/basics/containers-resources-limits-memory/", + "https://avd.aquasec.com/misconfig/ksv016" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 138, + "EndLine": 199, + "Code": { + "Lines": [ + { + "Number": 138, + "Content": " - name: postgresql-postgresql", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-postgresql", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 139, + "Content": " image: quay.io/devtron/postgres:11.9.0-debian-10-r26", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/postgres:11.9.0-debian-10-r26", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 140, + "Content": " imagePullPolicy: \"IfNotPresent\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: \u001b[38;5;37m\"IfNotPresent\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 141, + "Content": " securityContext:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33msecurityContext\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 
142, + "Content": " runAsUser: 1001", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1001", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 143, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 144, + "Content": " - name: BITNAMI_DEBUG", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: BITNAMI_DEBUG", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 145, + "Content": " value: \"false\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: \u001b[38;5;37m\"false\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 146, + "Content": " - name: POSTGRESQL_PORT_NUMBER", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: POSTGRESQL_PORT_NUMBER", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 147, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV018", + "AVDID": "AVD-KSV-0018", + "Title": "Memory not limited", + "Description": "Enforcing memory limits prevents DoS via resource exhaustion.", + "Message": "Container 'init-chmod-data' of StatefulSet 'postgresql-postgresql' should set 'resources.limits.memory'", + "Namespace": "builtin.kubernetes.KSV018", + "Query": "data.builtin.kubernetes.KSV018.deny", + "Resolution": "Set a limit value under 'containers[].resources.limits.memory'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv018", + "References": [ + 
"https://kubesec.io/basics/containers-resources-limits-memory/", + "https://avd.aquasec.com/misconfig/ksv018" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 111, + "EndLine": 132, + "Code": { + "Lines": [ + { + "Number": 111, + "Content": " - name: init-chmod-data", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: init-chmod-data", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 112, + "Content": " image: \"quay.io/devtron/minideb:latest\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/minideb:latest\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 113, + "Content": " imagePullPolicy: \"IfNotPresent\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: \u001b[38;5;37m\"IfNotPresent\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 114, + "Content": " command:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mcommand\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 115, + "Content": " - /bin/sh", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - /bin/sh", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 116, + "Content": " - -cx", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - -cx", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 117, + "Content": " - |", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - |", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 118, + "Content": "", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "FirstCause": false, + 
"LastCause": false + }, + { + "Number": 119, + "Content": " mkdir -p /bitnami/postgresql/data", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " mkdir -p /bitnami/postgresql/data", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 120, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV018", + "AVDID": "AVD-KSV-0018", + "Title": "Memory not limited", + "Description": "Enforcing memory limits prevents DoS via resource exhaustion.", + "Message": "Container 'metrics' of StatefulSet 'postgresql-postgresql' should set 'resources.limits.memory'", + "Namespace": "builtin.kubernetes.KSV018", + "Query": "data.builtin.kubernetes.KSV018.deny", + "Resolution": "Set a limit value under 'containers[].resources.limits.memory'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv018", + "References": [ + "https://kubesec.io/basics/containers-resources-limits-memory/", + "https://avd.aquasec.com/misconfig/ksv018" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 201, + "EndLine": 235, + "Code": { + "Lines": [ + { + "Number": 201, + "Content": " - name: metrics", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: metrics", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 202, + "Content": " image: quay.io/devtron/postgres_exporter:v0.4.7", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/postgres_exporter:v0.4.7", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 203, + "Content": " imagePullPolicy: \"IfNotPresent\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " 
\u001b[38;5;33mimagePullPolicy\u001b[0m: \u001b[38;5;37m\"IfNotPresent\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 204, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 205, + "Content": " - name: DATA_SOURCE_URI", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: DATA_SOURCE_URI", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 206, + "Content": " value: \"127.0.0.1:5432/orchestrator?sslmode=disable\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: \u001b[38;5;37m\"127.0.0.1:5432/orchestrator?sslmode=disable\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 207, + "Content": " - name: DATA_SOURCE_PASS", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: DATA_SOURCE_PASS", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 208, + "Content": " valueFrom:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalueFrom\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 209, + "Content": " secretKeyRef:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33msecretKeyRef\u001b[0m:", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 210, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV018", + "AVDID": "AVD-KSV-0018", + "Title": "Memory not limited", + "Description": "Enforcing memory limits prevents DoS via resource exhaustion.", + "Message": "Container 'postgresql-postgresql' of 
StatefulSet 'postgresql-postgresql' should set 'resources.limits.memory'", + "Namespace": "builtin.kubernetes.KSV018", + "Query": "data.builtin.kubernetes.KSV018.deny", + "Resolution": "Set a limit value under 'containers[].resources.limits.memory'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv018", + "References": [ + "https://kubesec.io/basics/containers-resources-limits-memory/", + "https://avd.aquasec.com/misconfig/ksv018" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 138, + "EndLine": 199, + "Code": { + "Lines": [ + { + "Number": 138, + "Content": " - name: postgresql-postgresql", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-postgresql", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 139, + "Content": " image: quay.io/devtron/postgres:11.9.0-debian-10-r26", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/postgres:11.9.0-debian-10-r26", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 140, + "Content": " imagePullPolicy: \"IfNotPresent\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: \u001b[38;5;37m\"IfNotPresent\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 141, + "Content": " securityContext:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33msecurityContext\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 142, + "Content": " runAsUser: 1001", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1001", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 143, + "Content": " env:", + "IsCause": 
true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 144, + "Content": " - name: BITNAMI_DEBUG", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: BITNAMI_DEBUG", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 145, + "Content": " value: \"false\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: \u001b[38;5;37m\"false\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 146, + "Content": " - name: POSTGRESQL_PORT_NUMBER", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: POSTGRESQL_PORT_NUMBER", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 147, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV020", + "AVDID": "AVD-KSV-0020", + "Title": "Runs with UID \u003c= 10000", + "Description": "Force the container to run with user ID \u003e 10000 to avoid conflicts with the host’s user table.", + "Message": "Container 'init-chmod-data' of StatefulSet 'postgresql-postgresql' should set 'securityContext.runAsUser' \u003e 10000", + "Namespace": "builtin.kubernetes.KSV020", + "Query": "data.builtin.kubernetes.KSV020.deny", + "Resolution": "Set 'containers[].securityContext.runAsUser' to an integer \u003e 10000.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv020", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-runasuser/", + "https://avd.aquasec.com/misconfig/ksv020" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 111, + "EndLine": 132, + 
"Code": { + "Lines": [ + { + "Number": 111, + "Content": " - name: init-chmod-data", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: init-chmod-data", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 112, + "Content": " image: \"quay.io/devtron/minideb:latest\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/minideb:latest\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 113, + "Content": " imagePullPolicy: \"IfNotPresent\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: \u001b[38;5;37m\"IfNotPresent\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 114, + "Content": " command:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mcommand\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 115, + "Content": " - /bin/sh", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - /bin/sh", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 116, + "Content": " - -cx", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - -cx", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 117, + "Content": " - |", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - |", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 118, + "Content": "", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "FirstCause": false, + "LastCause": false + }, + { + "Number": 119, + "Content": " mkdir -p /bitnami/postgresql/data", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " mkdir -p /bitnami/postgresql/data", + "FirstCause": false, + "LastCause": true + }, + { + 
"Number": 120, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV020", + "AVDID": "AVD-KSV-0020", + "Title": "Runs with UID \u003c= 10000", + "Description": "Force the container to run with user ID \u003e 10000 to avoid conflicts with the host’s user table.", + "Message": "Container 'metrics' of StatefulSet 'postgresql-postgresql' should set 'securityContext.runAsUser' \u003e 10000", + "Namespace": "builtin.kubernetes.KSV020", + "Query": "data.builtin.kubernetes.KSV020.deny", + "Resolution": "Set 'containers[].securityContext.runAsUser' to an integer \u003e 10000.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv020", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-runasuser/", + "https://avd.aquasec.com/misconfig/ksv020" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 201, + "EndLine": 235, + "Code": { + "Lines": [ + { + "Number": 201, + "Content": " - name: metrics", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: metrics", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 202, + "Content": " image: quay.io/devtron/postgres_exporter:v0.4.7", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/postgres_exporter:v0.4.7", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 203, + "Content": " imagePullPolicy: \"IfNotPresent\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: \u001b[38;5;37m\"IfNotPresent\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 204, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": 
false, + "Highlighted": "\u001b[0m \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 205, + "Content": " - name: DATA_SOURCE_URI", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: DATA_SOURCE_URI", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 206, + "Content": " value: \"127.0.0.1:5432/orchestrator?sslmode=disable\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: \u001b[38;5;37m\"127.0.0.1:5432/orchestrator?sslmode=disable\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 207, + "Content": " - name: DATA_SOURCE_PASS", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: DATA_SOURCE_PASS", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 208, + "Content": " valueFrom:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalueFrom\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 209, + "Content": " secretKeyRef:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33msecretKeyRef\u001b[0m:", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 210, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV020", + "AVDID": "AVD-KSV-0020", + "Title": "Runs with UID \u003c= 10000", + "Description": "Force the container to run with user ID \u003e 10000 to avoid conflicts with the host’s user table.", + "Message": "Container 'postgresql-postgresql' of StatefulSet 'postgresql-postgresql' should set 'securityContext.runAsUser' \u003e 10000", + "Namespace": "builtin.kubernetes.KSV020", + "Query": 
"data.builtin.kubernetes.KSV020.deny", + "Resolution": "Set 'containers[].securityContext.runAsUser' to an integer \u003e 10000.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv020", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-runasuser/", + "https://avd.aquasec.com/misconfig/ksv020" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 138, + "EndLine": 199, + "Code": { + "Lines": [ + { + "Number": 138, + "Content": " - name: postgresql-postgresql", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-postgresql", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 139, + "Content": " image: quay.io/devtron/postgres:11.9.0-debian-10-r26", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/postgres:11.9.0-debian-10-r26", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 140, + "Content": " imagePullPolicy: \"IfNotPresent\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: \u001b[38;5;37m\"IfNotPresent\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 141, + "Content": " securityContext:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33msecurityContext\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 142, + "Content": " runAsUser: 1001", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1001", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 143, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33menv\u001b[0m:", + 
"FirstCause": false, + "LastCause": false + }, + { + "Number": 144, + "Content": " - name: BITNAMI_DEBUG", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: BITNAMI_DEBUG", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 145, + "Content": " value: \"false\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: \u001b[38;5;37m\"false\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 146, + "Content": " - name: POSTGRESQL_PORT_NUMBER", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: POSTGRESQL_PORT_NUMBER", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 147, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV021", + "AVDID": "AVD-KSV-0021", + "Title": "Runs with GID \u003c= 10000", + "Description": "Force the container to run with group ID \u003e 10000 to avoid conflicts with the host’s user table.", + "Message": "Container 'init-chmod-data' of StatefulSet 'postgresql-postgresql' should set 'securityContext.runAsGroup' \u003e 10000", + "Namespace": "builtin.kubernetes.KSV021", + "Query": "data.builtin.kubernetes.KSV021.deny", + "Resolution": "Set 'containers[].securityContext.runAsGroup' to an integer \u003e 10000.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv021", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-runasuser/", + "https://avd.aquasec.com/misconfig/ksv021" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 111, + "EndLine": 132, + "Code": { + "Lines": [ + { + "Number": 111, + "Content": " - name: init-chmod-data", + "IsCause": true, + 
"Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: init-chmod-data", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 112, + "Content": " image: \"quay.io/devtron/minideb:latest\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/minideb:latest\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 113, + "Content": " imagePullPolicy: \"IfNotPresent\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: \u001b[38;5;37m\"IfNotPresent\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 114, + "Content": " command:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mcommand\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 115, + "Content": " - /bin/sh", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - /bin/sh", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 116, + "Content": " - -cx", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - -cx", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 117, + "Content": " - |", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - |", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 118, + "Content": "", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "FirstCause": false, + "LastCause": false + }, + { + "Number": 119, + "Content": " mkdir -p /bitnami/postgresql/data", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " mkdir -p /bitnami/postgresql/data", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 120, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": 
false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV021", + "AVDID": "AVD-KSV-0021", + "Title": "Runs with GID \u003c= 10000", + "Description": "Force the container to run with group ID \u003e 10000 to avoid conflicts with the host’s user table.", + "Message": "Container 'metrics' of StatefulSet 'postgresql-postgresql' should set 'securityContext.runAsGroup' \u003e 10000", + "Namespace": "builtin.kubernetes.KSV021", + "Query": "data.builtin.kubernetes.KSV021.deny", + "Resolution": "Set 'containers[].securityContext.runAsGroup' to an integer \u003e 10000.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv021", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-runasuser/", + "https://avd.aquasec.com/misconfig/ksv021" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 201, + "EndLine": 235, + "Code": { + "Lines": [ + { + "Number": 201, + "Content": " - name: metrics", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: metrics", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 202, + "Content": " image: quay.io/devtron/postgres_exporter:v0.4.7", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/postgres_exporter:v0.4.7", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 203, + "Content": " imagePullPolicy: \"IfNotPresent\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: \u001b[38;5;37m\"IfNotPresent\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 204, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false 
+ }, + { + "Number": 205, + "Content": " - name: DATA_SOURCE_URI", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: DATA_SOURCE_URI", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 206, + "Content": " value: \"127.0.0.1:5432/orchestrator?sslmode=disable\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: \u001b[38;5;37m\"127.0.0.1:5432/orchestrator?sslmode=disable\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 207, + "Content": " - name: DATA_SOURCE_PASS", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: DATA_SOURCE_PASS", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 208, + "Content": " valueFrom:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalueFrom\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 209, + "Content": " secretKeyRef:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33msecretKeyRef\u001b[0m:", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 210, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV021", + "AVDID": "AVD-KSV-0021", + "Title": "Runs with GID \u003c= 10000", + "Description": "Force the container to run with group ID \u003e 10000 to avoid conflicts with the host’s user table.", + "Message": "Container 'postgresql-postgresql' of StatefulSet 'postgresql-postgresql' should set 'securityContext.runAsGroup' \u003e 10000", + "Namespace": "builtin.kubernetes.KSV021", + "Query": "data.builtin.kubernetes.KSV021.deny", + "Resolution": "Set 'containers[].securityContext.runAsGroup' to an integer \u003e 10000.", + 
"Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv021", + "References": [ + "https://kubesec.io/basics/containers-securitycontext-runasuser/", + "https://avd.aquasec.com/misconfig/ksv021" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 138, + "EndLine": 199, + "Code": { + "Lines": [ + { + "Number": 138, + "Content": " - name: postgresql-postgresql", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-postgresql", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 139, + "Content": " image: quay.io/devtron/postgres:11.9.0-debian-10-r26", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/postgres:11.9.0-debian-10-r26", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 140, + "Content": " imagePullPolicy: \"IfNotPresent\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: \u001b[38;5;37m\"IfNotPresent\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 141, + "Content": " securityContext:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33msecurityContext\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 142, + "Content": " runAsUser: 1001", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1001", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 143, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 144, + "Content": " - name: BITNAMI_DEBUG", + "IsCause": true, + "Annotation": 
"", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: BITNAMI_DEBUG", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 145, + "Content": " value: \"false\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: \u001b[38;5;37m\"false\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 146, + "Content": " - name: POSTGRESQL_PORT_NUMBER", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: POSTGRESQL_PORT_NUMBER", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 147, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV030", + "AVDID": "AVD-KSV-0030", + "Title": "Runtime/Default Seccomp profile not set", + "Description": "According to pod security standard 'Seccomp', the RuntimeDefault seccomp profile must be required, or allow specific additional profiles.", + "Message": "Either Pod or Container should set 'securityContext.seccompProfile.type' to 'RuntimeDefault'", + "Namespace": "builtin.kubernetes.KSV030", + "Query": "data.builtin.kubernetes.KSV030.deny", + "Resolution": "Set 'spec.securityContext.seccompProfile.type', 'spec.containers[*].securityContext.seccompProfile' and 'spec.initContainers[*].securityContext.seccompProfile' to 'RuntimeDefault' or undefined.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv030", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", + "https://avd.aquasec.com/misconfig/ksv030" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 201, + "EndLine": 235, + "Code": { + "Lines": [ + { + "Number": 201, + "Content": " - name: metrics", + "IsCause": 
true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: metrics", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 202, + "Content": " image: quay.io/devtron/postgres_exporter:v0.4.7", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/postgres_exporter:v0.4.7", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 203, + "Content": " imagePullPolicy: \"IfNotPresent\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: \u001b[38;5;37m\"IfNotPresent\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 204, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 205, + "Content": " - name: DATA_SOURCE_URI", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: DATA_SOURCE_URI", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 206, + "Content": " value: \"127.0.0.1:5432/orchestrator?sslmode=disable\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: \u001b[38;5;37m\"127.0.0.1:5432/orchestrator?sslmode=disable\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 207, + "Content": " - name: DATA_SOURCE_PASS", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: DATA_SOURCE_PASS", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 208, + "Content": " valueFrom:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalueFrom\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 209, + "Content": " 
secretKeyRef:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33msecretKeyRef\u001b[0m:", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 210, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV030", + "AVDID": "AVD-KSV-0030", + "Title": "Runtime/Default Seccomp profile not set", + "Description": "According to pod security standard 'Seccomp', the RuntimeDefault seccomp profile must be required, or allow specific additional profiles.", + "Message": "Either Pod or Container should set 'securityContext.seccompProfile.type' to 'RuntimeDefault'", + "Namespace": "builtin.kubernetes.KSV030", + "Query": "data.builtin.kubernetes.KSV030.deny", + "Resolution": "Set 'spec.securityContext.seccompProfile.type', 'spec.containers[*].securityContext.seccompProfile' and 'spec.initContainers[*].securityContext.seccompProfile' to 'RuntimeDefault' or undefined.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv030", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", + "https://avd.aquasec.com/misconfig/ksv030" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 138, + "EndLine": 199, + "Code": { + "Lines": [ + { + "Number": 138, + "Content": " - name: postgresql-postgresql", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-postgresql", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 139, + "Content": " image: quay.io/devtron/postgres:11.9.0-debian-10-r26", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/postgres:11.9.0-debian-10-r26", + "FirstCause": false, + 
"LastCause": false + }, + { + "Number": 140, + "Content": " imagePullPolicy: \"IfNotPresent\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: \u001b[38;5;37m\"IfNotPresent\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 141, + "Content": " securityContext:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33msecurityContext\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 142, + "Content": " runAsUser: 1001", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1001", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 143, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 144, + "Content": " - name: BITNAMI_DEBUG", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: BITNAMI_DEBUG", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 145, + "Content": " value: \"false\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: \u001b[38;5;37m\"false\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 146, + "Content": " - name: POSTGRESQL_PORT_NUMBER", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: POSTGRESQL_PORT_NUMBER", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 147, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV030", + "AVDID": "AVD-KSV-0030", + "Title": 
"Runtime/Default Seccomp profile not set", + "Description": "According to pod security standard 'Seccomp', the RuntimeDefault seccomp profile must be required, or allow specific additional profiles.", + "Message": "Either Pod or Container should set 'securityContext.seccompProfile.type' to 'RuntimeDefault'", + "Namespace": "builtin.kubernetes.KSV030", + "Query": "data.builtin.kubernetes.KSV030.deny", + "Resolution": "Set 'spec.securityContext.seccompProfile.type', 'spec.containers[*].securityContext.seccompProfile' and 'spec.initContainers[*].securityContext.seccompProfile' to 'RuntimeDefault' or undefined.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv030", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", + "https://avd.aquasec.com/misconfig/ksv030" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 111, + "EndLine": 132, + "Code": { + "Lines": [ + { + "Number": 111, + "Content": " - name: init-chmod-data", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: init-chmod-data", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 112, + "Content": " image: \"quay.io/devtron/minideb:latest\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/minideb:latest\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 113, + "Content": " imagePullPolicy: \"IfNotPresent\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: \u001b[38;5;37m\"IfNotPresent\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 114, + "Content": " command:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m 
\u001b[38;5;33mcommand\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 115, + "Content": " - /bin/sh", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - /bin/sh", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 116, + "Content": " - -cx", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - -cx", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 117, + "Content": " - |", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - |", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 118, + "Content": "", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "FirstCause": false, + "LastCause": false + }, + { + "Number": 119, + "Content": " mkdir -p /bitnami/postgresql/data", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " mkdir -p /bitnami/postgresql/data", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 120, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV104", + "AVDID": "AVD-KSV-0104", + "Title": "Seccomp policies disabled", + "Description": "A program inside the container can bypass Seccomp protection policies.", + "Message": "container \"init-chmod-data\" of statefulset \"postgresql-postgresql\" in \"default\" namespace should specify a seccomp profile", + "Namespace": "builtin.kubernetes.KSV104", + "Query": "data.builtin.kubernetes.KSV104.deny", + "Resolution": "Specify seccomp either by annotation or by seccomp profile type having allowed values as per pod security standards", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv104", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline", + 
"https://avd.aquasec.com/misconfig/ksv104" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 79, + "EndLine": 79, + "Code": { + "Lines": [ + { + "Number": 79, + "Content": "---", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "---", + "FirstCause": true, + "LastCause": true + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV104", + "AVDID": "AVD-KSV-0104", + "Title": "Seccomp policies disabled", + "Description": "A program inside the container can bypass Seccomp protection policies.", + "Message": "container \"metrics\" of statefulset \"postgresql-postgresql\" in \"default\" namespace should specify a seccomp profile", + "Namespace": "builtin.kubernetes.KSV104", + "Query": "data.builtin.kubernetes.KSV104.deny", + "Resolution": "Specify seccomp either by annotation or by seccomp profile type having allowed values as per pod security standards", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv104", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline", + "https://avd.aquasec.com/misconfig/ksv104" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 79, + "EndLine": 79, + "Code": { + "Lines": [ + { + "Number": 79, + "Content": "---", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "---", + "FirstCause": true, + "LastCause": true + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV104", + "AVDID": "AVD-KSV-0104", + "Title": "Seccomp policies disabled", + "Description": "A program inside the container can bypass Seccomp protection policies.", + "Message": "container \"postgresql-postgresql\" of statefulset \"postgresql-postgresql\" in \"default\" namespace should specify a seccomp profile", + "Namespace": "builtin.kubernetes.KSV104", + 
"Query": "data.builtin.kubernetes.KSV104.deny", + "Resolution": "Specify seccomp either by annotation or by seccomp profile type having allowed values as per pod security standards", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv104", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline", + "https://avd.aquasec.com/misconfig/ksv104" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 79, + "EndLine": 79, + "Code": { + "Lines": [ + { + "Number": 79, + "Content": "---", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "---", + "FirstCause": true, + "LastCause": true + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV105", + "AVDID": "AVD-KSV-0105", + "Title": "Containers must not set runAsUser to 0", + "Description": "Containers should be forbidden from running with a root UID.", + "Message": "securityContext.runAsUser should be set to a value greater than 0", + "Namespace": "builtin.kubernetes.KSV105", + "Query": "data.builtin.kubernetes.KSV105.deny", + "Resolution": "Set 'securityContext.runAsUser' to a non-zero integer or leave undefined.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv105", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", + "https://avd.aquasec.com/misconfig/ksv105" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 125, + "EndLine": 125, + "Code": { + "Lines": [ + { + "Number": 125, + "Content": " runAsUser: 0", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m0", + "FirstCause": true, + "LastCause": true + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV106", + "AVDID": 
"AVD-KSV-0106", + "Title": "Container capabilities must only include NET_BIND_SERVICE", + "Description": "Containers must drop ALL capabilities, and are only permitted to add back the NET_BIND_SERVICE capability.", + "Message": "container should drop all", + "Namespace": "builtin.kubernetes.KSV106", + "Query": "data.builtin.kubernetes.KSV106.deny", + "Resolution": "Set 'spec.containers[*].securityContext.capabilities.drop' to 'ALL' and only add 'NET_BIND_SERVICE' to 'spec.containers[*].securityContext.capabilities.add'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv106", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", + "https://avd.aquasec.com/misconfig/ksv106" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 111, + "EndLine": 132, + "Code": { + "Lines": [ + { + "Number": 111, + "Content": " - name: init-chmod-data", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: init-chmod-data", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 112, + "Content": " image: \"quay.io/devtron/minideb:latest\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/minideb:latest\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 113, + "Content": " imagePullPolicy: \"IfNotPresent\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: \u001b[38;5;37m\"IfNotPresent\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 114, + "Content": " command:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33mcommand\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 115, + 
"Content": " - /bin/sh", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - /bin/sh", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 116, + "Content": " - -cx", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - -cx", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 117, + "Content": " - |", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - |", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 118, + "Content": "", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "FirstCause": false, + "LastCause": false + }, + { + "Number": 119, + "Content": " mkdir -p /bitnami/postgresql/data", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " mkdir -p /bitnami/postgresql/data", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 120, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV106", + "AVDID": "AVD-KSV-0106", + "Title": "Container capabilities must only include NET_BIND_SERVICE", + "Description": "Containers must drop ALL capabilities, and are only permitted to add back the NET_BIND_SERVICE capability.", + "Message": "container should drop all", + "Namespace": "builtin.kubernetes.KSV106", + "Query": "data.builtin.kubernetes.KSV106.deny", + "Resolution": "Set 'spec.containers[*].securityContext.capabilities.drop' to 'ALL' and only add 'NET_BIND_SERVICE' to 'spec.containers[*].securityContext.capabilities.add'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv106", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", + "https://avd.aquasec.com/misconfig/ksv106" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + 
"Service": "general", + "StartLine": 138, + "EndLine": 199, + "Code": { + "Lines": [ + { + "Number": 138, + "Content": " - name: postgresql-postgresql", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-postgresql", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 139, + "Content": " image: quay.io/devtron/postgres:11.9.0-debian-10-r26", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/postgres:11.9.0-debian-10-r26", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 140, + "Content": " imagePullPolicy: \"IfNotPresent\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: \u001b[38;5;37m\"IfNotPresent\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 141, + "Content": " securityContext:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33msecurityContext\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 142, + "Content": " runAsUser: 1001", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1001", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 143, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 144, + "Content": " - name: BITNAMI_DEBUG", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: BITNAMI_DEBUG", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 145, + "Content": " value: \"false\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " 
\u001b[38;5;33mvalue\u001b[0m: \u001b[38;5;37m\"false\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 146, + "Content": " - name: POSTGRESQL_PORT_NUMBER", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: POSTGRESQL_PORT_NUMBER", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 147, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + }, + { + "Type": "Kubernetes Security Check", + "ID": "KSV106", + "AVDID": "AVD-KSV-0106", + "Title": "Container capabilities must only include NET_BIND_SERVICE", + "Description": "Containers must drop ALL capabilities, and are only permitted to add back the NET_BIND_SERVICE capability.", + "Message": "container should drop all", + "Namespace": "builtin.kubernetes.KSV106", + "Query": "data.builtin.kubernetes.KSV106.deny", + "Resolution": "Set 'spec.containers[*].securityContext.capabilities.drop' to 'ALL' and only add 'NET_BIND_SERVICE' to 'spec.containers[*].securityContext.capabilities.add'.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv106", + "References": [ + "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", + "https://avd.aquasec.com/misconfig/ksv106" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Kubernetes", + "Service": "general", + "StartLine": 201, + "EndLine": 235, + "Code": { + "Lines": [ + { + "Number": 201, + "Content": " - name: metrics", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: metrics", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 202, + "Content": " image: quay.io/devtron/postgres_exporter:v0.4.7", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimage\u001b[0m: 
quay.io/devtron/postgres_exporter:v0.4.7", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 203, + "Content": " imagePullPolicy: \"IfNotPresent\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: \u001b[38;5;37m\"IfNotPresent\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 204, + "Content": " env:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m \u001b[38;5;33menv\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 205, + "Content": " - name: DATA_SOURCE_URI", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " - \u001b[38;5;33mname\u001b[0m: DATA_SOURCE_URI", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 206, + "Content": " value: \"127.0.0.1:5432/orchestrator?sslmode=disable\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: \u001b[38;5;37m\"127.0.0.1:5432/orchestrator?sslmode=disable\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 207, + "Content": " - name: DATA_SOURCE_PASS", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: DATA_SOURCE_PASS", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 208, + "Content": " valueFrom:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33mvalueFrom\u001b[0m:", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 209, + "Content": " secretKeyRef:", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;33msecretKeyRef\u001b[0m:", + "FirstCause": false, + "LastCause": true + }, + { + "Number": 210, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": true, + "FirstCause": false, + "LastCause": false + } + ] + } + } + } + ] + }, + 
{ + "Target": "vendor/github.com/argoproj/argo-workflows/v3/Dockerfile", + "Class": "config", + "Type": "dockerfile", + "MisconfSummary": { + "Successes": 25, + "Failures": 4, + "Exceptions": 0 + }, + "Misconfigurations": [ + { + "Type": "Dockerfile Security Check", + "ID": "DS001", + "AVDID": "AVD-DS-0001", + "Title": "':latest' tag used", + "Description": "When using a 'FROM' statement you should use a specific tag to avoid uncontrolled behavior when the image is updated.", + "Message": "Specify a tag in the 'FROM' statement for image 'gcr.io/distroless/static'", + "Namespace": "builtin.dockerfile.DS001", + "Query": "data.builtin.dockerfile.DS001.deny", + "Resolution": "Add a tag to the image in the 'FROM' statement", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ds001", + "References": [ + "https://avd.aquasec.com/misconfig/ds001" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Dockerfile", + "Service": "general", + "StartLine": 95, + "EndLine": 95, + "Code": { + "Lines": [ + { + "Number": 95, + "Content": "FROM gcr.io/distroless/static as argoexec", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[38;5;64mFROM\u001b[0m\u001b[38;5;37m gcr.io/distroless/static as argoexec", + "FirstCause": true, + "LastCause": true + } + ] + } + } + }, + { + "Type": "Dockerfile Security Check", + "ID": "DS001", + "AVDID": "AVD-DS-0001", + "Title": "':latest' tag used", + "Description": "When using a 'FROM' statement you should use a specific tag to avoid uncontrolled behavior when the image is updated.", + "Message": "Specify a tag in the 'FROM' statement for image 'gcr.io/distroless/static'", + "Namespace": "builtin.dockerfile.DS001", + "Query": "data.builtin.dockerfile.DS001.deny", + "Resolution": "Add a tag to the image in the 'FROM' statement", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ds001", + "References": [ + 
"https://avd.aquasec.com/misconfig/ds001" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Dockerfile", + "Service": "general", + "StartLine": 108, + "EndLine": 108, + "Code": { + "Lines": [ + { + "Number": 108, + "Content": "FROM gcr.io/distroless/static as workflow-controller", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[38;5;64mFROM\u001b[0m\u001b[38;5;37m gcr.io/distroless/static as workflow-controller", + "FirstCause": true, + "LastCause": true + } + ] + } + } + }, + { + "Type": "Dockerfile Security Check", + "ID": "DS001", + "AVDID": "AVD-DS-0001", + "Title": "':latest' tag used", + "Description": "When using a 'FROM' statement you should use a specific tag to avoid uncontrolled behavior when the image is updated.", + "Message": "Specify a tag in the 'FROM' statement for image 'gcr.io/distroless/static'", + "Namespace": "builtin.dockerfile.DS001", + "Query": "data.builtin.dockerfile.DS001.deny", + "Resolution": "Add a tag to the image in the 'FROM' statement", + "Severity": "MEDIUM", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ds001", + "References": [ + "https://avd.aquasec.com/misconfig/ds001" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Dockerfile", + "Service": "general", + "StartLine": 120, + "EndLine": 120, + "Code": { + "Lines": [ + { + "Number": 120, + "Content": "FROM gcr.io/distroless/static as argocli", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[38;5;64mFROM\u001b[0m\u001b[38;5;37m gcr.io/distroless/static as argocli", + "FirstCause": true, + "LastCause": true + } + ] + } + } + }, + { + "Type": "Dockerfile Security Check", + "ID": "DS026", + "AVDID": "AVD-DS-0026", + "Title": "No HEALTHCHECK defined", + "Description": "You should add HEALTHCHECK instruction in your docker container images to perform the health check on running containers.", + "Message": "Add HEALTHCHECK instruction in your 
Dockerfile", + "Namespace": "builtin.dockerfile.DS026", + "Query": "data.builtin.dockerfile.DS026.deny", + "Resolution": "Add HEALTHCHECK instruction in Dockerfile", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ds026", + "References": [ + "https://blog.aquasec.com/docker-security-best-practices", + "https://avd.aquasec.com/misconfig/ds026" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Dockerfile", + "Service": "general", + "Code": { + "Lines": null + } + } + } + ] + }, + { + "Target": "vendor/github.com/argoproj/argo-workflows/v3/Dockerfile.windows", + "Class": "config", + "Type": "dockerfile", + "MisconfSummary": { + "Successes": 25, + "Failures": 2, + "Exceptions": 0 + }, + "Misconfigurations": [ + { + "Type": "Dockerfile Security Check", + "ID": "DS009", + "AVDID": "AVD-DS-0009", + "Title": "WORKDIR path not absolute", + "Description": "For clarity and reliability, you should always use absolute paths for your WORKDIR.", + "Message": "WORKDIR path 'C:/Users/ContainerAdministrator/go/src/github.com/argoproj/argo-workflows' should be absolute", + "Namespace": "builtin.dockerfile.DS009", + "Query": "data.builtin.dockerfile.DS009.deny", + "Resolution": "Use absolute paths for your WORKDIR", + "Severity": "HIGH", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ds009", + "References": [ + "https://docs.docker.com/develop/develop-images/dockerfile_best-practices/#workdir", + "https://avd.aquasec.com/misconfig/ds009" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Dockerfile", + "Service": "general", + "StartLine": 51, + "EndLine": 51, + "Code": { + "Lines": [ + { + "Number": 51, + "Content": "WORKDIR C:/Users/ContainerAdministrator/go/src/github.com/argoproj/argo-workflows", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "WORKDIR C:/Users/ContainerAdministrator/go/src/github.com/argoproj/argo-workflows", + "FirstCause": true, + "LastCause": true + } + 
] + } + } + }, + { + "Type": "Dockerfile Security Check", + "ID": "DS026", + "AVDID": "AVD-DS-0026", + "Title": "No HEALTHCHECK defined", + "Description": "You should add HEALTHCHECK instruction in your docker container images to perform the health check on running containers.", + "Message": "Add HEALTHCHECK instruction in your Dockerfile", + "Namespace": "builtin.dockerfile.DS026", + "Query": "data.builtin.dockerfile.DS026.deny", + "Resolution": "Add HEALTHCHECK instruction in Dockerfile", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ds026", + "References": [ + "https://blog.aquasec.com/docker-security-best-practices", + "https://avd.aquasec.com/misconfig/ds026" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Dockerfile", + "Service": "general", + "Code": { + "Lines": null + } + } + } + ] + }, + { + "Target": "vendor/github.com/pjbgf/sha1cd/Dockerfile.arm", + "Class": "config", + "Type": "dockerfile", + "MisconfSummary": { + "Successes": 25, + "Failures": 2, + "Exceptions": 0 + }, + "Misconfigurations": [ + { + "Type": "Dockerfile Security Check", + "ID": "DS002", + "AVDID": "AVD-DS-0002", + "Title": "Image user should not be 'root'", + "Description": "Running containers with 'root' user can lead to a container escape situation. 
It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.", + "Message": "Specify at least 1 USER command in Dockerfile with non-root user as argument", + "Namespace": "builtin.dockerfile.DS002", + "Query": "data.builtin.dockerfile.DS002.deny", + "Resolution": "Add 'USER \u003cnon root user name\u003e' line to the Dockerfile", + "Severity": "HIGH", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ds002", + "References": [ + "https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", + "https://avd.aquasec.com/misconfig/ds002" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Dockerfile", + "Service": "general", + "Code": { + "Lines": null + } + } + }, + { + "Type": "Dockerfile Security Check", + "ID": "DS026", + "AVDID": "AVD-DS-0026", + "Title": "No HEALTHCHECK defined", + "Description": "You should add HEALTHCHECK instruction in your docker container images to perform the health check on running containers.", + "Message": "Add HEALTHCHECK instruction in your Dockerfile", + "Namespace": "builtin.dockerfile.DS026", + "Query": "data.builtin.dockerfile.DS026.deny", + "Resolution": "Add HEALTHCHECK instruction in Dockerfile", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ds026", + "References": [ + "https://blog.aquasec.com/docker-security-best-practices", + "https://avd.aquasec.com/misconfig/ds026" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Dockerfile", + "Service": "general", + "Code": { + "Lines": null + } + } + } + ] + }, + { + "Target": "vendor/github.com/pjbgf/sha1cd/Dockerfile.arm64", + "Class": "config", + "Type": "dockerfile", + "MisconfSummary": { + "Successes": 25, + "Failures": 2, + "Exceptions": 0 + }, + "Misconfigurations": [ + { + "Type": "Dockerfile Security Check", + "ID": "DS002", + "AVDID": "AVD-DS-0002", + "Title": "Image user should not be 'root'", + "Description": "Running 
containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.", + "Message": "Specify at least 1 USER command in Dockerfile with non-root user as argument", + "Namespace": "builtin.dockerfile.DS002", + "Query": "data.builtin.dockerfile.DS002.deny", + "Resolution": "Add 'USER \u003cnon root user name\u003e' line to the Dockerfile", + "Severity": "HIGH", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ds002", + "References": [ + "https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", + "https://avd.aquasec.com/misconfig/ds002" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Dockerfile", + "Service": "general", + "Code": { + "Lines": null + } + } + }, + { + "Type": "Dockerfile Security Check", + "ID": "DS026", + "AVDID": "AVD-DS-0026", + "Title": "No HEALTHCHECK defined", + "Description": "You should add HEALTHCHECK instruction in your docker container images to perform the health check on running containers.", + "Message": "Add HEALTHCHECK instruction in your Dockerfile", + "Namespace": "builtin.dockerfile.DS026", + "Query": "data.builtin.dockerfile.DS026.deny", + "Resolution": "Add HEALTHCHECK instruction in Dockerfile", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/ds026", + "References": [ + "https://blog.aquasec.com/docker-security-best-practices", + "https://avd.aquasec.com/misconfig/ds026" + ], + "Status": "FAIL", + "Layer": {}, + "CauseMetadata": { + "Provider": "Dockerfile", + "Service": "general", + "Code": { + "Lines": null + } + } + } + ] + }, + { + "Target": "vendor/google.golang.org/api/iamcredentials/v1/iamcredentials-api.json", + "Class": "config", + "Type": "cloudformation", + "MisconfSummary": { + "Successes": 5, + "Failures": 0, + "Exceptions": 0 + } + }, + { + "Target": "localhost.key", + "Class": "secret", + "Secrets": [ + { + "RuleID": 
"private-key", + "Category": "AsymmetricPrivateKey", + "Severity": "HIGH", + "Title": "Asymmetric Private Key", + "StartLine": 1, + "EndLine": 1, + "Code": { + "Lines": [ + { + "Number": 1, + "Content": "-----BEGIN PRIVATE KEY-----*******************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************-----END PRIVATE KEY-----", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "-----BEGIN 
PRIVATE KEY-----*******************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************-----END PRIVATE KEY-----", + "FirstCause": true, + "LastCause": true + }, + { + "Number": 2, + "Content": "", + "IsCause": false, + "Annotation": "", + "Truncated": false, + "FirstCause": false, + "LastCause": false + } + ] + }, + "Match": "-----BEGIN PRIVATE 
KEY-----*******************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************-----END PRIVATE KEY", + "Layer": {} + } + ] + }, + { + "Target": "OS Packages", + "Class": "license" + }, + { + "Target": "vendor/go.opentelemetry.io/otel/requirements.txt", + "Class": "license" + }, + { + "Target": "go.mod", + "Class": "license" + }, + { + "Target": "Loose File License(s)", + "Class": "license-file", + "Licenses": [ + { 
+ "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "scripts/casbin/1_insert.up.sql", + "Name": "Apache-2.0", + "Confidence": 0.9285714285714286, + "Link": "https://spdx.org/licenses/Apache-2.0.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/google.golang.org/genproto/LICENSE", + "Name": "Apache-2.0", + "Confidence": 1, + "Link": "https://spdx.org/licenses/Apache-2.0.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/google.golang.org/genproto/googleapis/api/LICENSE", + "Name": "Apache-2.0", + "Confidence": 1, + "Link": "https://spdx.org/licenses/Apache-2.0.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/google.golang.org/genproto/googleapis/rpc/LICENSE", + "Name": "Apache-2.0", + "Confidence": 1, + "Link": "https://spdx.org/licenses/Apache-2.0.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/google.golang.org/protobuf/LICENSE", + "Name": "BSD-3-Clause", + "Confidence": 0.9812206572769953, + "Link": "https://spdx.org/licenses/BSD-3-Clause.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/google.golang.org/api/LICENSE", + "Name": "BSD-3-Clause", + "Confidence": 0.9812206572769953, + "Link": "https://spdx.org/licenses/BSD-3-Clause.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/google.golang.org/api/internal/third_party/uritemplates/LICENSE", + "Name": "BSD-3-Clause", + "Confidence": 0.9812206572769953, + "Link": "https://spdx.org/licenses/BSD-3-Clause.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/google.golang.org/grpc/NOTICE.txt", + "Name": "Apache-2.0", + "Confidence": 0.9285714285714286, + "Link": "https://spdx.org/licenses/Apache-2.0.html" + }, + { + "Severity": "LOW", + "Category": "notice", 
+ "PkgName": "", + "FilePath": "vendor/google.golang.org/grpc/regenerate.sh", + "Name": "Apache-2.0", + "Confidence": 0.9285714285714286, + "Link": "https://spdx.org/licenses/Apache-2.0.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/google.golang.org/grpc/LICENSE", + "Name": "Apache-2.0", + "Confidence": 1, + "Link": "https://spdx.org/licenses/Apache-2.0.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/google.golang.org/appengine/LICENSE", + "Name": "Apache-2.0", + "Confidence": 1, + "Link": "https://spdx.org/licenses/Apache-2.0.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/cloud.google.com/go/storage/LICENSE", + "Name": "Apache-2.0", + "Confidence": 1, + "Link": "https://spdx.org/licenses/Apache-2.0.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/cloud.google.com/go/storage/emulator_test.sh", + "Name": "Apache-2.0", + "Confidence": 0.9285714285714286, + "Link": "https://spdx.org/licenses/Apache-2.0.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/cloud.google.com/go/LICENSE", + "Name": "Apache-2.0", + "Confidence": 1, + "Link": "https://spdx.org/licenses/Apache-2.0.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/cloud.google.com/go/compute/LICENSE", + "Name": "Apache-2.0", + "Confidence": 1, + "Link": "https://spdx.org/licenses/Apache-2.0.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/cloud.google.com/go/compute/metadata/LICENSE", + "Name": "Apache-2.0", + "Confidence": 1, + "Link": "https://spdx.org/licenses/Apache-2.0.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/cloud.google.com/go/iam/LICENSE", + "Name": "Apache-2.0", + "Confidence": 1, + "Link": 
"https://spdx.org/licenses/Apache-2.0.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/cloud.google.com/go/internal/version/update_version.sh", + "Name": "Apache-2.0", + "Confidence": 0.9285714285714286, + "Link": "https://spdx.org/licenses/Apache-2.0.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/gopkg.in/yaml.v3/LICENSE", + "Name": "Apache-2.0", + "Confidence": 0.9285714285714286, + "Link": "https://spdx.org/licenses/Apache-2.0.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/gopkg.in/yaml.v3/LICENSE", + "Name": "MIT", + "Confidence": 1, + "Link": "https://spdx.org/licenses/MIT.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/gopkg.in/go-playground/validator.v9/LICENSE", + "Name": "MIT", + "Confidence": 1, + "Link": "https://spdx.org/licenses/MIT.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/gopkg.in/igm/sockjs-go.v3/LICENSE", + "Name": "BSD-3-Clause", + "Confidence": 0.9906976744186047, + "Link": "https://spdx.org/licenses/BSD-3-Clause.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/gopkg.in/inf.v0/LICENSE", + "Name": "BSD-3-Clause", + "Confidence": 0.9906976744186047, + "Link": "https://spdx.org/licenses/BSD-3-Clause.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/gopkg.in/jcmturner/aescts.v1/LICENSE", + "Name": "Apache-2.0", + "Confidence": 1, + "Link": "https://spdx.org/licenses/Apache-2.0.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/gopkg.in/jcmturner/dnsutils.v1/LICENSE", + "Name": "Apache-2.0", + "Confidence": 1, + "Link": "https://spdx.org/licenses/Apache-2.0.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": 
"vendor/gopkg.in/jcmturner/gokrb5.v5/LICENSE", + "Name": "Apache-2.0", + "Confidence": 1, + "Link": "https://spdx.org/licenses/Apache-2.0.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/gopkg.in/jcmturner/rpc.v0/LICENSE", + "Name": "Apache-2.0", + "Confidence": 1, + "Link": "https://spdx.org/licenses/Apache-2.0.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/gopkg.in/square/go-jose.v2/LICENSE", + "Name": "Apache-2.0", + "Confidence": 1, + "Link": "https://spdx.org/licenses/Apache-2.0.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/gopkg.in/square/go-jose.v2/json/LICENSE", + "Name": "BSD-3-Clause", + "Confidence": 0.9812206572769953, + "Link": "https://spdx.org/licenses/BSD-3-Clause.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/gopkg.in/warnings.v0/LICENSE", + "Name": "BSD-2-Clause", + "Confidence": 0.994535519125683, + "Link": "https://spdx.org/licenses/BSD-2-Clause.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/gopkg.in/yaml.v2/LICENSE", + "Name": "Apache-2.0", + "Confidence": 1, + "Link": "https://spdx.org/licenses/Apache-2.0.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/go.opencensus.io/LICENSE", + "Name": "Apache-2.0", + "Confidence": 1, + "Link": "https://spdx.org/licenses/Apache-2.0.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/go.starlark.net/LICENSE", + "Name": "BSD-3-Clause", + "Confidence": 1, + "Link": "https://spdx.org/licenses/BSD-3-Clause.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/xorm.io/builder/LICENSE", + "Name": "BSD-3-Clause", + "Confidence": 0.9953488372093023, + "Link": "https://spdx.org/licenses/BSD-3-Clause.html" + }, + { + 
"Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/xorm.io/core/LICENSE", + "Name": "BSD-3-Clause", + "Confidence": 0.9953488372093023, + "Link": "https://spdx.org/licenses/BSD-3-Clause.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/go.opentelemetry.io/otel/LICENSE", + "Name": "Apache-2.0", + "Confidence": 1, + "Link": "https://spdx.org/licenses/Apache-2.0.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/go.opentelemetry.io/otel/exporters/otlp/otlptrace/LICENSE", + "Name": "Apache-2.0", + "Confidence": 1, + "Link": "https://spdx.org/licenses/Apache-2.0.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc/LICENSE", + "Name": "Apache-2.0", + "Confidence": 1, + "Link": "https://spdx.org/licenses/Apache-2.0.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/go.opentelemetry.io/otel/metric/LICENSE", + "Name": "Apache-2.0", + "Confidence": 1, + "Link": "https://spdx.org/licenses/Apache-2.0.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/go.opentelemetry.io/otel/sdk/LICENSE", + "Name": "Apache-2.0", + "Confidence": 1, + "Link": "https://spdx.org/licenses/Apache-2.0.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/go.opentelemetry.io/otel/trace/LICENSE", + "Name": "Apache-2.0", + "Confidence": 1, + "Link": "https://spdx.org/licenses/Apache-2.0.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/go.opentelemetry.io/otel/get_main_pkgs.sh", + "Name": "Apache-2.0", + "Confidence": 0.9285714285714286, + "Link": "https://spdx.org/licenses/Apache-2.0.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": 
"vendor/go.opentelemetry.io/otel/verify_examples.sh", + "Name": "Apache-2.0", + "Confidence": 0.9285714285714286, + "Link": "https://spdx.org/licenses/Apache-2.0.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc/LICENSE", + "Name": "Apache-2.0", + "Confidence": 1, + "Link": "https://spdx.org/licenses/Apache-2.0.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp/LICENSE", + "Name": "Apache-2.0", + "Confidence": 1, + "Link": "https://spdx.org/licenses/Apache-2.0.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/go.opentelemetry.io/contrib/instrumentation/github.com/gorilla/mux/otelmux/LICENSE", + "Name": "Apache-2.0", + "Confidence": 1, + "Link": "https://spdx.org/licenses/Apache-2.0.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/go.opentelemetry.io/proto/otlp/LICENSE", + "Name": "Apache-2.0", + "Confidence": 1, + "Link": "https://spdx.org/licenses/Apache-2.0.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/k8s.io/cli-runtime/LICENSE", + "Name": "Apache-2.0", + "Confidence": 1, + "Link": "https://spdx.org/licenses/Apache-2.0.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/k8s.io/kube-openapi/LICENSE", + "Name": "Apache-2.0", + "Confidence": 1, + "Link": "https://spdx.org/licenses/Apache-2.0.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/k8s.io/kube-openapi/pkg/validation/spec/LICENSE", + "Name": "Apache-2.0", + "Confidence": 1, + "Link": "https://spdx.org/licenses/Apache-2.0.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": 
"vendor/k8s.io/kube-openapi/pkg/internal/third_party/go-json-experiment/json/LICENSE", + "Name": "BSD-3-Clause", + "Confidence": 0.9812206572769953, + "Link": "https://spdx.org/licenses/BSD-3-Clause.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/k8s.io/utils/internal/third_party/forked/golang/LICENSE", + "Name": "BSD-3-Clause", + "Confidence": 0.9812206572769953, + "Link": "https://spdx.org/licenses/BSD-3-Clause.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/k8s.io/utils/LICENSE", + "Name": "Apache-2.0", + "Confidence": 1, + "Link": "https://spdx.org/licenses/Apache-2.0.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/k8s.io/kubectl/pkg/util/i18n/translations/extract.py", + "Name": "Apache-2.0", + "Confidence": 0.9285714285714286, + "Link": "https://spdx.org/licenses/Apache-2.0.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/k8s.io/kubectl/LICENSE", + "Name": "Apache-2.0", + "Confidence": 1, + "Link": "https://spdx.org/licenses/Apache-2.0.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/k8s.io/api/LICENSE", + "Name": "Apache-2.0", + "Confidence": 1, + "Link": "https://spdx.org/licenses/Apache-2.0.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/k8s.io/apimachinery/LICENSE", + "Name": "Apache-2.0", + "Confidence": 1, + "Link": "https://spdx.org/licenses/Apache-2.0.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/k8s.io/apimachinery/third_party/forked/golang/LICENSE", + "Name": "BSD-3-Clause", + "Confidence": 0.9812206572769953, + "Link": "https://spdx.org/licenses/BSD-3-Clause.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/k8s.io/component-base/LICENSE", + "Name": 
"Apache-2.0", + "Confidence": 1, + "Link": "https://spdx.org/licenses/Apache-2.0.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/k8s.io/helm/LICENSE", + "Name": "Apache-2.0", + "Confidence": 0.9968152866242038, + "Link": "https://spdx.org/licenses/Apache-2.0.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/k8s.io/kube-aggregator/LICENSE", + "Name": "Apache-2.0", + "Confidence": 1, + "Link": "https://spdx.org/licenses/Apache-2.0.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/k8s.io/kubernetes/LICENSE", + "Name": "Apache-2.0", + "Confidence": 1, + "Link": "https://spdx.org/licenses/Apache-2.0.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/k8s.io/apiserver/LICENSE", + "Name": "Apache-2.0", + "Confidence": 1, + "Link": "https://spdx.org/licenses/Apache-2.0.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/k8s.io/component-helpers/LICENSE", + "Name": "Apache-2.0", + "Confidence": 1, + "Link": "https://spdx.org/licenses/Apache-2.0.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/k8s.io/klog/v2/LICENSE", + "Name": "Apache-2.0", + "Confidence": 0.9974522292993631, + "Link": "https://spdx.org/licenses/Apache-2.0.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/k8s.io/metrics/LICENSE", + "Name": "Apache-2.0", + "Confidence": 1, + "Link": "https://spdx.org/licenses/Apache-2.0.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/k8s.io/apiextensions-apiserver/LICENSE", + "Name": "Apache-2.0", + "Confidence": 1, + "Link": "https://spdx.org/licenses/Apache-2.0.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/k8s.io/client-go/LICENSE", + 
"Name": "Apache-2.0", + "Confidence": 1, + "Link": "https://spdx.org/licenses/Apache-2.0.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/k8s.io/client-go/third_party/forked/golang/LICENSE", + "Name": "BSD-3-Clause", + "Confidence": 0.9812206572769953, + "Link": "https://spdx.org/licenses/BSD-3-Clause.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/golang.org/x/term/LICENSE", + "Name": "BSD-3-Clause", + "Confidence": 0.9812206572769953, + "Link": "https://spdx.org/licenses/BSD-3-Clause.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/golang.org/x/text/LICENSE", + "Name": "BSD-3-Clause", + "Confidence": 0.9812206572769953, + "Link": "https://spdx.org/licenses/BSD-3-Clause.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/golang.org/x/time/LICENSE", + "Name": "BSD-3-Clause", + "Confidence": 0.9812206572769953, + "Link": "https://spdx.org/licenses/BSD-3-Clause.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/golang.org/x/crypto/LICENSE", + "Name": "BSD-3-Clause", + "Confidence": 0.9812206572769953, + "Link": "https://spdx.org/licenses/BSD-3-Clause.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/golang.org/x/mod/LICENSE", + "Name": "BSD-3-Clause", + "Confidence": 0.9812206572769953, + "Link": "https://spdx.org/licenses/BSD-3-Clause.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/golang.org/x/net/LICENSE", + "Name": "BSD-3-Clause", + "Confidence": 0.9812206572769953, + "Link": "https://spdx.org/licenses/BSD-3-Clause.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/golang.org/x/oauth2/LICENSE", + "Name": "BSD-3-Clause", + "Confidence": 0.9812206572769953, + "Link": 
"https://spdx.org/licenses/BSD-3-Clause.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/golang.org/x/xerrors/LICENSE", + "Name": "BSD-3-Clause", + "Confidence": 0.9812206572769953, + "Link": "https://spdx.org/licenses/BSD-3-Clause.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/golang.org/x/exp/LICENSE", + "Name": "BSD-3-Clause", + "Confidence": 0.9812206572769953, + "Link": "https://spdx.org/licenses/BSD-3-Clause.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/golang.org/x/sync/LICENSE", + "Name": "BSD-3-Clause", + "Confidence": 0.9812206572769953, + "Link": "https://spdx.org/licenses/BSD-3-Clause.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/golang.org/x/sys/LICENSE", + "Name": "BSD-3-Clause", + "Confidence": 0.9812206572769953, + "Link": "https://spdx.org/licenses/BSD-3-Clause.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/golang.org/x/tools/LICENSE", + "Name": "BSD-3-Clause", + "Confidence": 0.9812206572769953, + "Link": "https://spdx.org/licenses/BSD-3-Clause.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/mellium.im/sasl/LICENSE", + "Name": "BSD-2-Clause", + "Confidence": 1, + "Link": "https://spdx.org/licenses/BSD-2-Clause.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/oras.land/oras-go/v2/LICENSE", + "Name": "Apache-2.0", + "Confidence": 0.9961783439490446, + "Link": "https://spdx.org/licenses/Apache-2.0.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/sigs.k8s.io/kustomize/kyaml/internal/forked/github.com/go-yaml/yaml/LICENSE", + "Name": "Apache-2.0", + "Confidence": 0.9285714285714286, + "Link": "https://spdx.org/licenses/Apache-2.0.html" + }, + { + 
"Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/sigs.k8s.io/kustomize/kyaml/internal/forked/github.com/go-yaml/yaml/LICENSE", + "Name": "MIT", + "Confidence": 1, + "Link": "https://spdx.org/licenses/MIT.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/sigs.k8s.io/kustomize/kyaml/internal/forked/github.com/qri-io/starlib/util/LICENSE", + "Name": "MIT", + "Confidence": 1, + "Link": "https://spdx.org/licenses/MIT.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/sigs.k8s.io/kustomize/kyaml/LICENSE", + "Name": "Apache-2.0", + "Confidence": 1, + "Link": "https://spdx.org/licenses/Apache-2.0.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/sigs.k8s.io/kustomize/api/LICENSE", + "Name": "Apache-2.0", + "Confidence": 1, + "Link": "https://spdx.org/licenses/Apache-2.0.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/sigs.k8s.io/json/LICENSE", + "Name": "Apache-2.0", + "Confidence": 1, + "Link": "https://spdx.org/licenses/Apache-2.0.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/sigs.k8s.io/json/LICENSE", + "Name": "BSD-3-Clause", + "Confidence": 0.9812206572769953, + "Link": "https://spdx.org/licenses/BSD-3-Clause.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/sigs.k8s.io/structured-merge-diff/v4/LICENSE", + "Name": "Apache-2.0", + "Confidence": 1, + "Link": "https://spdx.org/licenses/Apache-2.0.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/sigs.k8s.io/yaml/LICENSE", + "Name": "BSD-3-Clause", + "Confidence": 0.9812206572769953, + "Link": "https://spdx.org/licenses/BSD-3-Clause.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": 
"vendor/sigs.k8s.io/yaml/LICENSE", + "Name": "MIT", + "Confidence": 1, + "Link": "https://spdx.org/licenses/MIT.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/dario.cat/mergo/LICENSE", + "Name": "BSD-3-Clause", + "Confidence": 0.9812206572769953, + "Link": "https://spdx.org/licenses/BSD-3-Clause.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/go.uber.org/atomic/LICENSE.txt", + "Name": "MIT", + "Confidence": 1, + "Link": "https://spdx.org/licenses/MIT.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/go.uber.org/multierr/LICENSE.txt", + "Name": "MIT", + "Confidence": 1, + "Link": "https://spdx.org/licenses/MIT.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/go.uber.org/zap/LICENSE.txt", + "Name": "MIT", + "Confidence": 1, + "Link": "https://spdx.org/licenses/MIT.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/upper.io/db.v3/internal/cache/hashstructure/LICENSE", + "Name": "MIT", + "Confidence": 1, + "Link": "https://spdx.org/licenses/MIT.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/upper.io/db.v3/lib/reflectx/LICENSE", + "Name": "MIT", + "Confidence": 1, + "Link": "https://spdx.org/licenses/MIT.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/upper.io/db.v3/LICENSE", + "Name": "MIT", + "Confidence": 1, + "Link": "https://spdx.org/licenses/MIT.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/github.com/posthog/posthog-go/LICENSE.md", + "Name": "MIT", + "Confidence": 1, + "Link": "https://spdx.org/licenses/MIT.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/github.com/satori/go.uuid/LICENSE", + "Name": "MIT", + 
"Confidence": 1, + "Link": "https://spdx.org/licenses/MIT.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/github.com/cenkalti/backoff/v4/LICENSE", + "Name": "MIT", + "Confidence": 1, + "Link": "https://spdx.org/licenses/MIT.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/github.com/fatih/camelcase/LICENSE.md", + "Name": "MIT", + "Confidence": 1, + "Link": "https://spdx.org/licenses/MIT.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/github.com/xanzy/go-gitlab/LICENSE", + "Name": "Apache-2.0", + "Confidence": 1, + "Link": "https://spdx.org/licenses/Apache-2.0.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/github.com/xanzy/ssh-agent/LICENSE", + "Name": "Apache-2.0", + "Confidence": 1, + "Link": "https://spdx.org/licenses/Apache-2.0.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/github.com/caarlos0/env/LICENSE.md", + "Name": "MIT", + "Confidence": 1, + "Link": "https://spdx.org/licenses/MIT.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/github.com/caarlos0/env/v6/LICENSE.md", + "Name": "MIT", + "Confidence": 1, + "Link": "https://spdx.org/licenses/MIT.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/github.com/gregjones/httpcache/LICENSE.txt", + "Name": "MIT", + "Confidence": 1, + "Link": "https://spdx.org/licenses/MIT.html" + }, + { + "Severity": "HIGH", + "Category": "restricted", + "PkgName": "", + "FilePath": "vendor/github.com/juju/errors/LICENSE", + "Name": "LGPL-3.0", + "Confidence": 1, + "Link": "https://spdx.org/licenses/LGPL-3.0.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/github.com/monochromegane/go-gitignore/LICENSE", + "Name": "MIT", + "Confidence": 
1, + "Link": "https://spdx.org/licenses/MIT.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/github.com/vmihailenco/go-tinylfu/LICENSE", + "Name": "MIT", + "Confidence": 1, + "Link": "https://spdx.org/licenses/MIT.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/github.com/vmihailenco/msgpack/v5/LICENSE", + "Name": "BSD-2-Clause", + "Confidence": 0.994535519125683, + "Link": "https://spdx.org/licenses/BSD-2-Clause.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/github.com/vmihailenco/tagparser/v2/LICENSE", + "Name": "BSD-2-Clause", + "Confidence": 0.994535519125683, + "Link": "https://spdx.org/licenses/BSD-2-Clause.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/github.com/bombsimon/logrusr/v2/LICENCE", + "Name": "MIT", + "Confidence": 1, + "Link": "https://spdx.org/licenses/MIT.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/github.com/exponent-io/jsonpath/LICENSE", + "Name": "MIT", + "Confidence": 1, + "Link": "https://spdx.org/licenses/MIT.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/github.com/matttproud/golang_protobuf_extensions/LICENSE", + "Name": "Apache-2.0", + "Confidence": 1, + "Link": "https://spdx.org/licenses/Apache-2.0.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/github.com/apparentlymart/go-textseg/LICENSE", + "Name": "Apache-2.0", + "Confidence": 0.9285714285714286, + "Link": "https://spdx.org/licenses/Apache-2.0.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/github.com/apparentlymart/go-textseg/LICENSE", + "Name": "MIT", + "Confidence": 1, + "Link": "https://spdx.org/licenses/MIT.html" + }, + { + "Severity": "LOW", + "Category": "notice", + 
"PkgName": "", + "FilePath": "vendor/github.com/apparentlymart/go-textseg/LICENSE", + "Name": "Unicode-DFS-2016", + "Confidence": 0.9498680738786279, + "Link": "https://spdx.org/licenses/Unicode-DFS-2016.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/github.com/apparentlymart/go-textseg/v13/LICENSE", + "Name": "Apache-2.0", + "Confidence": 0.9285714285714286, + "Link": "https://spdx.org/licenses/Apache-2.0.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/github.com/apparentlymart/go-textseg/v13/LICENSE", + "Name": "MIT", + "Confidence": 1, + "Link": "https://spdx.org/licenses/MIT.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/github.com/apparentlymart/go-textseg/v13/LICENSE", + "Name": "Unicode-DFS-2016", + "Confidence": 0.9498680738786279, + "Link": "https://spdx.org/licenses/Unicode-DFS-2016.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/github.com/jcmturner/gofork/LICENSE", + "Name": "BSD-3-Clause", + "Confidence": 0.9812206572769953, + "Link": "https://spdx.org/licenses/BSD-3-Clause.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/github.com/cespare/xxhash/v2/LICENSE.txt", + "Name": "MIT", + "Confidence": 1, + "Link": "https://spdx.org/licenses/MIT.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/github.com/lib/pq/LICENSE.md", + "Name": "MIT", + "Confidence": 1, + "Link": "https://spdx.org/licenses/MIT.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/github.com/munnerz/goautoneg/LICENSE", + "Name": "BSD-3-Clause", + "Confidence": 0.9767441860465116, + "Link": "https://spdx.org/licenses/BSD-3-Clause.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": 
"vendor/github.com/munnerz/goautoneg/README.txt", + "Name": "BSD-3-Clause", + "Confidence": 0.9767441860465116, + "Link": "https://spdx.org/licenses/BSD-3-Clause.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/github.com/jmespath/go-jmespath/LICENSE", + "Name": "Apache-2.0", + "Confidence": 0.9285714285714286, + "Link": "https://spdx.org/licenses/Apache-2.0.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/github.com/Masterminds/goutils/LICENSE.txt", + "Name": "Apache-2.0", + "Confidence": 1, + "Link": "https://spdx.org/licenses/Apache-2.0.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/github.com/Masterminds/semver/LICENSE.txt", + "Name": "MIT", + "Confidence": 1, + "Link": "https://spdx.org/licenses/MIT.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/github.com/Masterminds/semver/v3/LICENSE.txt", + "Name": "MIT", + "Confidence": 1, + "Link": "https://spdx.org/licenses/MIT.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/github.com/Masterminds/sprig/v3/LICENSE.txt", + "Name": "MIT", + "Confidence": 1, + "Link": "https://spdx.org/licenses/MIT.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/github.com/pquerna/cachecontrol/LICENSE", + "Name": "Apache-2.0", + "Confidence": 1, + "Link": "https://spdx.org/licenses/Apache-2.0.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/github.com/sergi/go-diff/LICENSE", + "Name": "MIT", + "Confidence": 1, + "Link": "https://spdx.org/licenses/MIT.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/github.com/spf13/cast/LICENSE", + "Name": "MIT", + "Confidence": 1, + "Link": "https://spdx.org/licenses/MIT.html" + }, + { + "Severity": "LOW", + 
"Category": "notice", + "PkgName": "", + "FilePath": "vendor/github.com/spf13/cobra/LICENSE.txt", + "Name": "Apache-2.0", + "Confidence": 0.9964362081254454, + "Link": "https://spdx.org/licenses/Apache-2.0.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/github.com/spf13/pflag/LICENSE", + "Name": "BSD-3-Clause", + "Confidence": 0.9812206572769953, + "Link": "https://spdx.org/licenses/BSD-3-Clause.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/github.com/chai2010/gettext-go/LICENSE", + "Name": "BSD-3-Clause", + "Confidence": 0.9812206572769953, + "Link": "https://spdx.org/licenses/BSD-3-Clause.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/github.com/leodido/go-urn/LICENSE", + "Name": "MIT", + "Confidence": 1, + "Link": "https://spdx.org/licenses/MIT.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/github.com/go-playground/locales/LICENSE", + "Name": "MIT", + "Confidence": 1, + "Link": "https://spdx.org/licenses/MIT.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/github.com/go-playground/universal-translator/LICENSE", + "Name": "MIT", + "Confidence": 1, + "Link": "https://spdx.org/licenses/MIT.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/github.com/cyphar/filepath-securejoin/LICENSE", + "Name": "BSD-3-Clause", + "Confidence": 0.9812206572769953, + "Link": "https://spdx.org/licenses/BSD-3-Clause.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/github.com/go-openapi/swag/LICENSE", + "Name": "Apache-2.0", + "Confidence": 1, + "Link": "https://spdx.org/licenses/Apache-2.0.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/github.com/go-openapi/jsonpointer/LICENSE", + 
"Name": "Apache-2.0", + "Confidence": 1, + "Link": "https://spdx.org/licenses/Apache-2.0.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/github.com/go-openapi/jsonreference/LICENSE", + "Name": "Apache-2.0", + "Confidence": 1, + "Link": "https://spdx.org/licenses/Apache-2.0.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/github.com/emirpasic/gods/LICENSE", + "Name": "BSD-2-Clause", + "Confidence": 1, + "Link": "https://spdx.org/licenses/BSD-2-Clause.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/github.com/emirpasic/gods/LICENSE", + "Name": "ISC", + "Confidence": 0.9568965517241379, + "Link": "https://spdx.org/licenses/ISC.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/github.com/klauspost/compress/LICENSE", + "Name": "Apache-2.0", + "Confidence": 0.9961783439490446, + "Link": "https://spdx.org/licenses/Apache-2.0.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/github.com/klauspost/compress/LICENSE", + "Name": "BSD-3-Clause", + "Confidence": 0.9812206572769953, + "Link": "https://spdx.org/licenses/BSD-3-Clause.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/github.com/klauspost/compress/LICENSE", + "Name": "MIT", + "Confidence": 1, + "Link": "https://spdx.org/licenses/MIT.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/github.com/klauspost/compress/s2/LICENSE", + "Name": "BSD-3-Clause", + "Confidence": 0.9812206572769953, + "Link": "https://spdx.org/licenses/BSD-3-Clause.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/github.com/klauspost/pgzip/LICENSE", + "Name": "MIT", + "Confidence": 1, + "Link": "https://spdx.org/licenses/MIT.html" + }, + { + "Severity": 
"LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/github.com/redis/go-redis/v9/LICENSE", + "Name": "BSD-2-Clause", + "Confidence": 0.994535519125683, + "Link": "https://spdx.org/licenses/BSD-2-Clause.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/github.com/xtgo/uuid/LICENSE", + "Name": "BSD-3-Clause", + "Confidence": 0.9812206572769953, + "Link": "https://spdx.org/licenses/BSD-3-Clause.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/github.com/bradleyfalzon/ghinstallation/v2/LICENSE", + "Name": "Apache-2.0", + "Confidence": 1, + "Link": "https://spdx.org/licenses/Apache-2.0.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/github.com/emicklei/go-restful/v3/LICENSE", + "Name": "MIT", + "Confidence": 1, + "Link": "https://spdx.org/licenses/MIT.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/github.com/huandu/xstrings/LICENSE", + "Name": "MIT", + "Confidence": 1, + "Link": "https://spdx.org/licenses/MIT.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/github.com/russross/blackfriday/v2/LICENSE.txt", + "Name": "BSD-2-Clause", + "Confidence": 1, + "Link": "https://spdx.org/licenses/BSD-2-Clause.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/github.com/go-resty/resty/v2/LICENSE", + "Name": "MIT", + "Confidence": 1, + "Link": "https://spdx.org/licenses/MIT.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/github.com/patrickmn/go-cache/LICENSE", + "Name": "MIT", + "Confidence": 1, + "Link": "https://spdx.org/licenses/MIT.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/github.com/prometheus/client_golang/LICENSE", + "Name": "Apache-2.0", + "Confidence": 1, 
+ "Link": "https://spdx.org/licenses/Apache-2.0.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/github.com/prometheus/client_model/LICENSE", + "Name": "Apache-2.0", + "Confidence": 1, + "Link": "https://spdx.org/licenses/Apache-2.0.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/github.com/prometheus/common/internal/bitbucket.org/ww/goautoneg/README.txt", + "Name": "BSD-3-Clause", + "Confidence": 0.9767441860465116, + "Link": "https://spdx.org/licenses/BSD-3-Clause.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/github.com/prometheus/common/LICENSE", + "Name": "Apache-2.0", + "Confidence": 1, + "Link": "https://spdx.org/licenses/Apache-2.0.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/github.com/prometheus/procfs/LICENSE", + "Name": "Apache-2.0", + "Confidence": 1, + "Link": "https://spdx.org/licenses/Apache-2.0.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/github.com/Pallinder/go-randomdata/LICENSE", + "Name": "MIT", + "Confidence": 1, + "Link": "https://spdx.org/licenses/MIT.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/github.com/ghodss/yaml/LICENSE", + "Name": "BSD-3-Clause", + "Confidence": 0.9812206572769953, + "Link": "https://spdx.org/licenses/BSD-3-Clause.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/github.com/ghodss/yaml/LICENSE", + "Name": "MIT", + "Confidence": 1, + "Link": "https://spdx.org/licenses/MIT.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/github.com/gogo/protobuf/LICENSE", + "Name": "BSD-3-Clause", + "Confidence": 0.9812206572769953, + "Link": "https://spdx.org/licenses/BSD-3-Clause.html" + }, + { + "Severity": "MEDIUM", + 
"Category": "reciprocal", + "PkgName": "", + "FilePath": "vendor/github.com/hashicorp/go-uuid/LICENSE", + "Name": "MPL-2.0", + "Confidence": 0.9947826086956522, + "Link": "https://spdx.org/licenses/MPL-2.0.html" + }, + { + "Severity": "MEDIUM", + "Category": "reciprocal", + "PkgName": "", + "FilePath": "vendor/github.com/hashicorp/hcl2/LICENSE", + "Name": "MPL-2.0", + "Confidence": 0.9947826086956522, + "Link": "https://spdx.org/licenses/MPL-2.0.html" + }, + { + "Severity": "MEDIUM", + "Category": "reciprocal", + "PkgName": "", + "FilePath": "vendor/github.com/hashicorp/errwrap/LICENSE", + "Name": "MPL-2.0", + "Confidence": 0.9947826086956522, + "Link": "https://spdx.org/licenses/MPL-2.0.html" + }, + { + "Severity": "MEDIUM", + "Category": "reciprocal", + "PkgName": "", + "FilePath": "vendor/github.com/hashicorp/go-cleanhttp/LICENSE", + "Name": "MPL-2.0", + "Confidence": 0.9947826086956522, + "Link": "https://spdx.org/licenses/MPL-2.0.html" + }, + { + "Severity": "MEDIUM", + "Category": "reciprocal", + "PkgName": "", + "FilePath": "vendor/github.com/hashicorp/go-multierror/LICENSE", + "Name": "MPL-2.0", + "Confidence": 0.9947826086956522, + "Link": "https://spdx.org/licenses/MPL-2.0.html" + }, + { + "Severity": "MEDIUM", + "Category": "reciprocal", + "PkgName": "", + "FilePath": "vendor/github.com/hashicorp/go-retryablehttp/LICENSE", + "Name": "MPL-2.0", + "Confidence": 0.9947826086956522, + "Link": "https://spdx.org/licenses/MPL-2.0.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/github.com/imdario/mergo/LICENSE", + "Name": "BSD-3-Clause", + "Confidence": 0.9812206572769953, + "Link": "https://spdx.org/licenses/BSD-3-Clause.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/github.com/jonboulle/clockwork/LICENSE", + "Name": "Apache-2.0", + "Confidence": 1, + "Link": "https://spdx.org/licenses/Apache-2.0.html" + }, + { + "Severity": "LOW", + "Category": "notice", + 
"PkgName": "", + "FilePath": "vendor/github.com/json-iterator/go/LICENSE", + "Name": "MIT", + "Confidence": 1, + "Link": "https://spdx.org/licenses/MIT.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/github.com/stretchr/objx/LICENSE", + "Name": "MIT", + "Confidence": 1, + "Link": "https://spdx.org/licenses/MIT.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/github.com/stretchr/testify/LICENSE", + "Name": "MIT", + "Confidence": 1, + "Link": "https://spdx.org/licenses/MIT.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/github.com/dgryski/go-rendezvous/LICENSE", + "Name": "MIT", + "Confidence": 1, + "Link": "https://spdx.org/licenses/MIT.html" + }, + { + "Severity": "MEDIUM", + "Category": "reciprocal", + "PkgName": "", + "FilePath": "vendor/github.com/go-sql-driver/mysql/LICENSE", + "Name": "MPL-2.0", + "Confidence": 1, + "Link": "https://spdx.org/licenses/MPL-2.0.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/github.com/valyala/bytebufferpool/LICENSE", + "Name": "MIT", + "Confidence": 1, + "Link": "https://spdx.org/licenses/MIT.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/github.com/valyala/fasttemplate/LICENSE", + "Name": "MIT", + "Confidence": 1, + "Link": "https://spdx.org/licenses/MIT.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/github.com/moby/term/LICENSE", + "Name": "Apache-2.0", + "Confidence": 1, + "Link": "https://spdx.org/licenses/Apache-2.0.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/github.com/moby/spdystream/LICENSE", + "Name": "Apache-2.0", + "Confidence": 1, + "Link": "https://spdx.org/licenses/Apache-2.0.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + 
"FilePath": "vendor/github.com/xeipuuv/gojsonschema/LICENSE-APACHE-2.0.txt", + "Name": "Apache-2.0", + "Confidence": 0.9961783439490446, + "Link": "https://spdx.org/licenses/Apache-2.0.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/github.com/xeipuuv/gojsonpointer/LICENSE-APACHE-2.0.txt", + "Name": "Apache-2.0", + "Confidence": 0.9961783439490446, + "Link": "https://spdx.org/licenses/Apache-2.0.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/github.com/xeipuuv/gojsonreference/LICENSE-APACHE-2.0.txt", + "Name": "Apache-2.0", + "Confidence": 0.9961783439490446, + "Link": "https://spdx.org/licenses/Apache-2.0.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/github.com/golang/groupcache/LICENSE", + "Name": "Apache-2.0", + "Confidence": 0.9974522292993631, + "Link": "https://spdx.org/licenses/Apache-2.0.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/github.com/golang/mock/LICENSE", + "Name": "Apache-2.0", + "Confidence": 1, + "Link": "https://spdx.org/licenses/Apache-2.0.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/github.com/golang/protobuf/LICENSE", + "Name": "BSD-3-Clause", + "Confidence": 0.9812206572769953, + "Link": "https://spdx.org/licenses/BSD-3-Clause.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/github.com/mitchellh/copystructure/LICENSE", + "Name": "MIT", + "Confidence": 1, + "Link": "https://spdx.org/licenses/MIT.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/github.com/mitchellh/go-wordwrap/LICENSE.md", + "Name": "MIT", + "Confidence": 1, + "Link": "https://spdx.org/licenses/MIT.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": 
"vendor/github.com/mitchellh/mapstructure/LICENSE", + "Name": "MIT", + "Confidence": 1, + "Link": "https://spdx.org/licenses/MIT.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/github.com/mitchellh/reflectwalk/LICENSE", + "Name": "MIT", + "Confidence": 1, + "Link": "https://spdx.org/licenses/MIT.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/github.com/golang-jwt/jwt/v4/LICENSE", + "Name": "MIT", + "Confidence": 1, + "Link": "https://spdx.org/licenses/MIT.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/github.com/pkg/errors/LICENSE", + "Name": "BSD-2-Clause", + "Confidence": 1, + "Link": "https://spdx.org/licenses/BSD-2-Clause.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/github.com/zclconf/go-cty/LICENSE", + "Name": "MIT", + "Confidence": 1, + "Link": "https://spdx.org/licenses/MIT.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/github.com/argoproj/argo-workflows/v3/LICENSE", + "Name": "Apache-2.0", + "Confidence": 0.9961783439490446, + "Link": "https://spdx.org/licenses/Apache-2.0.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/github.com/argoproj/argo-cd/v2/LICENSE", + "Name": "Apache-2.0", + "Confidence": 0.9961783439490446, + "Link": "https://spdx.org/licenses/Apache-2.0.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/github.com/argoproj/gitops-engine/LICENSE", + "Name": "Apache-2.0", + "Confidence": 0.9961783439490446, + "Link": "https://spdx.org/licenses/Apache-2.0.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/github.com/argoproj/pkg/LICENSE", + "Name": "Apache-2.0", + "Confidence": 0.9961783439490446, + "Link": 
"https://spdx.org/licenses/Apache-2.0.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/github.com/casbin/xorm-adapter/LICENSE", + "Name": "Apache-2.0", + "Confidence": 1, + "Link": "https://spdx.org/licenses/Apache-2.0.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/github.com/casbin/casbin/LICENSE", + "Name": "Apache-2.0", + "Confidence": 1, + "Link": "https://spdx.org/licenses/Apache-2.0.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/github.com/jbenet/go-context/LICENSE", + "Name": "MIT", + "Confidence": 1, + "Link": "https://spdx.org/licenses/MIT.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/github.com/kballard/go-shellquote/LICENSE", + "Name": "MIT", + "Confidence": 1, + "Link": "https://spdx.org/licenses/MIT.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/github.com/gobwas/glob/LICENSE", + "Name": "MIT", + "Confidence": 1, + "Link": "https://spdx.org/licenses/MIT.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/github.com/nats-io/nats.go/LICENSE", + "Name": "Apache-2.0", + "Confidence": 1, + "Link": "https://spdx.org/licenses/Apache-2.0.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/github.com/nats-io/nkeys/LICENSE", + "Name": "Apache-2.0", + "Confidence": 1, + "Link": "https://spdx.org/licenses/Apache-2.0.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/github.com/nats-io/nuid/LICENSE", + "Name": "Apache-2.0", + "Confidence": 1, + "Link": "https://spdx.org/licenses/Apache-2.0.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/github.com/cloudflare/circl/LICENSE", + "Name": "BSD-3-Clause", + "Confidence": 
0.9812206572769953, + "Link": "https://spdx.org/licenses/BSD-3-Clause.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/github.com/go-redis/cache/v9/LICENSE", + "Name": "BSD-2-Clause", + "Confidence": 0.994535519125683, + "Link": "https://spdx.org/licenses/BSD-2-Clause.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/github.com/otiai10/copy/LICENSE", + "Name": "MIT", + "Confidence": 1, + "Link": "https://spdx.org/licenses/MIT.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/github.com/go-git/go-git/v5/oss-fuzz.sh", + "Name": "Apache-2.0", + "Confidence": 0.9285714285714286, + "Link": "https://spdx.org/licenses/Apache-2.0.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/github.com/go-git/go-git/v5/LICENSE", + "Name": "Apache-2.0", + "Confidence": 0.9961783439490446, + "Link": "https://spdx.org/licenses/Apache-2.0.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/github.com/go-git/gcfg/LICENSE", + "Name": "BSD-3-Clause", + "Confidence": 0.9906976744186047, + "Link": "https://spdx.org/licenses/BSD-3-Clause.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/github.com/go-git/go-billy/v5/LICENSE", + "Name": "Apache-2.0", + "Confidence": 0.9961783439490446, + "Link": "https://spdx.org/licenses/Apache-2.0.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/github.com/ProtonMail/go-crypto/LICENSE", + "Name": "BSD-3-Clause", + "Confidence": 0.9812206572769953, + "Link": "https://spdx.org/licenses/BSD-3-Clause.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/github.com/go-pg/pg/LICENSE", + "Name": "BSD-2-Clause", + "Confidence": 0.994535519125683, + "Link": 
"https://spdx.org/licenses/BSD-2-Clause.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/github.com/colinmarc/hdfs/LICENSE.txt", + "Name": "MIT", + "Confidence": 1, + "Link": "https://spdx.org/licenses/MIT.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/github.com/fvbommel/sortorder/LICENSE", + "Name": "MIT", + "Confidence": 1, + "Link": "https://spdx.org/licenses/MIT.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/github.com/opencontainers/go-digest/LICENSE", + "Name": "Apache-2.0", + "Confidence": 1, + "Link": "https://spdx.org/licenses/Apache-2.0.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/github.com/opencontainers/image-spec/LICENSE", + "Name": "Apache-2.0", + "Confidence": 1, + "Link": "https://spdx.org/licenses/Apache-2.0.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/github.com/blang/semver/v4/LICENSE", + "Name": "MIT", + "Confidence": 1, + "Link": "https://spdx.org/licenses/MIT.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/github.com/mailru/easyjson/LICENSE", + "Name": "MIT", + "Confidence": 1, + "Link": "https://spdx.org/licenses/MIT.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/github.com/go-logr/stdr/LICENSE", + "Name": "Apache-2.0", + "Confidence": 1, + "Link": "https://spdx.org/licenses/Apache-2.0.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/github.com/go-logr/logr/LICENSE", + "Name": "Apache-2.0", + "Confidence": 1, + "Link": "https://spdx.org/licenses/Apache-2.0.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/github.com/josharian/intern/license.md", + "Name": "MIT", + "Confidence": 1, + 
"Link": "https://spdx.org/licenses/MIT.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/github.com/mattn/go-ieproxy/LICENSE", + "Name": "MIT", + "Confidence": 1, + "Link": "https://spdx.org/licenses/MIT.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/github.com/pmezard/go-difflib/LICENSE", + "Name": "BSD-3-Clause", + "Confidence": 0.958139534883721, + "Link": "https://spdx.org/licenses/BSD-3-Clause.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/github.com/MakeNowJust/heredoc/LICENSE", + "Name": "MIT", + "Confidence": 1, + "Link": "https://spdx.org/licenses/MIT.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/github.com/deckarep/golang-set/LICENSE", + "Name": "MIT", + "Confidence": 1, + "Link": "https://spdx.org/licenses/MIT.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/github.com/peterbourgon/diskv/LICENSE", + "Name": "MIT", + "Confidence": 1, + "Link": "https://spdx.org/licenses/MIT.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/github.com/xlab/treeprint/LICENSE", + "Name": "MIT", + "Confidence": 1, + "Link": "https://spdx.org/licenses/MIT.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/github.com/yannh/kubeconform/LICENSE", + "Name": "Apache-2.0", + "Confidence": 0.9285714285714286, + "Link": "https://spdx.org/licenses/Apache-2.0.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/github.com/agext/levenshtein/LICENSE", + "Name": "Apache-2.0", + "Confidence": 1, + "Link": "https://spdx.org/licenses/Apache-2.0.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/github.com/liggitt/tabwriter/LICENSE", + "Name": 
"BSD-3-Clause", + "Confidence": 0.9812206572769953, + "Link": "https://spdx.org/licenses/BSD-3-Clause.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/github.com/oliveagle/jsonpath/LICENSE", + "Name": "MIT", + "Confidence": 1, + "Link": "https://spdx.org/licenses/MIT.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/github.com/shopspring/decimal/LICENSE", + "Name": "MIT", + "Confidence": 1, + "Link": "https://spdx.org/licenses/MIT.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/github.com/tidwall/gjson/LICENSE", + "Name": "MIT", + "Confidence": 1, + "Link": "https://spdx.org/licenses/MIT.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/github.com/tidwall/match/LICENSE", + "Name": "MIT", + "Confidence": 1, + "Link": "https://spdx.org/licenses/MIT.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/github.com/tidwall/pretty/LICENSE", + "Name": "MIT", + "Confidence": 1, + "Link": "https://spdx.org/licenses/MIT.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/github.com/tidwall/sjson/LICENSE", + "Name": "MIT", + "Confidence": 1, + "Link": "https://spdx.org/licenses/MIT.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/github.com/aws/aws-sdk-go-v2/service/ecr/LICENSE.txt", + "Name": "Apache-2.0", + "Confidence": 1, + "Link": "https://spdx.org/licenses/Apache-2.0.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/github.com/aws/aws-sdk-go/internal/sync/singleflight/LICENSE", + "Name": "BSD-3-Clause", + "Confidence": 0.9812206572769953, + "Link": "https://spdx.org/licenses/BSD-3-Clause.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": 
"vendor/github.com/aws/aws-sdk-go/LICENSE.txt", + "Name": "Apache-2.0", + "Confidence": 1, + "Link": "https://spdx.org/licenses/Apache-2.0.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/github.com/aws/smithy-go/LICENSE", + "Name": "Apache-2.0", + "Confidence": 0.9964362081254454, + "Link": "https://spdx.org/licenses/Apache-2.0.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/github.com/gorilla/schema/LICENSE", + "Name": "BSD-3-Clause", + "Confidence": 0.9812206572769953, + "Link": "https://spdx.org/licenses/BSD-3-Clause.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/github.com/gorilla/securecookie/LICENSE", + "Name": "BSD-3-Clause", + "Confidence": 0.9812206572769953, + "Link": "https://spdx.org/licenses/BSD-3-Clause.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/github.com/gorilla/sessions/LICENSE", + "Name": "BSD-3-Clause", + "Confidence": 0.9812206572769953, + "Link": "https://spdx.org/licenses/BSD-3-Clause.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/github.com/gorilla/websocket/LICENSE", + "Name": "BSD-2-Clause", + "Confidence": 1, + "Link": "https://spdx.org/licenses/BSD-2-Clause.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/github.com/gorilla/mux/LICENSE", + "Name": "BSD-3-Clause", + "Confidence": 0.9812206572769953, + "Link": "https://spdx.org/licenses/BSD-3-Clause.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/github.com/google/btree/LICENSE", + "Name": "Apache-2.0", + "Confidence": 1, + "Link": "https://spdx.org/licenses/Apache-2.0.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/github.com/google/go-cmp/LICENSE", + "Name": "BSD-3-Clause", + 
"Confidence": 0.9812206572769953, + "Link": "https://spdx.org/licenses/BSD-3-Clause.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/github.com/google/gofuzz/LICENSE", + "Name": "Apache-2.0", + "Confidence": 1, + "Link": "https://spdx.org/licenses/Apache-2.0.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/github.com/google/gnostic/LICENSE", + "Name": "Apache-2.0", + "Confidence": 1, + "Link": "https://spdx.org/licenses/Apache-2.0.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/github.com/google/go-github/v53/LICENSE", + "Name": "BSD-3-Clause", + "Confidence": 0.9812206572769953, + "Link": "https://spdx.org/licenses/BSD-3-Clause.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/github.com/google/go-github/LICENSE", + "Name": "BSD-3-Clause", + "Confidence": 0.9812206572769953, + "Link": "https://spdx.org/licenses/BSD-3-Clause.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/github.com/google/go-querystring/LICENSE", + "Name": "BSD-3-Clause", + "Confidence": 0.9812206572769953, + "Link": "https://spdx.org/licenses/BSD-3-Clause.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/github.com/google/s2a-go/LICENSE.md", + "Name": "Apache-2.0", + "Confidence": 1, + "Link": "https://spdx.org/licenses/Apache-2.0.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/github.com/google/uuid/LICENSE", + "Name": "BSD-3-Clause", + "Confidence": 0.9812206572769953, + "Link": "https://spdx.org/licenses/BSD-3-Clause.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/github.com/google/wire/LICENSE", + "Name": "Apache-2.0", + "Confidence": 1, + "Link": "https://spdx.org/licenses/Apache-2.0.html" + }, + 
{ + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/github.com/jinzhu/inflection/LICENSE", + "Name": "MIT", + "Confidence": 1, + "Link": "https://spdx.org/licenses/MIT.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/github.com/bmatcuk/doublestar/v4/LICENSE", + "Name": "MIT", + "Confidence": 1, + "Link": "https://spdx.org/licenses/MIT.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/github.com/go-xorm/xorm/LICENSE", + "Name": "BSD-3-Clause", + "Confidence": 0.9953488372093023, + "Link": "https://spdx.org/licenses/BSD-3-Clause.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/github.com/inconshreveable/mousetrap/LICENSE", + "Name": "Apache-2.0", + "Confidence": 0.9961783439490446, + "Link": "https://spdx.org/licenses/Apache-2.0.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/github.com/sirupsen/logrus/LICENSE", + "Name": "MIT", + "Confidence": 1, + "Link": "https://spdx.org/licenses/MIT.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/github.com/felixge/httpsnoop/LICENSE.txt", + "Name": "MIT", + "Confidence": 1, + "Link": "https://spdx.org/licenses/MIT.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/github.com/grpc-ecosystem/go-grpc-middleware/LICENSE", + "Name": "Apache-2.0", + "Confidence": 1, + "Link": "https://spdx.org/licenses/Apache-2.0.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/github.com/grpc-ecosystem/go-grpc-prometheus/LICENSE", + "Name": "Apache-2.0", + "Confidence": 1, + "Link": "https://spdx.org/licenses/Apache-2.0.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/github.com/grpc-ecosystem/grpc-gateway/LICENSE.txt", + 
"Name": "BSD-3-Clause", + "Confidence": 0.9906976744186047, + "Link": "https://spdx.org/licenses/BSD-3-Clause.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/github.com/grpc-ecosystem/grpc-gateway/v2/LICENSE.txt", + "Name": "BSD-3-Clause", + "Confidence": 0.9906976744186047, + "Link": "https://spdx.org/licenses/BSD-3-Clause.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/github.com/ktrysmt/go-bitbucket/LICENSE", + "Name": "Apache-2.0", + "Confidence": 0.9961783439490446, + "Link": "https://spdx.org/licenses/Apache-2.0.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/github.com/modern-go/concurrent/LICENSE", + "Name": "Apache-2.0", + "Confidence": 1, + "Link": "https://spdx.org/licenses/Apache-2.0.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/github.com/modern-go/reflect2/LICENSE", + "Name": "Apache-2.0", + "Confidence": 1, + "Link": "https://spdx.org/licenses/Apache-2.0.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/github.com/pjbgf/sha1cd/LICENSE", + "Name": "Apache-2.0", + "Confidence": 1, + "Link": "https://spdx.org/licenses/Apache-2.0.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/github.com/doublerebel/bellows/LICENSE", + "Name": "MIT", + "Confidence": 1, + "Link": "https://spdx.org/licenses/MIT.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/github.com/beorn7/perks/LICENSE", + "Name": "MIT", + "Confidence": 1, + "Link": "https://spdx.org/licenses/MIT.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/github.com/devtron-labs/authenticator/LICENSE", + "Name": "Apache-2.0", + "Confidence": 1, + "Link": "https://spdx.org/licenses/Apache-2.0.html" + }, + { + 
"Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/github.com/devtron-labs/common-lib/LICENSE", + "Name": "Apache-2.0", + "Confidence": 1, + "Link": "https://spdx.org/licenses/Apache-2.0.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/github.com/devtron-labs/protos/LICENSE", + "Name": "Apache-2.0", + "Confidence": 1, + "Link": "https://spdx.org/licenses/Apache-2.0.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/github.com/Azure/azure-pipeline-go/LICENSE", + "Name": "MIT", + "Confidence": 1, + "Link": "https://spdx.org/licenses/MIT.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/github.com/Azure/azure-storage-blob-go/LICENSE", + "Name": "MIT", + "Confidence": 1, + "Link": "https://spdx.org/licenses/MIT.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/github.com/Azure/go-ansiterm/LICENSE", + "Name": "MIT", + "Confidence": 1, + "Link": "https://spdx.org/licenses/MIT.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/github.com/Azure/go-autorest/LICENSE", + "Name": "Apache-2.0", + "Confidence": 1, + "Link": "https://spdx.org/licenses/Apache-2.0.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/github.com/Azure/go-autorest/autorest/LICENSE", + "Name": "Apache-2.0", + "Confidence": 1, + "Link": "https://spdx.org/licenses/Apache-2.0.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/github.com/Azure/go-autorest/autorest/adal/LICENSE", + "Name": "Apache-2.0", + "Confidence": 1, + "Link": "https://spdx.org/licenses/Apache-2.0.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/github.com/Azure/go-autorest/autorest/date/LICENSE", + "Name": "Apache-2.0", + 
"Confidence": 1, + "Link": "https://spdx.org/licenses/Apache-2.0.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/github.com/Azure/go-autorest/logger/LICENSE", + "Name": "Apache-2.0", + "Confidence": 1, + "Link": "https://spdx.org/licenses/Apache-2.0.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/github.com/Azure/go-autorest/tracing/LICENSE", + "Name": "Apache-2.0", + "Confidence": 1, + "Link": "https://spdx.org/licenses/Apache-2.0.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/github.com/Knetic/govaluate/LICENSE", + "Name": "MIT", + "Confidence": 1, + "Link": "https://spdx.org/licenses/MIT.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/github.com/iancoleman/orderedmap/LICENSE", + "Name": "MIT", + "Confidence": 1, + "Link": "https://spdx.org/licenses/MIT.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/github.com/robfig/cron/v3/LICENSE", + "Name": "MIT", + "Confidence": 1, + "Link": "https://spdx.org/licenses/MIT.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/github.com/davecgh/go-spew/LICENSE", + "Name": "ISC", + "Confidence": 0.963302752293578, + "Link": "https://spdx.org/licenses/ISC.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/github.com/evanphx/json-patch/LICENSE", + "Name": "BSD-3-Clause", + "Confidence": 0.9906976744186047, + "Link": "https://spdx.org/licenses/BSD-3-Clause.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/github.com/googleapis/gax-go/v2/LICENSE", + "Name": "BSD-3-Clause", + "Confidence": 0.9906976744186047, + "Link": "https://spdx.org/licenses/BSD-3-Clause.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + 
"FilePath": "vendor/github.com/googleapis/enterprise-certificate-proxy/LICENSE", + "Name": "Apache-2.0", + "Confidence": 1, + "Link": "https://spdx.org/licenses/Apache-2.0.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/github.com/kevinburke/ssh_config/LICENSE", + "Name": "MIT", + "Confidence": 1, + "Link": "https://spdx.org/licenses/MIT.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/github.com/coreos/go-oidc/LICENSE", + "Name": "Apache-2.0", + "Confidence": 1, + "Link": "https://spdx.org/licenses/Apache-2.0.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/github.com/docker/distribution/LICENSE", + "Name": "Apache-2.0", + "Confidence": 1, + "Link": "https://spdx.org/licenses/Apache-2.0.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/github.com/antonmedv/expr/LICENSE", + "Name": "MIT", + "Confidence": 1, + "Link": "https://spdx.org/licenses/MIT.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/github.com/skeema/knownhosts/README.md", + "Name": "Apache-2.0", + "Confidence": 0.9285714285714286, + "Link": "https://spdx.org/licenses/Apache-2.0.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/github.com/skeema/knownhosts/LICENSE", + "Name": "Apache-2.0", + "Confidence": 1, + "Link": "https://spdx.org/licenses/Apache-2.0.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/github.com/Microsoft/azure-devops-go-api/azuredevops/LICENSE", + "Name": "MIT", + "Confidence": 1, + "Link": "https://spdx.org/licenses/MIT.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "vendor/github.com/Microsoft/go-winio/LICENSE", + "Name": "MIT", + "Confidence": 1, + "Link": "https://spdx.org/licenses/MIT.html" + 
}, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "manifests/LICENSE", + "Name": "Apache-2.0", + "Confidence": 1, + "Link": "https://spdx.org/licenses/Apache-2.0.html" + }, + { + "Severity": "LOW", + "Category": "notice", + "PkgName": "", + "FilePath": "LICENSE", + "Name": "Apache-2.0", + "Confidence": 1, + "Link": "https://spdx.org/licenses/Apache-2.0.html" + } + ] + } + ] +} diff --git a/scripts/sql/238_resource_scan.down.sql b/scripts/sql/238_resource_scan.down.sql new file mode 100644 index 0000000000..350fc2e26c --- /dev/null +++ b/scripts/sql/238_resource_scan.down.sql @@ -0,0 +1,5 @@ +ALTER TABLE public.scan_tool_execution_history_mapping DROP COLUMN IF EXISTS error_message; + +DELETE FROM public.scan_tool_step +WHERE scan_tool_id = 3 + AND index = 5; diff --git a/scripts/sql/238_resource_scan.up.sql b/scripts/sql/238_resource_scan.up.sql new file mode 100644 index 0000000000..41ef8dd8f5 --- /dev/null +++ b/scripts/sql/238_resource_scan.up.sql @@ -0,0 +1,2 @@ +ALTER TABLE public.scan_tool_execution_history_mapping ADD COLUMN IF NOT EXISTS error_message varchar NULL; +INSERT INTO public.scan_tool_step(scan_tool_id, index, step_execution_type, step_execution_sync, retry_count, execute_step_on_fail, execute_step_on_pass, render_input_data_from_step, http_input_payload, http_method_type, http_req_headers, http_query_params, cli_command, cli_output_type, deleted, created_on, created_by, updated_on, updated_by) VALUES (3,5,'CLI',true,1,-1,-1,-1,null,null,null,null,'trivy image -f json -o {{.OUTPUT_FILE_PATH}} --timeout {{.timeout}} {{.IMAGE_NAME}}', 'STATIC',false,now()::timestamp,'1',now()::timestamp,'1'); diff --git a/scripts/sql/239_code_image_scan.down.sql b/scripts/sql/239_code_image_scan.down.sql new file mode 100644 index 0000000000..688505423e --- /dev/null +++ b/scripts/sql/239_code_image_scan.down.sql 
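Review bot: The new step-5 `cli_command` in 238_resource_scan.up.sql splices `{{.IMAGE_NAME}}`, `{{.timeout}}` and `{{.OUTPUT_FILE_PATH}}` unquoted into a shell line, so any of those values that can carry shell metacharacters (a user-supplied image reference, for instance) rewrites the command; whether the renderer already restricts IMAGE_NAME to an OCI reference grammar is not visible here, and that check belongs before rendering rather than in the template. The INSERT has no comment saying when index 5 is chosen over the credentialed steps 1-3; a one-liner above it such as `-- step 5: unauthenticated trivy image scan (no registry credentials in the command)` would document the intent (adjust to the actual selection rule). The `error_message varchar NULL` column added by the first statement is untyped; if it is meant to hold scanner output, a comment should say that rendered commands containing registry credentials must not be written into it.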
@@ -0,0 +1,21 @@
+
+DROP TABLE IF EXISTS "public"."resource_scan_execution_result";
+
+DROP SEQUENCE IF EXISTS resource_scan_execution_result_id_seq;
+
+ALTER TABLE public.image_scan_execution_history DROP column IF EXISTS source_type;
+ALTER TABLE public.image_scan_execution_history DROP column IF EXISTS source_sub_type;
+ALTER TABLE public.image_scan_execution_history RENAME COLUMN source_metadata_json TO scan_event_json ;
+
+UPDATE scan_tool_step
+SET cli_command = 'trivy image -f json -o {{.OUTPUT_FILE_PATH}} --timeout {{.timeout}} {{.IMAGE_NAME}} --username {{.USERNAME}} --password {{.PASSWORD}}'
+WHERE scan_tool_id=3 and index=1 and step_execution_type='CLI';
+UPDATE scan_tool_step
+SET cli_command = '(export AWS_ACCESS_KEY_ID={{.AWS_ACCESS_KEY_ID}} AWS_SECRET_ACCESS_KEY={{.AWS_SECRET_ACCESS_KEY}} AWS_DEFAULT_REGION={{.AWS_DEFAULT_REGION}}; trivy image -f json -o {{.OUTPUT_FILE_PATH}} --timeout {{.timeout}} {{.IMAGE_NAME}})'
+WHERE scan_tool_id=3 and index=2 and step_execution_type='CLI';
+UPDATE scan_tool_step
+SET cli_command = 'GOOGLE_APPLICATION_CREDENTIALS="{{.FILE_PATH}}/credentials.json" trivy image -f json -o {{.OUTPUT_FILE_PATH}} --timeout {{.timeout}} {{.IMAGE_NAME}}'
+WHERE scan_tool_id=3 and index=3 and step_execution_type='CLI';
+UPDATE scan_tool_step
+SET cli_command = 'trivy image -f json -o {{.OUTPUT_FILE_PATH}} --timeout {{.timeout}} {{.IMAGE_NAME}}'
+WHERE scan_tool_id=3 and index=5 and step_execution_type='CLI';
\ No newline at end of file
diff --git a/scripts/sql/239_code_image_scan.up.sql b/scripts/sql/239_code_image_scan.up.sql
new file mode 100644
index 0000000000..144ac61ce4
--- /dev/null
+++ b/scripts/sql/239_code_image_scan.up.sql
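Review bot: The rollback re-seeds step 1 with `--username {{.USERNAME}} --password {{.PASSWORD}}` and step 2 with `export AWS_SECRET_ACCESS_KEY={{.AWS_SECRET_ACCESS_KEY}}` inside the rendered shell command, so the registry and AWS secrets land on the process command line and in anything that logs or stores the rendered command; the up migration's versions of the same steps (which run past the visible span) carry the same strings, so this is pre-existing rather than introduced by the rollback, but the down file is where it is fully visible. Trivy reads `TRIVY_USERNAME`/`TRIVY_PASSWORD` and the AWS SDK reads `AWS_ACCESS_KEY_ID`/`AWS_SECRET_ACCESS_KEY` from the environment, so supplying them as the step process's environment and keeping the template at `trivy image -f json -o {{.OUTPUT_FILE_PATH}} --timeout {{.timeout}} {{.IMAGE_NAME}}` would keep secrets out of the command string in both directions of the migration. Until that change lands, a comment on the UPDATE statements stating that these commands must not be echoed into logs or into the new `error_message` column would at least record the constraint.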
@@ -0,0 +1,116 @@
+
+CREATE SEQUENCE IF NOT EXISTS public.resource_scan_execution_result_id_seq;
+
+CREATE table if not exists public.resource_scan_execution_result (
+ id integer DEFAULT nextval('public.resource_scan_execution_result_id_seq'::regclass) NOT NULL,
+ image_scan_execution_history_id integer NOT NULL,
+ scan_data_json text,
+ format integer,
+ types integer[],
+ scan_tool_id int,
+ PRIMARY KEY ("id"),
+ CONSTRAINT image_scan_execution_history_id_fkey
+ FOREIGN KEY("image_scan_execution_history_id")
+ REFERENCES"public"."image_scan_execution_history" ("id")
+ );
+
+ALTER TABLE public.image_scan_execution_history ADD column IF NOT exists source_type integer NULL;
+ALTER TABLE public.image_scan_execution_history ADD column IF NOT exists source_sub_type integer NULL;
+ALTER TABLE public.image_scan_execution_history RENAME COLUMN scan_event_json TO source_metadata_json;
+
+
+UPDATE scan_tool_step
+SET cli_command = 'trivy image -f json -o {{.OUTPUT_FILE_PATH}} --timeout {{.timeout}} {{.IMAGE_NAME}} --username {{.USERNAME}} --password {{.PASSWORD}} {{.EXTRA_ARGS}}'
+WHERE scan_tool_id=3 and index=1 and step_execution_type='CLI';
+UPDATE scan_tool_step
+SET cli_command = '(export AWS_ACCESS_KEY_ID={{.AWS_ACCESS_KEY_ID}} AWS_SECRET_ACCESS_KEY={{.AWS_SECRET_ACCESS_KEY}} AWS_DEFAULT_REGION={{.AWS_DEFAULT_REGION}}; trivy image -f json -o {{.OUTPUT_FILE_PATH}} --timeout {{.timeout}} {{.IMAGE_NAME}} {{.EXTRA_ARGS}})'
+WHERE scan_tool_id=3 and index=2 and step_execution_type='CLI';
+UPDATE scan_tool_step
+SET cli_command = 'GOOGLE_APPLICATION_CREDENTIALS="{{.FILE_PATH}}/credentials.json" trivy image -f json -o {{.OUTPUT_FILE_PATH}} --timeout {{.timeout}} {{.IMAGE_NAME}} {{.EXTRA_ARGS}}'
+WHERE scan_tool_id=3 and index=3 and step_execution_type='CLI';
+UPDATE scan_tool_step
+SET cli_command = 'trivy image -f json -o {{.OUTPUT_FILE_PATH}} --timeout {{.timeout}} {{.IMAGE_NAME}} {{.EXTRA_ARGS}}'
+WHERE scan_tool_id=3 and index=5 and step_execution_type='CLI';
+
+
+INSERT INTO plugin_metadata (id,name,description,type,icon,deleted,created_on,created_by,updated_on,updated_by) +VALUES (nextval('id_seq_plugin_metadata'),'Vulnerabilty_Scanner v1.0.0' , 'Checks code vulnerability types in the Post-CI stage','PRESET','https://raw.githubusercontent.com/devtron-labs/devtron/main/assets/devtron-logo-plugin.png',false,'now()',1,'now()',1); + + +INSERT INTO plugin_stage_mapping (id,plugin_id,stage_type,created_on,created_by,updated_on,updated_by)VALUES (nextval('id_seq_plugin_stage_mapping'), + (SELECT id from plugin_metadata where name='Vulnerabilty_Scanner v1.0.0'),1,'now()',1,'now()',1); + +INSERT INTO "plugin_pipeline_script" ("id", "script","type","deleted","created_on", "created_by", "updated_on", "updated_by") +VALUES ( nextval('id_seq_plugin_pipeline_script'), + E'#!/bin/bash + +json_data="$CI_CD_EVENT" +base_url="$IMAGE_SCANNER_ENDPOINT" + + +url="$base_url/scanner/image" + +ciProjectDetails=$(echo "$json_data" | jq -r \'.commonWorkflowRequest.ciProjectDetails\') +ciWorkflowId=$(echo "$json_data" | jq -r \'.workflowId\') +sourceType=2 +sourceSubType=1 + + +new_payload=$(cat < Date: Fri, 26 Apr 2024 15:48:02 +0530 Subject: [PATCH 2/2] incorporating feedbacks --- .../security/ImageScanHistoryRepository.go | 4 +- report.json | 109997 --------------- 2 files changed, 1 insertion(+), 110000 deletions(-) delete mode 100644 report.json diff --git a/internal/sql/repository/security/ImageScanHistoryRepository.go b/internal/sql/repository/security/ImageScanHistoryRepository.go index 19a473db9b..17a58864a3 100644 --- a/internal/sql/repository/security/ImageScanHistoryRepository.go +++ b/internal/sql/repository/security/ImageScanHistoryRepository.go 
@@ -31,11 +31,9 @@ type ImageScanExecutionHistory struct { ImageHash string `sql:"image_hash,notnull"` // TODO Migrate to request metadata ExecutionTime time.Time `sql:"execution_time"` ExecutedBy int `sql:"executed_by,notnull"` - SourceMetadataJson string `sql:"source_metadata_json"` // to have relevant info to process a scan for a given source type and subtype - ExecutionHistoryDirectoryPath string `sql:"execution_history_directory_path"` // Deprecated + SourceMetadataJson string `sql:"source_metadata_json"` // to have relevant info to process a scan for a given source type and subtype SourceType SourceType `sql:"source_type"` SourceSubType SourceSubType `sql:"source_sub_type"` - ResourceScanExecutionResult *ResourceScanExecutionResult ScanToolExecutionHistoryMapping *ScanToolExecutionHistoryMapping } diff --git a/report.json b/report.json deleted file mode 100644 index 9854f9ee57..0000000000 --- a/report.json +++ /dev/null 
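Review bot: `SourceType` and `SourceSubType` are kept on the struct with no comment on their value set or on what the zero value means; the migration in this series creates both columns as nullable integers, and under go-pg's default zero-as-NULL handling (no `use_zero` in the tag) a zero value is persisted as NULL, so `0` effectively means "not set". A comment such as `// SourceType/SourceSubType classify what was scanned (see the SourceType/SourceSubType constants); 0 is unset and is stored as NULL.` would make that explicit. The `SourceMetadataJson` comment says "relevant info" without naming the shape; pointing at the type that is marshalled into it would help the next reader. The struct header and the relation fields lie outside this hunk.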
@@ -1,109997 +0,0 @@ -2024-04-12T15:21:30.553Z INFO Need to update DB -2024-04-12T15:21:30.553Z INFO DB Repository: ghcr.io/aquasecurity/trivy-db:2 -2024-04-12T15:21:30.553Z INFO Downloading DB... - -2024-04-12T15:21:36.966Z INFO Vulnerability scanning is enabled -2024-04-12T15:21:36.967Z INFO Misconfiguration scanning is enabled -2024-04-12T15:21:36.967Z INFO Need to update the built-in policies -2024-04-12T15:21:36.967Z INFO Downloading the built-in policies... - -2024-04-12T15:21:38.539Z INFO Secret scanning is enabled -2024-04-12T15:21:38.539Z INFO If your scanning is slow, please try '--scanners vuln' to disable secret scanning -2024-04-12T15:21:38.539Z INFO Please see also https://aquasecurity.github.io/trivy/v0.50/docs/scanner/secret/#recommendation for faster secret detection -2024-04-12T15:21:38.539Z INFO Full license scanning is enabled -2024-04-12T15:24:10.354Z INFO Number of language-specific files: 2 -2024-04-12T15:24:10.360Z INFO Detecting pip vulnerabilities... -2024-04-12T15:24:10.363Z INFO Detecting gomod vulnerabilities... 
-2024-04-12T15:24:10.370Z INFO Detected config files: 100 -{ - "SchemaVersion": 2, - "CreatedAt": "2024-04-12T15:24:10.379305346Z", - "ArtifactName": "/data", - "ArtifactType": "filesystem", - "Metadata": { - "ImageConfig": { - "architecture": "", - "created": "0001-01-01T00:00:00Z", - "os": "", - "rootfs": { - "type": "", - "diff_ids": null - }, - "config": {} - } - }, - "Results": [ - { - "Target": "go.mod", - "Class": "lang-pkgs", - "Type": "gomod", - "Vulnerabilities": [ - { - "VulnerabilityID": "CVE-2024-29893", - "PkgID": "github.com/argoproj/argo-cd/v2@v2.8.13", - "PkgName": "github.com/argoproj/argo-cd/v2", - "PkgIdentifier": { - "PURL": "pkg:golang/github.com/argoproj/argo-cd/v2@2.8.13" - }, - "InstalledVersion": "2.8.13", - "FixedVersion": "2.8.14, 2.9.10, 2.10.5", - "Status": "fixed", - "Layer": {}, - "SeveritySource": "ghsa", - "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2024-29893", - "DataSource": { - "ID": "ghsa", - "Name": "GitHub Security Advisory Go", - "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Ago" - }, - "Title": "argo-cd: uncontrolled memory allocation vulnerability", - "Description": "Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. All versions of ArgoCD starting from v2.4 have a bug where the ArgoCD repo-server component is vulnerable to a Denial-of-Service attack vector. Specifically, it's possible to crash the repo server component through an out of memory error by pointing it to a malicious Helm registry. The loadRepoIndex() function in the ArgoCD's helm package, does not limit the size nor time while fetching the data. It fetches it and creates a byte slice from the retrieved data in one go. If the registry is implemented to push data continuously, the repo server will keep allocating memory until it runs out of it. 
A patch for this vulnerability has been released in v2.10.3, v2.9.8, and v2.8.12.", - "Severity": "MEDIUM", - "CweIDs": [ - "CWE-400" - ], - "VendorSeverity": { - "bitnami": 2, - "ghsa": 2, - "redhat": 2 - }, - "CVSS": { - "bitnami": { - "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", - "V3Score": 6.5 - }, - "ghsa": { - "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", - "V3Score": 6.5 - }, - "redhat": { - "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", - "V3Score": 6.5 - } - }, - "References": [ - "https://access.redhat.com/security/cve/CVE-2024-29893", - "https://github.com/argoproj/argo-cd", - "https://github.com/argoproj/argo-cd/commit/14f681e3ee7c38731943b98f92277e88a3db109d", - "https://github.com/argoproj/argo-cd/commit/36b8a12a38f8d92d55bffc81deed44389bf6eb59", - "https://github.com/argoproj/argo-cd/commit/3e5a878f6e30d935fa149723ea2a2e93748fcddd", - "https://github.com/argoproj/argo-cd/security/advisories/GHSA-jhwx-mhww-rgc3", - "https://nvd.nist.gov/vuln/detail/CVE-2024-29893", - "https://www.cve.org/CVERecord?id=CVE-2024-29893" - ], - "PublishedDate": "2024-03-29T15:15:12.74Z", - "LastModifiedDate": "2024-04-01T01:12:59.077Z" - } - ] - }, - { - "Target": "Dockerfile", - "Class": "config", - "Type": "dockerfile", - "MisconfSummary": { - "Successes": 23, - "Failures": 5, - "Exceptions": 0 - }, - "Misconfigurations": [ - { - "Type": "Dockerfile Security Check", - "ID": "DS001", - "AVDID": "AVD-DS-0001", - "Title": "':latest' tag used", - "Description": "When using a 'FROM' statement you should use a specific tag to avoid uncontrolled behavior when the image is updated.", - "Message": "Specify a tag in the 'FROM' statement for image 'ubuntu'", - "Namespace": "builtin.dockerfile.DS001", - "Query": "data.builtin.dockerfile.DS001.deny", - "Resolution": "Add a tag to the image in the 'FROM' statement", - "Severity": "MEDIUM", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ds001", - "References": [ - 
"https://avd.aquasec.com/misconfig/ds001" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Dockerfile", - "Service": "general", - "StartLine": 12, - "EndLine": 12, - "Code": { - "Lines": [ - { - "Number": 12, - "Content": "FROM ubuntu as devtron-all", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m\u001b[38;5;64mFROM\u001b[0m\u001b[38;5;37m ubuntu as devtron-all", - "FirstCause": true, - "LastCause": true - } - ] - } - } - }, - { - "Type": "Dockerfile Security Check", - "ID": "DS005", - "AVDID": "AVD-DS-0005", - "Title": "ADD instead of COPY", - "Description": "You should use COPY instead of ADD unless you want to extract a tar file. Note that an ADD command will extract a tar file, which adds the risk of Zip-based vulnerabilities. Accordingly, it is advised to use a COPY command, which does not extract tar files.", - "Message": "Consider using 'COPY . /go/src/github.com/devtron-labs/devtron/' command instead of 'ADD . /go/src/github.com/devtron-labs/devtron/'", - "Namespace": "builtin.dockerfile.DS005", - "Query": "data.builtin.dockerfile.DS005.deny", - "Resolution": "Use COPY instead of ADD", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ds005", - "References": [ - "https://docs.docker.com/engine/reference/builder/#add", - "https://avd.aquasec.com/misconfig/ds005" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Dockerfile", - "Service": "general", - "StartLine": 8, - "EndLine": 8, - "Code": { - "Lines": [ - { - "Number": 8, - "Content": "ADD . /go/src/github.com/devtron-labs/devtron/", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m\u001b[38;5;64mADD\u001b[0m . 
/go/src/github.com/devtron-labs/devtron/", - "FirstCause": true, - "LastCause": true - } - ] - } - } - }, - { - "Type": "Dockerfile Security Check", - "ID": "DS017", - "AVDID": "AVD-DS-0017", - "Title": "'RUN \u003cpackage-manager\u003e update' instruction alone", - "Description": "The instruction 'RUN \u003cpackage-manager\u003e update' should always be followed by '\u003cpackage-manager\u003e install' in the same RUN statement.", - "Message": "The instruction 'RUN \u003cpackage-manager\u003e update' should always be followed by '\u003cpackage-manager\u003e install' in the same RUN statement.", - "Namespace": "builtin.dockerfile.DS017", - "Query": "data.builtin.dockerfile.DS017.deny", - "Resolution": "Combine '\u003cpackage-manager\u003e update' and '\u003cpackage-manager\u003e install' instructions to single one", - "Severity": "HIGH", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ds017", - "References": [ - "https://docs.docker.com/develop/develop-images/dockerfile_best-practices/#run", - "https://avd.aquasec.com/misconfig/ds017" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Dockerfile", - "Service": "general", - "StartLine": 4, - "EndLine": 4, - "Code": { - "Lines": [ - { - "Number": 4, - "Content": "RUN apt update", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m\u001b[38;5;64mRUN\u001b[0m apt update", - "FirstCause": true, - "LastCause": true - } - ] - } - } - }, - { - "Type": "Dockerfile Security Check", - "ID": "DS017", - "AVDID": "AVD-DS-0017", - "Title": "'RUN \u003cpackage-manager\u003e update' instruction alone", - "Description": "The instruction 'RUN \u003cpackage-manager\u003e update' should always be followed by '\u003cpackage-manager\u003e install' in the same RUN statement.", - "Message": "The instruction 'RUN \u003cpackage-manager\u003e update' should always be followed by '\u003cpackage-manager\u003e install' in the same RUN statement.", - "Namespace": 
"builtin.dockerfile.DS017", - "Query": "data.builtin.dockerfile.DS017.deny", - "Resolution": "Combine '\u003cpackage-manager\u003e update' and '\u003cpackage-manager\u003e install' instructions to single one", - "Severity": "HIGH", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ds017", - "References": [ - "https://docs.docker.com/develop/develop-images/dockerfile_best-practices/#run", - "https://avd.aquasec.com/misconfig/ds017" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Dockerfile", - "Service": "general", - "StartLine": 14, - "EndLine": 14, - "Code": { - "Lines": [ - { - "Number": 14, - "Content": "RUN apt update", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[38;5;64mRUN\u001b[0m apt update", - "FirstCause": true, - "LastCause": true - } - ] - } - } - }, - { - "Type": "Dockerfile Security Check", - "ID": "DS026", - "AVDID": "AVD-DS-0026", - "Title": "No HEALTHCHECK defined", - "Description": "You should add HEALTHCHECK instruction in your docker container images to perform the health check on running containers.", - "Message": "Add HEALTHCHECK instruction in your Dockerfile", - "Namespace": "builtin.dockerfile.DS026", - "Query": "data.builtin.dockerfile.DS026.deny", - "Resolution": "Add HEALTHCHECK instruction in Dockerfile", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ds026", - "References": [ - "https://blog.aquasec.com/docker-security-best-practices", - "https://avd.aquasec.com/misconfig/ds026" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Dockerfile", - "Service": "general", - "Code": { - "Lines": null - } - } - } - ] - }, - { - "Target": "charts/devtron/crds/crd-devtron.yaml", - "Class": "config", - "Type": "kubernetes", - "MisconfSummary": { - "Successes": 153, - "Failures": 0, - "Exceptions": 0 - } - }, - { - "Target": "charts/devtron/templates/argocd-secret.yaml", - "Class": "config", - "Type": "kubernetes", - 
"MisconfSummary": { - "Successes": 153, - "Failures": 0, - "Exceptions": 0 - } - }, - { - "Target": "charts/devtron/templates/rbac.yaml", - "Class": "config", - "Type": "kubernetes", - "MisconfSummary": { - "Successes": 153, - "Failures": 2, - "Exceptions": 0 - }, - "Misconfigurations": [ - { - "Type": "Kubernetes Security Check", - "ID": "KSV044", - "AVDID": "AVD-KSV-0044", - "Title": "No wildcard verb and resource roles", - "Description": "Check whether role permits wildcard verb on wildcard resource", - "Message": "Role permits wildcard verb on wildcard resource", - "Namespace": "builtin.kubernetes.KSV044", - "Query": "data.builtin.kubernetes.KSV044.deny", - "Resolution": "Create a role which does not permit wildcard verb on wildcard resource", - "Severity": "CRITICAL", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv044", - "References": [ - "https://kubernetes.io/docs/concepts/security/rbac-good-practices/", - "https://avd.aquasec.com/misconfig/ksv044" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 20, - "EndLine": 25, - "Code": { - "Lines": [ - { - "Number": 20, - "Content": "- apiGroups:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "- \u001b[38;5;33mapiGroups\u001b[0m:", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 21, - "Content": " - '*'", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;37m'*'", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 22, - "Content": " resources:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mresources\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 23, - "Content": " - '*'", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;37m'*'", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 24, 
- "Content": " verbs:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mverbs\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 25, - "Content": " - '*'", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;37m'*'", - "FirstCause": false, - "LastCause": true - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV046", - "AVDID": "AVD-KSV-0046", - "Title": "Manage all resources", - "Description": "Full control of the cluster resources, and therefore also root on all nodes where workloads can run and has access to all pods, secrets, and data.", - "Message": "ClusterRole 'devtron' shouldn't manage all resources", - "Namespace": "builtin.kubernetes.KSV046", - "Query": "data.builtin.kubernetes.KSV046.deny", - "Resolution": "Remove '*' from 'rules.resources'. Provide specific list of resources to be managed by cluster role", - "Severity": "CRITICAL", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv046", - "References": [ - "https://kubernetes.io/docs/concepts/security/rbac-good-practices/", - "https://avd.aquasec.com/misconfig/ksv046" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 20, - "EndLine": 25, - "Code": { - "Lines": [ - { - "Number": 20, - "Content": "- apiGroups:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "- \u001b[38;5;33mapiGroups\u001b[0m:", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 21, - "Content": " - '*'", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;37m'*'", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 22, - "Content": " resources:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mresources\u001b[0m:", - "FirstCause": false, - "LastCause": false 
- }, - { - "Number": 23, - "Content": " - '*'", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;37m'*'", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 24, - "Content": " verbs:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mverbs\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 25, - "Content": " - '*'", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;37m'*'", - "FirstCause": false, - "LastCause": true - } - ] - } - } - } - ] - }, - { - "Target": "manifests/crds/crd-devtron.yaml", - "Class": "config", - "Type": "kubernetes", - "MisconfSummary": { - "Successes": 153, - "Failures": 0, - "Exceptions": 0 - } - }, - { - "Target": "manifests/hyperion/dashboard.yaml", - "Class": "config", - "Type": "kubernetes", - "MisconfSummary": { - "Successes": 153, - "Failures": 28, - "Exceptions": 0 - }, - "Misconfigurations": [ - { - "Type": "Kubernetes Security Check", - "ID": "KSV001", - "AVDID": "AVD-KSV-0001", - "Title": "Can elevate its own privileges", - "Description": "A program inside the container can elevate its own privileges and run as root, which might give the program control over the container and node.", - "Message": "Container 'dashboard' of Deployment 'dashboard' should set 'securityContext.allowPrivilegeEscalation' to false", - "Namespace": "builtin.kubernetes.KSV001", - "Query": "data.builtin.kubernetes.KSV001.deny", - "Resolution": "Set 'set containers[].securityContext.allowPrivilegeEscalation' to 'false'.", - "Severity": "MEDIUM", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv001", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", - "https://avd.aquasec.com/misconfig/ksv001" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 232, 
- "EndLine": 255, - "Code": { - "Lines": [ - { - "Number": 232, - "Content": " - name: dashboard", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: dashboard", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 233, - "Content": " image: \"quay.io/devtron/dashboard:075cba2a-136-6172\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/dashboard:075cba2a-136-6172\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 234, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 235, - "Content": " ports:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mports\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 236, - "Content": " - name: app", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: app", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 237, - "Content": " containerPort: 80", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m80", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 238, - "Content": " protocol: TCP", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mprotocol\u001b[0m: TCP", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 239, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 240, - "Content": " - name: 
CONFIG_HASH", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: CONFIG_HASH", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 241, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV001", - "AVDID": "AVD-KSV-0001", - "Title": "Can elevate its own privileges", - "Description": "A program inside the container can elevate its own privileges and run as root, which might give the program control over the container and node.", - "Message": "Container 'envoy' of Deployment 'dashboard' should set 'securityContext.allowPrivilegeEscalation' to false", - "Namespace": "builtin.kubernetes.KSV001", - "Query": "data.builtin.kubernetes.KSV001.deny", - "Resolution": "Set 'set containers[].securityContext.allowPrivilegeEscalation' to 'false'.", - "Severity": "MEDIUM", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv001", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", - "https://avd.aquasec.com/misconfig/ksv001" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 218, - "EndLine": 231, - "Code": { - "Lines": [ - { - "Number": 218, - "Content": " - name: envoy", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: envoy", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 219, - "Content": " image: \"quay.io/devtron/envoy:v1.14.1\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/envoy:v1.14.1\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 220, - "Content": " ports:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - 
"Highlighted": "\u001b[0m \u001b[38;5;33mports\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 221, - "Content": " - containerPort: 9901", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m9901", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 222, - "Content": " protocol: TCP", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mprotocol\u001b[0m: TCP", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 223, - "Content": " name: envoy-admin", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mname\u001b[0m: envoy-admin", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 224, - "Content": " - name: app", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: app", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 225, - "Content": " containerPort: 8790", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m8790", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 226, - "Content": " protocol: TCP", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mprotocol\u001b[0m: TCP", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 227, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV003", - "AVDID": "AVD-KSV-0003", - "Title": "Default capabilities: some containers do not drop all", - "Description": "The container should drop all default capabilities and add only those that are needed for its execution.", - "Message": "Container 'dashboard' of 
Deployment 'dashboard' should add 'ALL' to 'securityContext.capabilities.drop'", - "Namespace": "builtin.kubernetes.KSV003", - "Query": "data.builtin.kubernetes.KSV003.deny", - "Resolution": "Add 'ALL' to containers[].securityContext.capabilities.drop.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv003", - "References": [ - "https://kubesec.io/basics/containers-securitycontext-capabilities-drop-index-all/", - "https://avd.aquasec.com/misconfig/ksv003" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 232, - "EndLine": 255, - "Code": { - "Lines": [ - { - "Number": 232, - "Content": " - name: dashboard", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: dashboard", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 233, - "Content": " image: \"quay.io/devtron/dashboard:075cba2a-136-6172\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/dashboard:075cba2a-136-6172\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 234, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 235, - "Content": " ports:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mports\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 236, - "Content": " - name: app", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: app", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 237, - "Content": " containerPort: 80", - "IsCause": true, - "Annotation": "", - 
"Truncated": false, - "Highlighted": " \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m80", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 238, - "Content": " protocol: TCP", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mprotocol\u001b[0m: TCP", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 239, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 240, - "Content": " - name: CONFIG_HASH", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: CONFIG_HASH", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 241, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV003", - "AVDID": "AVD-KSV-0003", - "Title": "Default capabilities: some containers do not drop all", - "Description": "The container should drop all default capabilities and add only those that are needed for its execution.", - "Message": "Container 'envoy' of Deployment 'dashboard' should add 'ALL' to 'securityContext.capabilities.drop'", - "Namespace": "builtin.kubernetes.KSV003", - "Query": "data.builtin.kubernetes.KSV003.deny", - "Resolution": "Add 'ALL' to containers[].securityContext.capabilities.drop.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv003", - "References": [ - "https://kubesec.io/basics/containers-securitycontext-capabilities-drop-index-all/", - "https://avd.aquasec.com/misconfig/ksv003" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 218, - "EndLine": 231, - "Code": { - "Lines": [ - { - "Number": 218, - "Content": " - name: 
envoy", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: envoy", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 219, - "Content": " image: \"quay.io/devtron/envoy:v1.14.1\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/envoy:v1.14.1\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 220, - "Content": " ports:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mports\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 221, - "Content": " - containerPort: 9901", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m9901", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 222, - "Content": " protocol: TCP", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mprotocol\u001b[0m: TCP", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 223, - "Content": " name: envoy-admin", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mname\u001b[0m: envoy-admin", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 224, - "Content": " - name: app", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: app", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 225, - "Content": " containerPort: 8790", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m8790", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 226, - "Content": " protocol: TCP", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m 
\u001b[38;5;33mprotocol\u001b[0m: TCP", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 227, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV011", - "AVDID": "AVD-KSV-0011", - "Title": "CPU not limited", - "Description": "Enforcing CPU limits prevents DoS via resource exhaustion.", - "Message": "Container 'dashboard' of Deployment 'dashboard' should set 'resources.limits.cpu'", - "Namespace": "builtin.kubernetes.KSV011", - "Query": "data.builtin.kubernetes.KSV011.deny", - "Resolution": "Set a limit value under 'containers[].resources.limits.cpu'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv011", - "References": [ - "https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", - "https://avd.aquasec.com/misconfig/ksv011" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 232, - "EndLine": 255, - "Code": { - "Lines": [ - { - "Number": 232, - "Content": " - name: dashboard", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: dashboard", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 233, - "Content": " image: \"quay.io/devtron/dashboard:075cba2a-136-6172\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/dashboard:075cba2a-136-6172\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 234, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 235, - 
"Content": " ports:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mports\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 236, - "Content": " - name: app", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: app", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 237, - "Content": " containerPort: 80", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m80", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 238, - "Content": " protocol: TCP", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mprotocol\u001b[0m: TCP", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 239, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 240, - "Content": " - name: CONFIG_HASH", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: CONFIG_HASH", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 241, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV011", - "AVDID": "AVD-KSV-0011", - "Title": "CPU not limited", - "Description": "Enforcing CPU limits prevents DoS via resource exhaustion.", - "Message": "Container 'envoy' of Deployment 'dashboard' should set 'resources.limits.cpu'", - "Namespace": "builtin.kubernetes.KSV011", - "Query": "data.builtin.kubernetes.KSV011.deny", - "Resolution": "Set a limit value under 'containers[].resources.limits.cpu'.", - "Severity": "LOW", - "PrimaryURL": 
"https://avd.aquasec.com/misconfig/ksv011", - "References": [ - "https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", - "https://avd.aquasec.com/misconfig/ksv011" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 218, - "EndLine": 231, - "Code": { - "Lines": [ - { - "Number": 218, - "Content": " - name: envoy", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: envoy", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 219, - "Content": " image: \"quay.io/devtron/envoy:v1.14.1\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/envoy:v1.14.1\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 220, - "Content": " ports:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mports\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 221, - "Content": " - containerPort: 9901", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m9901", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 222, - "Content": " protocol: TCP", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mprotocol\u001b[0m: TCP", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 223, - "Content": " name: envoy-admin", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mname\u001b[0m: envoy-admin", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 224, - "Content": " - name: app", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - 
\u001b[38;5;33mname\u001b[0m: app", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 225, - "Content": " containerPort: 8790", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m8790", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 226, - "Content": " protocol: TCP", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mprotocol\u001b[0m: TCP", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 227, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV012", - "AVDID": "AVD-KSV-0012", - "Title": "Runs as root user", - "Description": "Force the running image to run as a non-root user to ensure least privileges.", - "Message": "Container 'dashboard' of Deployment 'dashboard' should set 'securityContext.runAsNonRoot' to true", - "Namespace": "builtin.kubernetes.KSV012", - "Query": "data.builtin.kubernetes.KSV012.deny", - "Resolution": "Set 'containers[].securityContext.runAsNonRoot' to true.", - "Severity": "MEDIUM", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv012", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", - "https://avd.aquasec.com/misconfig/ksv012" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 232, - "EndLine": 255, - "Code": { - "Lines": [ - { - "Number": 232, - "Content": " - name: dashboard", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: dashboard", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 233, - "Content": " image: \"quay.io/devtron/dashboard:075cba2a-136-6172\"", - "IsCause": true, - "Annotation": "", - 
"Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/dashboard:075cba2a-136-6172\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 234, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 235, - "Content": " ports:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mports\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 236, - "Content": " - name: app", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: app", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 237, - "Content": " containerPort: 80", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m80", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 238, - "Content": " protocol: TCP", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mprotocol\u001b[0m: TCP", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 239, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 240, - "Content": " - name: CONFIG_HASH", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: CONFIG_HASH", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 241, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": 
"KSV012", - "AVDID": "AVD-KSV-0012", - "Title": "Runs as root user", - "Description": "Force the running image to run as a non-root user to ensure least privileges.", - "Message": "Container 'envoy' of Deployment 'dashboard' should set 'securityContext.runAsNonRoot' to true", - "Namespace": "builtin.kubernetes.KSV012", - "Query": "data.builtin.kubernetes.KSV012.deny", - "Resolution": "Set 'containers[].securityContext.runAsNonRoot' to true.", - "Severity": "MEDIUM", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv012", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", - "https://avd.aquasec.com/misconfig/ksv012" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 218, - "EndLine": 231, - "Code": { - "Lines": [ - { - "Number": 218, - "Content": " - name: envoy", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: envoy", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 219, - "Content": " image: \"quay.io/devtron/envoy:v1.14.1\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/envoy:v1.14.1\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 220, - "Content": " ports:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mports\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 221, - "Content": " - containerPort: 9901", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m9901", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 222, - "Content": " protocol: TCP", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m 
\u001b[38;5;33mprotocol\u001b[0m: TCP", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 223, - "Content": " name: envoy-admin", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mname\u001b[0m: envoy-admin", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 224, - "Content": " - name: app", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: app", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 225, - "Content": " containerPort: 8790", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m8790", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 226, - "Content": " protocol: TCP", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mprotocol\u001b[0m: TCP", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 227, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV014", - "AVDID": "AVD-KSV-0014", - "Title": "Root file system is not read-only", - "Description": "An immutable root file system prevents applications from writing to their local disk. 
This can limit intrusions, as attackers will not be able to tamper with the file system or write foreign executables to disk.", - "Message": "Container 'dashboard' of Deployment 'dashboard' should set 'securityContext.readOnlyRootFilesystem' to true", - "Namespace": "builtin.kubernetes.KSV014", - "Query": "data.builtin.kubernetes.KSV014.deny", - "Resolution": "Change 'containers[].securityContext.readOnlyRootFilesystem' to 'true'.", - "Severity": "HIGH", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv014", - "References": [ - "https://kubesec.io/basics/containers-securitycontext-readonlyrootfilesystem-true/", - "https://avd.aquasec.com/misconfig/ksv014" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 232, - "EndLine": 255, - "Code": { - "Lines": [ - { - "Number": 232, - "Content": " - name: dashboard", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: dashboard", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 233, - "Content": " image: \"quay.io/devtron/dashboard:075cba2a-136-6172\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/dashboard:075cba2a-136-6172\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 234, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 235, - "Content": " ports:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mports\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 236, - "Content": " - name: app", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - 
\u001b[38;5;33mname\u001b[0m: app", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 237, - "Content": " containerPort: 80", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m80", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 238, - "Content": " protocol: TCP", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mprotocol\u001b[0m: TCP", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 239, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 240, - "Content": " - name: CONFIG_HASH", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: CONFIG_HASH", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 241, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV014", - "AVDID": "AVD-KSV-0014", - "Title": "Root file system is not read-only", - "Description": "An immutable root file system prevents applications from writing to their local disk. 
This can limit intrusions, as attackers will not be able to tamper with the file system or write foreign executables to disk.", - "Message": "Container 'envoy' of Deployment 'dashboard' should set 'securityContext.readOnlyRootFilesystem' to true", - "Namespace": "builtin.kubernetes.KSV014", - "Query": "data.builtin.kubernetes.KSV014.deny", - "Resolution": "Change 'containers[].securityContext.readOnlyRootFilesystem' to 'true'.", - "Severity": "HIGH", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv014", - "References": [ - "https://kubesec.io/basics/containers-securitycontext-readonlyrootfilesystem-true/", - "https://avd.aquasec.com/misconfig/ksv014" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 218, - "EndLine": 231, - "Code": { - "Lines": [ - { - "Number": 218, - "Content": " - name: envoy", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: envoy", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 219, - "Content": " image: \"quay.io/devtron/envoy:v1.14.1\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/envoy:v1.14.1\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 220, - "Content": " ports:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mports\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 221, - "Content": " - containerPort: 9901", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m9901", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 222, - "Content": " protocol: TCP", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mprotocol\u001b[0m: TCP", 
- "FirstCause": false, - "LastCause": false - }, - { - "Number": 223, - "Content": " name: envoy-admin", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mname\u001b[0m: envoy-admin", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 224, - "Content": " - name: app", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: app", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 225, - "Content": " containerPort: 8790", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m8790", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 226, - "Content": " protocol: TCP", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mprotocol\u001b[0m: TCP", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 227, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV015", - "AVDID": "AVD-KSV-0015", - "Title": "CPU requests not specified", - "Description": "When containers have resource requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", - "Message": "Container 'dashboard' of Deployment 'dashboard' should set 'resources.requests.cpu'", - "Namespace": "builtin.kubernetes.KSV015", - "Query": "data.builtin.kubernetes.KSV015.deny", - "Resolution": "Set 'containers[].resources.requests.cpu'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv015", - "References": [ - "https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", - "https://avd.aquasec.com/misconfig/ksv015" - ], - "Status": "FAIL", 
- "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 232, - "EndLine": 255, - "Code": { - "Lines": [ - { - "Number": 232, - "Content": " - name: dashboard", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: dashboard", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 233, - "Content": " image: \"quay.io/devtron/dashboard:075cba2a-136-6172\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/dashboard:075cba2a-136-6172\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 234, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 235, - "Content": " ports:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mports\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 236, - "Content": " - name: app", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: app", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 237, - "Content": " containerPort: 80", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m80", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 238, - "Content": " protocol: TCP", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mprotocol\u001b[0m: TCP", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 239, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " 
\u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 240, - "Content": " - name: CONFIG_HASH", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: CONFIG_HASH", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 241, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV015", - "AVDID": "AVD-KSV-0015", - "Title": "CPU requests not specified", - "Description": "When containers have resource requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", - "Message": "Container 'envoy' of Deployment 'dashboard' should set 'resources.requests.cpu'", - "Namespace": "builtin.kubernetes.KSV015", - "Query": "data.builtin.kubernetes.KSV015.deny", - "Resolution": "Set 'containers[].resources.requests.cpu'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv015", - "References": [ - "https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", - "https://avd.aquasec.com/misconfig/ksv015" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 218, - "EndLine": 231, - "Code": { - "Lines": [ - { - "Number": 218, - "Content": " - name: envoy", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: envoy", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 219, - "Content": " image: \"quay.io/devtron/envoy:v1.14.1\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/envoy:v1.14.1\"", - "FirstCause": false, - "LastCause": false - }, - { 
- "Number": 220, - "Content": " ports:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mports\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 221, - "Content": " - containerPort: 9901", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m9901", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 222, - "Content": " protocol: TCP", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mprotocol\u001b[0m: TCP", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 223, - "Content": " name: envoy-admin", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mname\u001b[0m: envoy-admin", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 224, - "Content": " - name: app", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: app", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 225, - "Content": " containerPort: 8790", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m8790", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 226, - "Content": " protocol: TCP", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mprotocol\u001b[0m: TCP", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 227, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV016", - "AVDID": "AVD-KSV-0016", - "Title": "Memory requests not specified", - "Description": "When containers have memory requests specified, the scheduler can 
make better decisions about which nodes to place pods on, and how to deal with resource contention.", - "Message": "Container 'dashboard' of Deployment 'dashboard' should set 'resources.requests.memory'", - "Namespace": "builtin.kubernetes.KSV016", - "Query": "data.builtin.kubernetes.KSV016.deny", - "Resolution": "Set 'containers[].resources.requests.memory'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv016", - "References": [ - "https://kubesec.io/basics/containers-resources-limits-memory/", - "https://avd.aquasec.com/misconfig/ksv016" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 232, - "EndLine": 255, - "Code": { - "Lines": [ - { - "Number": 232, - "Content": " - name: dashboard", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: dashboard", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 233, - "Content": " image: \"quay.io/devtron/dashboard:075cba2a-136-6172\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/dashboard:075cba2a-136-6172\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 234, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 235, - "Content": " ports:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mports\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 236, - "Content": " - name: app", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: app", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 
237, - "Content": " containerPort: 80", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m80", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 238, - "Content": " protocol: TCP", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mprotocol\u001b[0m: TCP", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 239, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 240, - "Content": " - name: CONFIG_HASH", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: CONFIG_HASH", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 241, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV016", - "AVDID": "AVD-KSV-0016", - "Title": "Memory requests not specified", - "Description": "When containers have memory requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", - "Message": "Container 'envoy' of Deployment 'dashboard' should set 'resources.requests.memory'", - "Namespace": "builtin.kubernetes.KSV016", - "Query": "data.builtin.kubernetes.KSV016.deny", - "Resolution": "Set 'containers[].resources.requests.memory'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv016", - "References": [ - "https://kubesec.io/basics/containers-resources-limits-memory/", - "https://avd.aquasec.com/misconfig/ksv016" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 218, - "EndLine": 231, - 
"Code": { - "Lines": [ - { - "Number": 218, - "Content": " - name: envoy", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: envoy", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 219, - "Content": " image: \"quay.io/devtron/envoy:v1.14.1\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/envoy:v1.14.1\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 220, - "Content": " ports:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mports\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 221, - "Content": " - containerPort: 9901", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m9901", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 222, - "Content": " protocol: TCP", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mprotocol\u001b[0m: TCP", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 223, - "Content": " name: envoy-admin", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mname\u001b[0m: envoy-admin", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 224, - "Content": " - name: app", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: app", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 225, - "Content": " containerPort: 8790", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m8790", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 226, - "Content": " protocol: TCP", - "IsCause": true, - 
"Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mprotocol\u001b[0m: TCP", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 227, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV018", - "AVDID": "AVD-KSV-0018", - "Title": "Memory not limited", - "Description": "Enforcing memory limits prevents DoS via resource exhaustion.", - "Message": "Container 'dashboard' of Deployment 'dashboard' should set 'resources.limits.memory'", - "Namespace": "builtin.kubernetes.KSV018", - "Query": "data.builtin.kubernetes.KSV018.deny", - "Resolution": "Set a limit value under 'containers[].resources.limits.memory'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv018", - "References": [ - "https://kubesec.io/basics/containers-resources-limits-memory/", - "https://avd.aquasec.com/misconfig/ksv018" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 232, - "EndLine": 255, - "Code": { - "Lines": [ - { - "Number": 232, - "Content": " - name: dashboard", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: dashboard", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 233, - "Content": " image: \"quay.io/devtron/dashboard:075cba2a-136-6172\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/dashboard:075cba2a-136-6172\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 234, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { 
- "Number": 235, - "Content": " ports:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mports\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 236, - "Content": " - name: app", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: app", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 237, - "Content": " containerPort: 80", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m80", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 238, - "Content": " protocol: TCP", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mprotocol\u001b[0m: TCP", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 239, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 240, - "Content": " - name: CONFIG_HASH", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: CONFIG_HASH", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 241, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV018", - "AVDID": "AVD-KSV-0018", - "Title": "Memory not limited", - "Description": "Enforcing memory limits prevents DoS via resource exhaustion.", - "Message": "Container 'envoy' of Deployment 'dashboard' should set 'resources.limits.memory'", - "Namespace": "builtin.kubernetes.KSV018", - "Query": "data.builtin.kubernetes.KSV018.deny", - "Resolution": "Set a limit value under 'containers[].resources.limits.memory'.", - "Severity": "LOW", - 
"PrimaryURL": "https://avd.aquasec.com/misconfig/ksv018", - "References": [ - "https://kubesec.io/basics/containers-resources-limits-memory/", - "https://avd.aquasec.com/misconfig/ksv018" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 218, - "EndLine": 231, - "Code": { - "Lines": [ - { - "Number": 218, - "Content": " - name: envoy", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: envoy", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 219, - "Content": " image: \"quay.io/devtron/envoy:v1.14.1\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/envoy:v1.14.1\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 220, - "Content": " ports:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mports\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 221, - "Content": " - containerPort: 9901", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m9901", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 222, - "Content": " protocol: TCP", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mprotocol\u001b[0m: TCP", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 223, - "Content": " name: envoy-admin", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mname\u001b[0m: envoy-admin", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 224, - "Content": " - name: app", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: app", - "FirstCause": false, - 
"LastCause": false - }, - { - "Number": 225, - "Content": " containerPort: 8790", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m8790", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 226, - "Content": " protocol: TCP", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mprotocol\u001b[0m: TCP", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 227, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV020", - "AVDID": "AVD-KSV-0020", - "Title": "Runs with UID \u003c= 10000", - "Description": "Force the container to run with user ID \u003e 10000 to avoid conflicts with the host’s user table.", - "Message": "Container 'dashboard' of Deployment 'dashboard' should set 'securityContext.runAsUser' \u003e 10000", - "Namespace": "builtin.kubernetes.KSV020", - "Query": "data.builtin.kubernetes.KSV020.deny", - "Resolution": "Set 'containers[].securityContext.runAsUser' to an integer \u003e 10000.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv020", - "References": [ - "https://kubesec.io/basics/containers-securitycontext-runasuser/", - "https://avd.aquasec.com/misconfig/ksv020" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 232, - "EndLine": 255, - "Code": { - "Lines": [ - { - "Number": 232, - "Content": " - name: dashboard", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: dashboard", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 233, - "Content": " image: \"quay.io/devtron/dashboard:075cba2a-136-6172\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - 
"Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/dashboard:075cba2a-136-6172\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 234, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 235, - "Content": " ports:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mports\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 236, - "Content": " - name: app", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: app", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 237, - "Content": " containerPort: 80", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m80", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 238, - "Content": " protocol: TCP", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mprotocol\u001b[0m: TCP", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 239, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 240, - "Content": " - name: CONFIG_HASH", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: CONFIG_HASH", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 241, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV020", - "AVDID": 
"AVD-KSV-0020", - "Title": "Runs with UID \u003c= 10000", - "Description": "Force the container to run with user ID \u003e 10000 to avoid conflicts with the host’s user table.", - "Message": "Container 'envoy' of Deployment 'dashboard' should set 'securityContext.runAsUser' \u003e 10000", - "Namespace": "builtin.kubernetes.KSV020", - "Query": "data.builtin.kubernetes.KSV020.deny", - "Resolution": "Set 'containers[].securityContext.runAsUser' to an integer \u003e 10000.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv020", - "References": [ - "https://kubesec.io/basics/containers-securitycontext-runasuser/", - "https://avd.aquasec.com/misconfig/ksv020" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 218, - "EndLine": 231, - "Code": { - "Lines": [ - { - "Number": 218, - "Content": " - name: envoy", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: envoy", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 219, - "Content": " image: \"quay.io/devtron/envoy:v1.14.1\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/envoy:v1.14.1\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 220, - "Content": " ports:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mports\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 221, - "Content": " - containerPort: 9901", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m9901", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 222, - "Content": " protocol: TCP", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m 
\u001b[38;5;33mprotocol\u001b[0m: TCP", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 223, - "Content": " name: envoy-admin", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mname\u001b[0m: envoy-admin", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 224, - "Content": " - name: app", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: app", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 225, - "Content": " containerPort: 8790", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m8790", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 226, - "Content": " protocol: TCP", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mprotocol\u001b[0m: TCP", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 227, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV021", - "AVDID": "AVD-KSV-0021", - "Title": "Runs with GID \u003c= 10000", - "Description": "Force the container to run with group ID \u003e 10000 to avoid conflicts with the host’s user table.", - "Message": "Container 'dashboard' of Deployment 'dashboard' should set 'securityContext.runAsGroup' \u003e 10000", - "Namespace": "builtin.kubernetes.KSV021", - "Query": "data.builtin.kubernetes.KSV021.deny", - "Resolution": "Set 'containers[].securityContext.runAsGroup' to an integer \u003e 10000.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv021", - "References": [ - "https://kubesec.io/basics/containers-securitycontext-runasuser/", - "https://avd.aquasec.com/misconfig/ksv021" - ], - "Status": "FAIL", - "Layer": {}, - 
"CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 232, - "EndLine": 255, - "Code": { - "Lines": [ - { - "Number": 232, - "Content": " - name: dashboard", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: dashboard", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 233, - "Content": " image: \"quay.io/devtron/dashboard:075cba2a-136-6172\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/dashboard:075cba2a-136-6172\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 234, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 235, - "Content": " ports:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mports\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 236, - "Content": " - name: app", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: app", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 237, - "Content": " containerPort: 80", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m80", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 238, - "Content": " protocol: TCP", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mprotocol\u001b[0m: TCP", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 239, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33menv\u001b[0m:", - 
"FirstCause": false, - "LastCause": false - }, - { - "Number": 240, - "Content": " - name: CONFIG_HASH", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: CONFIG_HASH", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 241, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV021", - "AVDID": "AVD-KSV-0021", - "Title": "Runs with GID \u003c= 10000", - "Description": "Force the container to run with group ID \u003e 10000 to avoid conflicts with the host’s user table.", - "Message": "Container 'envoy' of Deployment 'dashboard' should set 'securityContext.runAsGroup' \u003e 10000", - "Namespace": "builtin.kubernetes.KSV021", - "Query": "data.builtin.kubernetes.KSV021.deny", - "Resolution": "Set 'containers[].securityContext.runAsGroup' to an integer \u003e 10000.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv021", - "References": [ - "https://kubesec.io/basics/containers-securitycontext-runasuser/", - "https://avd.aquasec.com/misconfig/ksv021" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 218, - "EndLine": 231, - "Code": { - "Lines": [ - { - "Number": 218, - "Content": " - name: envoy", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: envoy", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 219, - "Content": " image: \"quay.io/devtron/envoy:v1.14.1\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/envoy:v1.14.1\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 220, - "Content": " ports:", - "IsCause": true, - "Annotation": "", - "Truncated": false, 
- "Highlighted": "\u001b[0m \u001b[38;5;33mports\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 221, - "Content": " - containerPort: 9901", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m9901", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 222, - "Content": " protocol: TCP", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mprotocol\u001b[0m: TCP", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 223, - "Content": " name: envoy-admin", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mname\u001b[0m: envoy-admin", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 224, - "Content": " - name: app", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: app", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 225, - "Content": " containerPort: 8790", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m8790", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 226, - "Content": " protocol: TCP", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mprotocol\u001b[0m: TCP", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 227, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV030", - "AVDID": "AVD-KSV-0030", - "Title": "Runtime/Default Seccomp profile not set", - "Description": "According to pod security standard 'Seccomp', the RuntimeDefault seccomp profile must be required, or allow specific additional profiles.", - "Message": "Either 
Pod or Container should set 'securityContext.seccompProfile.type' to 'RuntimeDefault'", - "Namespace": "builtin.kubernetes.KSV030", - "Query": "data.builtin.kubernetes.KSV030.deny", - "Resolution": "Set 'spec.securityContext.seccompProfile.type', 'spec.containers[*].securityContext.seccompProfile' and 'spec.initContainers[*].securityContext.seccompProfile' to 'RuntimeDefault' or undefined.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv030", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", - "https://avd.aquasec.com/misconfig/ksv030" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 218, - "EndLine": 231, - "Code": { - "Lines": [ - { - "Number": 218, - "Content": " - name: envoy", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: envoy", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 219, - "Content": " image: \"quay.io/devtron/envoy:v1.14.1\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/envoy:v1.14.1\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 220, - "Content": " ports:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mports\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 221, - "Content": " - containerPort: 9901", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m9901", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 222, - "Content": " protocol: TCP", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mprotocol\u001b[0m: TCP", - "FirstCause": false, - "LastCause": 
false - }, - { - "Number": 223, - "Content": " name: envoy-admin", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mname\u001b[0m: envoy-admin", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 224, - "Content": " - name: app", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: app", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 225, - "Content": " containerPort: 8790", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m8790", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 226, - "Content": " protocol: TCP", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mprotocol\u001b[0m: TCP", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 227, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV030", - "AVDID": "AVD-KSV-0030", - "Title": "Runtime/Default Seccomp profile not set", - "Description": "According to pod security standard 'Seccomp', the RuntimeDefault seccomp profile must be required, or allow specific additional profiles.", - "Message": "Either Pod or Container should set 'securityContext.seccompProfile.type' to 'RuntimeDefault'", - "Namespace": "builtin.kubernetes.KSV030", - "Query": "data.builtin.kubernetes.KSV030.deny", - "Resolution": "Set 'spec.securityContext.seccompProfile.type', 'spec.containers[*].securityContext.seccompProfile' and 'spec.initContainers[*].securityContext.seccompProfile' to 'RuntimeDefault' or undefined.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv030", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", - 
"https://avd.aquasec.com/misconfig/ksv030" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 232, - "EndLine": 255, - "Code": { - "Lines": [ - { - "Number": 232, - "Content": " - name: dashboard", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: dashboard", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 233, - "Content": " image: \"quay.io/devtron/dashboard:075cba2a-136-6172\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/dashboard:075cba2a-136-6172\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 234, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 235, - "Content": " ports:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mports\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 236, - "Content": " - name: app", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: app", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 237, - "Content": " containerPort: 80", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m80", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 238, - "Content": " protocol: TCP", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mprotocol\u001b[0m: TCP", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 239, - "Content": " env:", - "IsCause": true, - 
"Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 240, - "Content": " - name: CONFIG_HASH", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: CONFIG_HASH", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 241, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "AVD-KSV-01010", - "AVDID": "AVD-KSV-01010", - "Title": "ConfigMap with sensitive content", - "Description": "Storing sensitive content such as usernames and email addresses in configMaps is unsafe", - "Message": "ConfigMap 'dashboard-cm' in 'default' namespace stores sensitive contents in key(s) or value(s) '{\"SENTRY_ENV\"}'", - "Namespace": "builtin.kubernetes.KSV01010", - "Query": "data.builtin.kubernetes.KSV01010.deny", - "Resolution": "Remove sensitive content from configMap data value", - "Severity": "MEDIUM", - "PrimaryURL": "https://avd.aquasec.com/misconfig/avd-ksv-01010", - "References": [ - "https://avd.aquasec.com/misconfig/avd-ksv-01010" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 10, - "EndLine": 10, - "Code": { - "Lines": [ - { - "Number": 10, - "Content": "---", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "---", - "FirstCause": true, - "LastCause": true - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV104", - "AVDID": "AVD-KSV-0104", - "Title": "Seccomp policies disabled", - "Description": "A program inside the container can bypass Seccomp protection policies.", - "Message": "container \"dashboard\" of deployment \"dashboard\" in \"default\" namespace should specify a seccomp profile", - "Namespace": "builtin.kubernetes.KSV104", - 
"Query": "data.builtin.kubernetes.KSV104.deny", - "Resolution": "Specify seccomp either by annotation or by seccomp profile type having allowed values as per pod security standards", - "Severity": "MEDIUM", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv104", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline", - "https://avd.aquasec.com/misconfig/ksv104" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 192, - "EndLine": 192, - "Code": { - "Lines": [ - { - "Number": 192, - "Content": "---", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "---", - "FirstCause": true, - "LastCause": true - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV104", - "AVDID": "AVD-KSV-0104", - "Title": "Seccomp policies disabled", - "Description": "A program inside the container can bypass Seccomp protection policies.", - "Message": "container \"envoy\" of deployment \"dashboard\" in \"default\" namespace should specify a seccomp profile", - "Namespace": "builtin.kubernetes.KSV104", - "Query": "data.builtin.kubernetes.KSV104.deny", - "Resolution": "Specify seccomp either by annotation or by seccomp profile type having allowed values as per pod security standards", - "Severity": "MEDIUM", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv104", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline", - "https://avd.aquasec.com/misconfig/ksv104" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 192, - "EndLine": 192, - "Code": { - "Lines": [ - { - "Number": 192, - "Content": "---", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "---", - "FirstCause": true, - "LastCause": true - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": 
"KSV106", - "AVDID": "AVD-KSV-0106", - "Title": "Container capabilities must only include NET_BIND_SERVICE", - "Description": "Containers must drop ALL capabilities, and are only permitted to add back the NET_BIND_SERVICE capability.", - "Message": "container should drop all", - "Namespace": "builtin.kubernetes.KSV106", - "Query": "data.builtin.kubernetes.KSV106.deny", - "Resolution": "Set 'spec.containers[*].securityContext.capabilities.drop' to 'ALL' and only add 'NET_BIND_SERVICE' to 'spec.containers[*].securityContext.capabilities.add'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv106", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", - "https://avd.aquasec.com/misconfig/ksv106" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 218, - "EndLine": 231, - "Code": { - "Lines": [ - { - "Number": 218, - "Content": " - name: envoy", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: envoy", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 219, - "Content": " image: \"quay.io/devtron/envoy:v1.14.1\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/envoy:v1.14.1\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 220, - "Content": " ports:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mports\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 221, - "Content": " - containerPort: 9901", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m9901", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 222, - "Content": " protocol: TCP", - "IsCause": 
true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mprotocol\u001b[0m: TCP", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 223, - "Content": " name: envoy-admin", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mname\u001b[0m: envoy-admin", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 224, - "Content": " - name: app", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: app", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 225, - "Content": " containerPort: 8790", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m8790", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 226, - "Content": " protocol: TCP", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mprotocol\u001b[0m: TCP", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 227, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV106", - "AVDID": "AVD-KSV-0106", - "Title": "Container capabilities must only include NET_BIND_SERVICE", - "Description": "Containers must drop ALL capabilities, and are only permitted to add back the NET_BIND_SERVICE capability.", - "Message": "container should drop all", - "Namespace": "builtin.kubernetes.KSV106", - "Query": "data.builtin.kubernetes.KSV106.deny", - "Resolution": "Set 'spec.containers[*].securityContext.capabilities.drop' to 'ALL' and only add 'NET_BIND_SERVICE' to 'spec.containers[*].securityContext.capabilities.add'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv106", - "References": [ - 
"https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", - "https://avd.aquasec.com/misconfig/ksv106" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 232, - "EndLine": 255, - "Code": { - "Lines": [ - { - "Number": 232, - "Content": " - name: dashboard", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: dashboard", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 233, - "Content": " image: \"quay.io/devtron/dashboard:075cba2a-136-6172\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/dashboard:075cba2a-136-6172\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 234, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 235, - "Content": " ports:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mports\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 236, - "Content": " - name: app", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: app", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 237, - "Content": " containerPort: 80", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m80", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 238, - "Content": " protocol: TCP", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mprotocol\u001b[0m: TCP", - "FirstCause": false, - "LastCause": 
false - }, - { - "Number": 239, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 240, - "Content": " - name: CONFIG_HASH", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: CONFIG_HASH", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 241, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV117", - "AVDID": "AVD-KSV-0117", - "Title": "Prevent binding to privileged ports", - "Description": "The ports which are lower than 1024 receive and transmit various sensitive and privileged data. Allowing containers to use them can bring serious implications.", - "Message": "deployment dashboard in default namespace should not set spec.template.spec.containers.ports.containerPort to less than 1024", - "Namespace": "builtin.kubernetes.KSV117", - "Query": "data.builtin.kubernetes.KSV117.deny", - "Resolution": "Do not map the container ports to privileged host ports when starting a container.", - "Severity": "HIGH", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv117", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/", - "https://avd.aquasec.com/misconfig/ksv117" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 192, - "EndLine": 192, - "Code": { - "Lines": [ - { - "Number": 192, - "Content": "---", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "---", - "FirstCause": true, - "LastCause": true - } - ] - } - } - } - ] - }, - { - "Target": "manifests/hyperion/devtron.yaml", - "Class": "config", - "Type": "kubernetes", - "MisconfSummary": { - "Successes": 153, - 
"Failures": 14, - "Exceptions": 0 - }, - "Misconfigurations": [ - { - "Type": "Kubernetes Security Check", - "ID": "KSV001", - "AVDID": "AVD-KSV-0001", - "Title": "Can elevate its own privileges", - "Description": "A program inside the container can elevate its own privileges and run as root, which might give the program control over the container and node.", - "Message": "Container 'devtron' of Deployment 'devtron' should set 'securityContext.allowPrivilegeEscalation' to false", - "Namespace": "builtin.kubernetes.KSV001", - "Query": "data.builtin.kubernetes.KSV001.deny", - "Resolution": "Set 'set containers[].securityContext.allowPrivilegeEscalation' to 'false'.", - "Severity": "MEDIUM", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv001", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", - "https://avd.aquasec.com/misconfig/ksv001" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 155, - "EndLine": 180, - "Code": { - "Lines": [ - { - "Number": 155, - "Content": " - name: devtron", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: devtron", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 156, - "Content": " image: \"quay.io/devtron/devtron:52693bde-146-6171\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/devtron:52693bde-146-6171\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 157, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 158, - "Content": " ports:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - 
"Highlighted": " \u001b[38;5;33mports\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 159, - "Content": " - name: devtron", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: devtron", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 160, - "Content": " containerPort: 8080", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m8080", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 161, - "Content": " protocol: TCP", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mprotocol\u001b[0m: TCP", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 162, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 163, - "Content": " - name: CONFIG_HASH", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: CONFIG_HASH", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 164, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV003", - "AVDID": "AVD-KSV-0003", - "Title": "Default capabilities: some containers do not drop all", - "Description": "The container should drop all default capabilities and add only those that are needed for its execution.", - "Message": "Container 'devtron' of Deployment 'devtron' should add 'ALL' to 'securityContext.capabilities.drop'", - "Namespace": "builtin.kubernetes.KSV003", - "Query": "data.builtin.kubernetes.KSV003.deny", - "Resolution": "Add 'ALL' to containers[].securityContext.capabilities.drop.", - "Severity": "LOW", - 
"PrimaryURL": "https://avd.aquasec.com/misconfig/ksv003", - "References": [ - "https://kubesec.io/basics/containers-securitycontext-capabilities-drop-index-all/", - "https://avd.aquasec.com/misconfig/ksv003" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 155, - "EndLine": 180, - "Code": { - "Lines": [ - { - "Number": 155, - "Content": " - name: devtron", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: devtron", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 156, - "Content": " image: \"quay.io/devtron/devtron:52693bde-146-6171\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/devtron:52693bde-146-6171\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 157, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 158, - "Content": " ports:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mports\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 159, - "Content": " - name: devtron", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: devtron", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 160, - "Content": " containerPort: 8080", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m8080", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 161, - "Content": " protocol: TCP", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": 
"\u001b[0m \u001b[38;5;33mprotocol\u001b[0m: TCP", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 162, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 163, - "Content": " - name: CONFIG_HASH", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: CONFIG_HASH", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 164, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV011", - "AVDID": "AVD-KSV-0011", - "Title": "CPU not limited", - "Description": "Enforcing CPU limits prevents DoS via resource exhaustion.", - "Message": "Container 'devtron' of Deployment 'devtron' should set 'resources.limits.cpu'", - "Namespace": "builtin.kubernetes.KSV011", - "Query": "data.builtin.kubernetes.KSV011.deny", - "Resolution": "Set a limit value under 'containers[].resources.limits.cpu'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv011", - "References": [ - "https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", - "https://avd.aquasec.com/misconfig/ksv011" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 155, - "EndLine": 180, - "Code": { - "Lines": [ - { - "Number": 155, - "Content": " - name: devtron", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: devtron", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 156, - "Content": " image: \"quay.io/devtron/devtron:52693bde-146-6171\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " 
\u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/devtron:52693bde-146-6171\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 157, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 158, - "Content": " ports:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mports\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 159, - "Content": " - name: devtron", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: devtron", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 160, - "Content": " containerPort: 8080", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m8080", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 161, - "Content": " protocol: TCP", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mprotocol\u001b[0m: TCP", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 162, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 163, - "Content": " - name: CONFIG_HASH", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: CONFIG_HASH", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 164, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV012", - "AVDID": 
"AVD-KSV-0012", - "Title": "Runs as root user", - "Description": "Force the running image to run as a non-root user to ensure least privileges.", - "Message": "Container 'devtron' of Deployment 'devtron' should set 'securityContext.runAsNonRoot' to true", - "Namespace": "builtin.kubernetes.KSV012", - "Query": "data.builtin.kubernetes.KSV012.deny", - "Resolution": "Set 'containers[].securityContext.runAsNonRoot' to true.", - "Severity": "MEDIUM", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv012", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", - "https://avd.aquasec.com/misconfig/ksv012" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 155, - "EndLine": 180, - "Code": { - "Lines": [ - { - "Number": 155, - "Content": " - name: devtron", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: devtron", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 156, - "Content": " image: \"quay.io/devtron/devtron:52693bde-146-6171\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/devtron:52693bde-146-6171\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 157, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 158, - "Content": " ports:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mports\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 159, - "Content": " - name: devtron", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - 
\u001b[38;5;33mname\u001b[0m: devtron", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 160, - "Content": " containerPort: 8080", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m8080", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 161, - "Content": " protocol: TCP", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mprotocol\u001b[0m: TCP", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 162, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 163, - "Content": " - name: CONFIG_HASH", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: CONFIG_HASH", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 164, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV014", - "AVDID": "AVD-KSV-0014", - "Title": "Root file system is not read-only", - "Description": "An immutable root file system prevents applications from writing to their local disk. 
This can limit intrusions, as attackers will not be able to tamper with the file system or write foreign executables to disk.", - "Message": "Container 'devtron' of Deployment 'devtron' should set 'securityContext.readOnlyRootFilesystem' to true", - "Namespace": "builtin.kubernetes.KSV014", - "Query": "data.builtin.kubernetes.KSV014.deny", - "Resolution": "Change 'containers[].securityContext.readOnlyRootFilesystem' to 'true'.", - "Severity": "HIGH", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv014", - "References": [ - "https://kubesec.io/basics/containers-securitycontext-readonlyrootfilesystem-true/", - "https://avd.aquasec.com/misconfig/ksv014" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 155, - "EndLine": 180, - "Code": { - "Lines": [ - { - "Number": 155, - "Content": " - name: devtron", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: devtron", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 156, - "Content": " image: \"quay.io/devtron/devtron:52693bde-146-6171\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/devtron:52693bde-146-6171\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 157, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 158, - "Content": " ports:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mports\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 159, - "Content": " - name: devtron", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - 
\u001b[38;5;33mname\u001b[0m: devtron", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 160, - "Content": " containerPort: 8080", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m8080", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 161, - "Content": " protocol: TCP", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mprotocol\u001b[0m: TCP", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 162, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 163, - "Content": " - name: CONFIG_HASH", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: CONFIG_HASH", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 164, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV015", - "AVDID": "AVD-KSV-0015", - "Title": "CPU requests not specified", - "Description": "When containers have resource requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", - "Message": "Container 'devtron' of Deployment 'devtron' should set 'resources.requests.cpu'", - "Namespace": "builtin.kubernetes.KSV015", - "Query": "data.builtin.kubernetes.KSV015.deny", - "Resolution": "Set 'containers[].resources.requests.cpu'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv015", - "References": [ - "https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", - "https://avd.aquasec.com/misconfig/ksv015" 
- ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 155, - "EndLine": 180, - "Code": { - "Lines": [ - { - "Number": 155, - "Content": " - name: devtron", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: devtron", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 156, - "Content": " image: \"quay.io/devtron/devtron:52693bde-146-6171\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/devtron:52693bde-146-6171\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 157, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 158, - "Content": " ports:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mports\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 159, - "Content": " - name: devtron", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: devtron", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 160, - "Content": " containerPort: 8080", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m8080", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 161, - "Content": " protocol: TCP", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mprotocol\u001b[0m: TCP", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 162, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - 
"Highlighted": " \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 163, - "Content": " - name: CONFIG_HASH", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: CONFIG_HASH", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 164, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV016", - "AVDID": "AVD-KSV-0016", - "Title": "Memory requests not specified", - "Description": "When containers have memory requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", - "Message": "Container 'devtron' of Deployment 'devtron' should set 'resources.requests.memory'", - "Namespace": "builtin.kubernetes.KSV016", - "Query": "data.builtin.kubernetes.KSV016.deny", - "Resolution": "Set 'containers[].resources.requests.memory'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv016", - "References": [ - "https://kubesec.io/basics/containers-resources-limits-memory/", - "https://avd.aquasec.com/misconfig/ksv016" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 155, - "EndLine": 180, - "Code": { - "Lines": [ - { - "Number": 155, - "Content": " - name: devtron", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: devtron", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 156, - "Content": " image: \"quay.io/devtron/devtron:52693bde-146-6171\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/devtron:52693bde-146-6171\"", - "FirstCause": false, - "LastCause": false - }, - { - 
"Number": 157, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 158, - "Content": " ports:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mports\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 159, - "Content": " - name: devtron", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: devtron", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 160, - "Content": " containerPort: 8080", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m8080", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 161, - "Content": " protocol: TCP", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mprotocol\u001b[0m: TCP", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 162, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 163, - "Content": " - name: CONFIG_HASH", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: CONFIG_HASH", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 164, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV018", - "AVDID": "AVD-KSV-0018", - "Title": "Memory not limited", - "Description": "Enforcing memory limits prevents DoS via resource exhaustion.", - "Message": "Container 
'devtron' of Deployment 'devtron' should set 'resources.limits.memory'", - "Namespace": "builtin.kubernetes.KSV018", - "Query": "data.builtin.kubernetes.KSV018.deny", - "Resolution": "Set a limit value under 'containers[].resources.limits.memory'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv018", - "References": [ - "https://kubesec.io/basics/containers-resources-limits-memory/", - "https://avd.aquasec.com/misconfig/ksv018" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 155, - "EndLine": 180, - "Code": { - "Lines": [ - { - "Number": 155, - "Content": " - name: devtron", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: devtron", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 156, - "Content": " image: \"quay.io/devtron/devtron:52693bde-146-6171\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/devtron:52693bde-146-6171\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 157, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 158, - "Content": " ports:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mports\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 159, - "Content": " - name: devtron", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: devtron", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 160, - "Content": " containerPort: 8080", - "IsCause": true, - "Annotation": "", - "Truncated": false, - 
"Highlighted": " \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m8080", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 161, - "Content": " protocol: TCP", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mprotocol\u001b[0m: TCP", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 162, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 163, - "Content": " - name: CONFIG_HASH", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: CONFIG_HASH", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 164, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV020", - "AVDID": "AVD-KSV-0020", - "Title": "Runs with UID \u003c= 10000", - "Description": "Force the container to run with user ID \u003e 10000 to avoid conflicts with the host’s user table.", - "Message": "Container 'devtron' of Deployment 'devtron' should set 'securityContext.runAsUser' \u003e 10000", - "Namespace": "builtin.kubernetes.KSV020", - "Query": "data.builtin.kubernetes.KSV020.deny", - "Resolution": "Set 'containers[].securityContext.runAsUser' to an integer \u003e 10000.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv020", - "References": [ - "https://kubesec.io/basics/containers-securitycontext-runasuser/", - "https://avd.aquasec.com/misconfig/ksv020" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 155, - "EndLine": 180, - "Code": { - "Lines": [ - { - "Number": 155, - "Content": " - name: devtron", - "IsCause": true, - "Annotation": "", - 
"Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: devtron", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 156, - "Content": " image: \"quay.io/devtron/devtron:52693bde-146-6171\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/devtron:52693bde-146-6171\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 157, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 158, - "Content": " ports:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mports\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 159, - "Content": " - name: devtron", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: devtron", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 160, - "Content": " containerPort: 8080", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m8080", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 161, - "Content": " protocol: TCP", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mprotocol\u001b[0m: TCP", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 162, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 163, - "Content": " - name: CONFIG_HASH", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: 
CONFIG_HASH", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 164, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV021", - "AVDID": "AVD-KSV-0021", - "Title": "Runs with GID \u003c= 10000", - "Description": "Force the container to run with group ID \u003e 10000 to avoid conflicts with the host’s user table.", - "Message": "Container 'devtron' of Deployment 'devtron' should set 'securityContext.runAsGroup' \u003e 10000", - "Namespace": "builtin.kubernetes.KSV021", - "Query": "data.builtin.kubernetes.KSV021.deny", - "Resolution": "Set 'containers[].securityContext.runAsGroup' to an integer \u003e 10000.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv021", - "References": [ - "https://kubesec.io/basics/containers-securitycontext-runasuser/", - "https://avd.aquasec.com/misconfig/ksv021" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 155, - "EndLine": 180, - "Code": { - "Lines": [ - { - "Number": 155, - "Content": " - name: devtron", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: devtron", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 156, - "Content": " image: \"quay.io/devtron/devtron:52693bde-146-6171\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/devtron:52693bde-146-6171\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 157, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 158, - "Content": 
" ports:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mports\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 159, - "Content": " - name: devtron", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: devtron", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 160, - "Content": " containerPort: 8080", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m8080", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 161, - "Content": " protocol: TCP", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mprotocol\u001b[0m: TCP", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 162, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 163, - "Content": " - name: CONFIG_HASH", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: CONFIG_HASH", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 164, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV030", - "AVDID": "AVD-KSV-0030", - "Title": "Runtime/Default Seccomp profile not set", - "Description": "According to pod security standard 'Seccomp', the RuntimeDefault seccomp profile must be required, or allow specific additional profiles.", - "Message": "Either Pod or Container should set 'securityContext.seccompProfile.type' to 'RuntimeDefault'", - "Namespace": "builtin.kubernetes.KSV030", - "Query": "data.builtin.kubernetes.KSV030.deny", - "Resolution": "Set 
'spec.securityContext.seccompProfile.type', 'spec.containers[*].securityContext.seccompProfile' and 'spec.initContainers[*].securityContext.seccompProfile' to 'RuntimeDefault' or undefined.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv030", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", - "https://avd.aquasec.com/misconfig/ksv030" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 155, - "EndLine": 180, - "Code": { - "Lines": [ - { - "Number": 155, - "Content": " - name: devtron", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: devtron", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 156, - "Content": " image: \"quay.io/devtron/devtron:52693bde-146-6171\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/devtron:52693bde-146-6171\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 157, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 158, - "Content": " ports:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mports\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 159, - "Content": " - name: devtron", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: devtron", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 160, - "Content": " containerPort: 8080", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " 
\u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m8080", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 161, - "Content": " protocol: TCP", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mprotocol\u001b[0m: TCP", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 162, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 163, - "Content": " - name: CONFIG_HASH", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: CONFIG_HASH", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 164, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "AVD-KSV-01010", - "AVDID": "AVD-KSV-01010", - "Title": "ConfigMap with sensitive content", - "Description": "Storing sensitive content such as usernames and email addresses in configMaps is unsafe", - "Message": "ConfigMap 'devtron-cm' in 'default' namespace stores sensitive contents in key(s) or value(s) '{\"ACD_TIMEOUT\", \"ACD_USERNAME\", \"CACHE_LIMIT\", \"CD_NODE_TAINTS_KEY\", \"CExpirationTime\", \"CI_LOGS_KEY_PREFIX\", \"CI_NODE_TAINTS_KEY\", \"DEFAULT_ARTIFACT_KEY_LOCATION\", \"DEFAULT_BUILD_LOGS_KEY_PREFIX\", \"DEFAULT_CD_ARTIFACT_KEY_LOCATION\", \"DEFAULT_CD_TIMEOUT\", \"DEFAULT_TIMEOUT\", \"DEX_PORT\", \"GIT_SENSOR_TIMEOUT\", \"JwtExpirationTime\", \"LENS_TIMEOUT\", \"MODE\", \"PG_PORT\"}'", - "Namespace": "builtin.kubernetes.KSV01010", - "Query": "data.builtin.kubernetes.KSV01010.deny", - "Resolution": "Remove sensitive content from configMap data value", - "Severity": "MEDIUM", - "PrimaryURL": "https://avd.aquasec.com/misconfig/avd-ksv-01010", - "References": [ - 
"https://avd.aquasec.com/misconfig/avd-ksv-01010" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 9, - "EndLine": 9, - "Code": { - "Lines": [ - { - "Number": 9, - "Content": "---", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "---", - "FirstCause": true, - "LastCause": true - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV104", - "AVDID": "AVD-KSV-0104", - "Title": "Seccomp policies disabled", - "Description": "A program inside the container can bypass Seccomp protection policies.", - "Message": "container \"devtron\" of deployment \"devtron\" in \"default\" namespace should specify a seccomp profile", - "Namespace": "builtin.kubernetes.KSV104", - "Query": "data.builtin.kubernetes.KSV104.deny", - "Resolution": "Specify seccomp either by annotation or by seccomp profile type having allowed values as per pod security standards", - "Severity": "MEDIUM", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv104", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline", - "https://avd.aquasec.com/misconfig/ksv104" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 128, - "EndLine": 128, - "Code": { - "Lines": [ - { - "Number": 128, - "Content": "---", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "---", - "FirstCause": true, - "LastCause": true - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV106", - "AVDID": "AVD-KSV-0106", - "Title": "Container capabilities must only include NET_BIND_SERVICE", - "Description": "Containers must drop ALL capabilities, and are only permitted to add back the NET_BIND_SERVICE capability.", - "Message": "container should drop all", - "Namespace": "builtin.kubernetes.KSV106", - "Query": "data.builtin.kubernetes.KSV106.deny", - 
"Resolution": "Set 'spec.containers[*].securityContext.capabilities.drop' to 'ALL' and only add 'NET_BIND_SERVICE' to 'spec.containers[*].securityContext.capabilities.add'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv106", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", - "https://avd.aquasec.com/misconfig/ksv106" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 155, - "EndLine": 180, - "Code": { - "Lines": [ - { - "Number": 155, - "Content": " - name: devtron", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: devtron", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 156, - "Content": " image: \"quay.io/devtron/devtron:52693bde-146-6171\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/devtron:52693bde-146-6171\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 157, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 158, - "Content": " ports:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mports\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 159, - "Content": " - name: devtron", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: devtron", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 160, - "Content": " containerPort: 8080", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mcontainerPort\u001b[0m: 
\u001b[38;5;37m8080", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 161, - "Content": " protocol: TCP", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mprotocol\u001b[0m: TCP", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 162, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 163, - "Content": " - name: CONFIG_HASH", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: CONFIG_HASH", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 164, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - } - ] - }, - { - "Target": "manifests/hyperion/migrator.yaml", - "Class": "config", - "Type": "kubernetes", - "MisconfSummary": { - "Successes": 140, - "Failures": 38, - "Exceptions": 0 - }, - "Misconfigurations": [ - { - "Type": "Kubernetes Security Check", - "ID": "KSV001", - "AVDID": "AVD-KSV-0001", - "Title": "Can elevate its own privileges", - "Description": "A program inside the container can elevate its own privileges and run as root, which might give the program control over the container and node.", - "Message": "Container 'devtron-rollout' of Job 'postgresql-migrate-casbin' should set 'securityContext.allowPrivilegeEscalation' to false", - "Namespace": "builtin.kubernetes.KSV001", - "Query": "data.builtin.kubernetes.KSV001.deny", - "Resolution": "Set 'set containers[].securityContext.allowPrivilegeEscalation' to 'false'.", - "Severity": "MEDIUM", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv001", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", - "https://avd.aquasec.com/misconfig/ksv001" - ], - "Status": "FAIL", 
- "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 49, - "EndLine": 51, - "Code": { - "Lines": [ - { - "Number": 49, - "Content": " - name: devtron-rollout", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: devtron-rollout", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 50, - "Content": " image: quay.io/bitnami/kubectl:latest", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/bitnami/kubectl:latest", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 51, - "Content": " command: ['sh', '-c', 'kubectl rollout restart deployment/devtron -n devtroncd']", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mcommand\u001b[0m: [\u001b[38;5;37m'sh'\u001b[0m, \u001b[38;5;37m'-c'\u001b[0m, \u001b[38;5;37m'kubectl rollout restart deployment/devtron -n devtroncd'\u001b[0m]", - "FirstCause": false, - "LastCause": true - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV001", - "AVDID": "AVD-KSV-0001", - "Title": "Can elevate its own privileges", - "Description": "A program inside the container can elevate its own privileges and run as root, which might give the program control over the container and node.", - "Message": "Container 'postgresql-migrate-casbin' of Job 'postgresql-migrate-casbin' should set 'securityContext.allowPrivilegeEscalation' to false", - "Namespace": "builtin.kubernetes.KSV001", - "Query": "data.builtin.kubernetes.KSV001.deny", - "Resolution": "Set 'set containers[].securityContext.allowPrivilegeEscalation' to 'false'.", - "Severity": "MEDIUM", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv001", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", - "https://avd.aquasec.com/misconfig/ksv001" - ], - "Status": "FAIL", - 
"Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 53, - "EndLine": 82, - "Code": { - "Lines": [ - { - "Number": 53, - "Content": " - name: postgresql-migrate-casbin", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-migrate-casbin", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 54, - "Content": " image: quay.io/devtron/migrator:6687f572-133-2208", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/migrator:6687f572-133-2208", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 55, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 56, - "Content": " - name: SCRIPT_LOCATION", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: SCRIPT_LOCATION", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 57, - "Content": " value: scripts/casbin/", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: scripts/casbin/", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 58, - "Content": " - name: GIT_REPO_URL", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: GIT_REPO_URL", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 59, - "Content": " value: https://github.com/devtron-labs/devtron.git", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: https://github.com/devtron-labs/devtron.git", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 60, - "Content": " - name: DB_TYPE", - "IsCause": true, - "Annotation": "", - 
"Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: DB_TYPE", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 61, - "Content": " value: postgres", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: postgres", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 62, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV001", - "AVDID": "AVD-KSV-0001", - "Title": "Can elevate its own privileges", - "Description": "A program inside the container can elevate its own privileges and run as root, which might give the program control over the container and node.", - "Message": "Container 'postgresql-migrate-devtron' of Job 'postgresql-migrate-devtron' should set 'securityContext.allowPrivilegeEscalation' to false", - "Namespace": "builtin.kubernetes.KSV001", - "Query": "data.builtin.kubernetes.KSV001.deny", - "Resolution": "Set 'set containers[].securityContext.allowPrivilegeEscalation' to 'false'.", - "Severity": "MEDIUM", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv001", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", - "https://avd.aquasec.com/misconfig/ksv001" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 10, - "EndLine": 35, - "Code": { - "Lines": [ - { - "Number": 10, - "Content": " - name: postgresql-migrate-devtron", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-migrate-devtron", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 11, - "Content": " image: quay.io/devtron/migrator:6687f572-133-2208", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " 
\u001b[38;5;33mimage\u001b[0m: quay.io/devtron/migrator:6687f572-133-2208", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 12, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 13, - "Content": " - name: GIT_BRANCH", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: GIT_BRANCH", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 14, - "Content": " value: main", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: main", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 15, - "Content": " - name: SCRIPT_LOCATION", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: SCRIPT_LOCATION", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 16, - "Content": " value: scripts/sql/", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: scripts/sql/", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 17, - "Content": " - name: GIT_REPO_URL", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: GIT_REPO_URL", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 18, - "Content": " value: https://github.com/devtron-labs/devtron.git", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: https://github.com/devtron-labs/devtron.git", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 19, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV003", - 
"AVDID": "AVD-KSV-0003", - "Title": "Default capabilities: some containers do not drop all", - "Description": "The container should drop all default capabilities and add only those that are needed for its execution.", - "Message": "Container 'devtron-rollout' of Job 'postgresql-migrate-casbin' should add 'ALL' to 'securityContext.capabilities.drop'", - "Namespace": "builtin.kubernetes.KSV003", - "Query": "data.builtin.kubernetes.KSV003.deny", - "Resolution": "Add 'ALL' to containers[].securityContext.capabilities.drop.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv003", - "References": [ - "https://kubesec.io/basics/containers-securitycontext-capabilities-drop-index-all/", - "https://avd.aquasec.com/misconfig/ksv003" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 49, - "EndLine": 51, - "Code": { - "Lines": [ - { - "Number": 49, - "Content": " - name: devtron-rollout", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: devtron-rollout", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 50, - "Content": " image: quay.io/bitnami/kubectl:latest", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/bitnami/kubectl:latest", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 51, - "Content": " command: ['sh', '-c', 'kubectl rollout restart deployment/devtron -n devtroncd']", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mcommand\u001b[0m: [\u001b[38;5;37m'sh'\u001b[0m, \u001b[38;5;37m'-c'\u001b[0m, \u001b[38;5;37m'kubectl rollout restart deployment/devtron -n devtroncd'\u001b[0m]", - "FirstCause": false, - "LastCause": true - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV003", - "AVDID": "AVD-KSV-0003", - "Title": "Default 
capabilities: some containers do not drop all", - "Description": "The container should drop all default capabilities and add only those that are needed for its execution.", - "Message": "Container 'postgresql-migrate-casbin' of Job 'postgresql-migrate-casbin' should add 'ALL' to 'securityContext.capabilities.drop'", - "Namespace": "builtin.kubernetes.KSV003", - "Query": "data.builtin.kubernetes.KSV003.deny", - "Resolution": "Add 'ALL' to containers[].securityContext.capabilities.drop.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv003", - "References": [ - "https://kubesec.io/basics/containers-securitycontext-capabilities-drop-index-all/", - "https://avd.aquasec.com/misconfig/ksv003" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 53, - "EndLine": 82, - "Code": { - "Lines": [ - { - "Number": 53, - "Content": " - name: postgresql-migrate-casbin", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-migrate-casbin", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 54, - "Content": " image: quay.io/devtron/migrator:6687f572-133-2208", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/migrator:6687f572-133-2208", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 55, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 56, - "Content": " - name: SCRIPT_LOCATION", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: SCRIPT_LOCATION", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 57, - "Content": " value: scripts/casbin/", - "IsCause": true, - "Annotation": "", - 
"Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: scripts/casbin/", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 58, - "Content": " - name: GIT_REPO_URL", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: GIT_REPO_URL", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 59, - "Content": " value: https://github.com/devtron-labs/devtron.git", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: https://github.com/devtron-labs/devtron.git", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 60, - "Content": " - name: DB_TYPE", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: DB_TYPE", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 61, - "Content": " value: postgres", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: postgres", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 62, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV003", - "AVDID": "AVD-KSV-0003", - "Title": "Default capabilities: some containers do not drop all", - "Description": "The container should drop all default capabilities and add only those that are needed for its execution.", - "Message": "Container 'postgresql-migrate-devtron' of Job 'postgresql-migrate-devtron' should add 'ALL' to 'securityContext.capabilities.drop'", - "Namespace": "builtin.kubernetes.KSV003", - "Query": "data.builtin.kubernetes.KSV003.deny", - "Resolution": "Add 'ALL' to containers[].securityContext.capabilities.drop.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv003", - "References": [ - 
"https://kubesec.io/basics/containers-securitycontext-capabilities-drop-index-all/", - "https://avd.aquasec.com/misconfig/ksv003" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 10, - "EndLine": 35, - "Code": { - "Lines": [ - { - "Number": 10, - "Content": " - name: postgresql-migrate-devtron", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-migrate-devtron", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 11, - "Content": " image: quay.io/devtron/migrator:6687f572-133-2208", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/migrator:6687f572-133-2208", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 12, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 13, - "Content": " - name: GIT_BRANCH", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: GIT_BRANCH", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 14, - "Content": " value: main", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: main", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 15, - "Content": " - name: SCRIPT_LOCATION", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: SCRIPT_LOCATION", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 16, - "Content": " value: scripts/sql/", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: scripts/sql/", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 17, - 
"Content": " - name: GIT_REPO_URL", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: GIT_REPO_URL", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 18, - "Content": " value: https://github.com/devtron-labs/devtron.git", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: https://github.com/devtron-labs/devtron.git", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 19, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV011", - "AVDID": "AVD-KSV-0011", - "Title": "CPU not limited", - "Description": "Enforcing CPU limits prevents DoS via resource exhaustion.", - "Message": "Container 'devtron-rollout' of Job 'postgresql-migrate-casbin' should set 'resources.limits.cpu'", - "Namespace": "builtin.kubernetes.KSV011", - "Query": "data.builtin.kubernetes.KSV011.deny", - "Resolution": "Set a limit value under 'containers[].resources.limits.cpu'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv011", - "References": [ - "https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", - "https://avd.aquasec.com/misconfig/ksv011" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 49, - "EndLine": 51, - "Code": { - "Lines": [ - { - "Number": 49, - "Content": " - name: devtron-rollout", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: devtron-rollout", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 50, - "Content": " image: quay.io/bitnami/kubectl:latest", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " 
\u001b[38;5;33mimage\u001b[0m: quay.io/bitnami/kubectl:latest", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 51, - "Content": " command: ['sh', '-c', 'kubectl rollout restart deployment/devtron -n devtroncd']", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mcommand\u001b[0m: [\u001b[38;5;37m'sh'\u001b[0m, \u001b[38;5;37m'-c'\u001b[0m, \u001b[38;5;37m'kubectl rollout restart deployment/devtron -n devtroncd'\u001b[0m]", - "FirstCause": false, - "LastCause": true - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV011", - "AVDID": "AVD-KSV-0011", - "Title": "CPU not limited", - "Description": "Enforcing CPU limits prevents DoS via resource exhaustion.", - "Message": "Container 'postgresql-migrate-casbin' of Job 'postgresql-migrate-casbin' should set 'resources.limits.cpu'", - "Namespace": "builtin.kubernetes.KSV011", - "Query": "data.builtin.kubernetes.KSV011.deny", - "Resolution": "Set a limit value under 'containers[].resources.limits.cpu'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv011", - "References": [ - "https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", - "https://avd.aquasec.com/misconfig/ksv011" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 53, - "EndLine": 82, - "Code": { - "Lines": [ - { - "Number": 53, - "Content": " - name: postgresql-migrate-casbin", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-migrate-casbin", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 54, - "Content": " image: quay.io/devtron/migrator:6687f572-133-2208", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/migrator:6687f572-133-2208", - 
"FirstCause": false, - "LastCause": false - }, - { - "Number": 55, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 56, - "Content": " - name: SCRIPT_LOCATION", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: SCRIPT_LOCATION", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 57, - "Content": " value: scripts/casbin/", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: scripts/casbin/", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 58, - "Content": " - name: GIT_REPO_URL", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: GIT_REPO_URL", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 59, - "Content": " value: https://github.com/devtron-labs/devtron.git", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: https://github.com/devtron-labs/devtron.git", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 60, - "Content": " - name: DB_TYPE", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: DB_TYPE", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 61, - "Content": " value: postgres", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: postgres", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 62, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV011", - "AVDID": "AVD-KSV-0011", - "Title": "CPU not limited", - "Description": 
"Enforcing CPU limits prevents DoS via resource exhaustion.", - "Message": "Container 'postgresql-migrate-devtron' of Job 'postgresql-migrate-devtron' should set 'resources.limits.cpu'", - "Namespace": "builtin.kubernetes.KSV011", - "Query": "data.builtin.kubernetes.KSV011.deny", - "Resolution": "Set a limit value under 'containers[].resources.limits.cpu'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv011", - "References": [ - "https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", - "https://avd.aquasec.com/misconfig/ksv011" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 10, - "EndLine": 35, - "Code": { - "Lines": [ - { - "Number": 10, - "Content": " - name: postgresql-migrate-devtron", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-migrate-devtron", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 11, - "Content": " image: quay.io/devtron/migrator:6687f572-133-2208", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/migrator:6687f572-133-2208", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 12, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 13, - "Content": " - name: GIT_BRANCH", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: GIT_BRANCH", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 14, - "Content": " value: main", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: main", - "FirstCause": false, - "LastCause": false - 
}, - { - "Number": 15, - "Content": " - name: SCRIPT_LOCATION", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: SCRIPT_LOCATION", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 16, - "Content": " value: scripts/sql/", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: scripts/sql/", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 17, - "Content": " - name: GIT_REPO_URL", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: GIT_REPO_URL", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 18, - "Content": " value: https://github.com/devtron-labs/devtron.git", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: https://github.com/devtron-labs/devtron.git", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 19, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV012", - "AVDID": "AVD-KSV-0012", - "Title": "Runs as root user", - "Description": "Force the running image to run as a non-root user to ensure least privileges.", - "Message": "Container 'devtron-rollout' of Job 'postgresql-migrate-casbin' should set 'securityContext.runAsNonRoot' to true", - "Namespace": "builtin.kubernetes.KSV012", - "Query": "data.builtin.kubernetes.KSV012.deny", - "Resolution": "Set 'containers[].securityContext.runAsNonRoot' to true.", - "Severity": "MEDIUM", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv012", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", - "https://avd.aquasec.com/misconfig/ksv012" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": 
"Kubernetes", - "Service": "general", - "StartLine": 49, - "EndLine": 51, - "Code": { - "Lines": [ - { - "Number": 49, - "Content": " - name: devtron-rollout", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: devtron-rollout", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 50, - "Content": " image: quay.io/bitnami/kubectl:latest", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/bitnami/kubectl:latest", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 51, - "Content": " command: ['sh', '-c', 'kubectl rollout restart deployment/devtron -n devtroncd']", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mcommand\u001b[0m: [\u001b[38;5;37m'sh'\u001b[0m, \u001b[38;5;37m'-c'\u001b[0m, \u001b[38;5;37m'kubectl rollout restart deployment/devtron -n devtroncd'\u001b[0m]", - "FirstCause": false, - "LastCause": true - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV012", - "AVDID": "AVD-KSV-0012", - "Title": "Runs as root user", - "Description": "Force the running image to run as a non-root user to ensure least privileges.", - "Message": "Container 'postgresql-migrate-casbin' of Job 'postgresql-migrate-casbin' should set 'securityContext.runAsNonRoot' to true", - "Namespace": "builtin.kubernetes.KSV012", - "Query": "data.builtin.kubernetes.KSV012.deny", - "Resolution": "Set 'containers[].securityContext.runAsNonRoot' to true.", - "Severity": "MEDIUM", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv012", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", - "https://avd.aquasec.com/misconfig/ksv012" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 53, - "EndLine": 82, - "Code": { - "Lines": [ - { - "Number": 53, 
- "Content": " - name: postgresql-migrate-casbin", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-migrate-casbin", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 54, - "Content": " image: quay.io/devtron/migrator:6687f572-133-2208", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/migrator:6687f572-133-2208", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 55, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 56, - "Content": " - name: SCRIPT_LOCATION", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: SCRIPT_LOCATION", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 57, - "Content": " value: scripts/casbin/", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: scripts/casbin/", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 58, - "Content": " - name: GIT_REPO_URL", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: GIT_REPO_URL", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 59, - "Content": " value: https://github.com/devtron-labs/devtron.git", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: https://github.com/devtron-labs/devtron.git", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 60, - "Content": " - name: DB_TYPE", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: DB_TYPE", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 61, - "Content": " 
value: postgres", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: postgres", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 62, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV012", - "AVDID": "AVD-KSV-0012", - "Title": "Runs as root user", - "Description": "Force the running image to run as a non-root user to ensure least privileges.", - "Message": "Container 'postgresql-migrate-devtron' of Job 'postgresql-migrate-devtron' should set 'securityContext.runAsNonRoot' to true", - "Namespace": "builtin.kubernetes.KSV012", - "Query": "data.builtin.kubernetes.KSV012.deny", - "Resolution": "Set 'containers[].securityContext.runAsNonRoot' to true.", - "Severity": "MEDIUM", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv012", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", - "https://avd.aquasec.com/misconfig/ksv012" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 10, - "EndLine": 35, - "Code": { - "Lines": [ - { - "Number": 10, - "Content": " - name: postgresql-migrate-devtron", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-migrate-devtron", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 11, - "Content": " image: quay.io/devtron/migrator:6687f572-133-2208", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/migrator:6687f572-133-2208", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 12, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33menv\u001b[0m:", - 
"FirstCause": false, - "LastCause": false - }, - { - "Number": 13, - "Content": " - name: GIT_BRANCH", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: GIT_BRANCH", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 14, - "Content": " value: main", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: main", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 15, - "Content": " - name: SCRIPT_LOCATION", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: SCRIPT_LOCATION", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 16, - "Content": " value: scripts/sql/", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: scripts/sql/", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 17, - "Content": " - name: GIT_REPO_URL", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: GIT_REPO_URL", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 18, - "Content": " value: https://github.com/devtron-labs/devtron.git", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: https://github.com/devtron-labs/devtron.git", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 19, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV013", - "AVDID": "AVD-KSV-0013", - "Title": "Image tag \":latest\" used", - "Description": "It is best to avoid using the ':latest' image tag when deploying containers in production. 
Doing so makes it hard to track which version of the image is running, and hard to roll back the version.", - "Message": "Container 'devtron-rollout' of Job 'postgresql-migrate-casbin' should specify an image tag", - "Namespace": "builtin.kubernetes.KSV013", - "Query": "data.builtin.kubernetes.KSV013.deny", - "Resolution": "Use a specific container image tag that is not 'latest'.", - "Severity": "MEDIUM", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv013", - "References": [ - "https://kubernetes.io/docs/concepts/configuration/overview/#container-images", - "https://avd.aquasec.com/misconfig/ksv013" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 49, - "EndLine": 51, - "Code": { - "Lines": [ - { - "Number": 49, - "Content": " - name: devtron-rollout", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: devtron-rollout", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 50, - "Content": " image: quay.io/bitnami/kubectl:latest", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/bitnami/kubectl:latest", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 51, - "Content": " command: ['sh', '-c', 'kubectl rollout restart deployment/devtron -n devtroncd']", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mcommand\u001b[0m: [\u001b[38;5;37m'sh'\u001b[0m, \u001b[38;5;37m'-c'\u001b[0m, \u001b[38;5;37m'kubectl rollout restart deployment/devtron -n devtroncd'\u001b[0m]", - "FirstCause": false, - "LastCause": true - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV014", - "AVDID": "AVD-KSV-0014", - "Title": "Root file system is not read-only", - "Description": "An immutable root file system prevents applications from writing to their local disk. 
This can limit intrusions, as attackers will not be able to tamper with the file system or write foreign executables to disk.", - "Message": "Container 'devtron-rollout' of Job 'postgresql-migrate-casbin' should set 'securityContext.readOnlyRootFilesystem' to true", - "Namespace": "builtin.kubernetes.KSV014", - "Query": "data.builtin.kubernetes.KSV014.deny", - "Resolution": "Change 'containers[].securityContext.readOnlyRootFilesystem' to 'true'.", - "Severity": "HIGH", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv014", - "References": [ - "https://kubesec.io/basics/containers-securitycontext-readonlyrootfilesystem-true/", - "https://avd.aquasec.com/misconfig/ksv014" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 49, - "EndLine": 51, - "Code": { - "Lines": [ - { - "Number": 49, - "Content": " - name: devtron-rollout", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: devtron-rollout", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 50, - "Content": " image: quay.io/bitnami/kubectl:latest", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/bitnami/kubectl:latest", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 51, - "Content": " command: ['sh', '-c', 'kubectl rollout restart deployment/devtron -n devtroncd']", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mcommand\u001b[0m: [\u001b[38;5;37m'sh'\u001b[0m, \u001b[38;5;37m'-c'\u001b[0m, \u001b[38;5;37m'kubectl rollout restart deployment/devtron -n devtroncd'\u001b[0m]", - "FirstCause": false, - "LastCause": true - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV014", - "AVDID": "AVD-KSV-0014", - "Title": "Root file system is not read-only", - "Description": "An immutable root file system prevents 
applications from writing to their local disk. This can limit intrusions, as attackers will not be able to tamper with the file system or write foreign executables to disk.", - "Message": "Container 'postgresql-migrate-casbin' of Job 'postgresql-migrate-casbin' should set 'securityContext.readOnlyRootFilesystem' to true", - "Namespace": "builtin.kubernetes.KSV014", - "Query": "data.builtin.kubernetes.KSV014.deny", - "Resolution": "Change 'containers[].securityContext.readOnlyRootFilesystem' to 'true'.", - "Severity": "HIGH", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv014", - "References": [ - "https://kubesec.io/basics/containers-securitycontext-readonlyrootfilesystem-true/", - "https://avd.aquasec.com/misconfig/ksv014" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 53, - "EndLine": 82, - "Code": { - "Lines": [ - { - "Number": 53, - "Content": " - name: postgresql-migrate-casbin", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-migrate-casbin", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 54, - "Content": " image: quay.io/devtron/migrator:6687f572-133-2208", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/migrator:6687f572-133-2208", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 55, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 56, - "Content": " - name: SCRIPT_LOCATION", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: SCRIPT_LOCATION", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 57, - "Content": " value: scripts/casbin/", - "IsCause": true, - 
"Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: scripts/casbin/", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 58, - "Content": " - name: GIT_REPO_URL", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: GIT_REPO_URL", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 59, - "Content": " value: https://github.com/devtron-labs/devtron.git", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: https://github.com/devtron-labs/devtron.git", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 60, - "Content": " - name: DB_TYPE", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: DB_TYPE", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 61, - "Content": " value: postgres", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: postgres", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 62, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV014", - "AVDID": "AVD-KSV-0014", - "Title": "Root file system is not read-only", - "Description": "An immutable root file system prevents applications from writing to their local disk. 
This can limit intrusions, as attackers will not be able to tamper with the file system or write foreign executables to disk.", - "Message": "Container 'postgresql-migrate-devtron' of Job 'postgresql-migrate-devtron' should set 'securityContext.readOnlyRootFilesystem' to true", - "Namespace": "builtin.kubernetes.KSV014", - "Query": "data.builtin.kubernetes.KSV014.deny", - "Resolution": "Change 'containers[].securityContext.readOnlyRootFilesystem' to 'true'.", - "Severity": "HIGH", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv014", - "References": [ - "https://kubesec.io/basics/containers-securitycontext-readonlyrootfilesystem-true/", - "https://avd.aquasec.com/misconfig/ksv014" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 10, - "EndLine": 35, - "Code": { - "Lines": [ - { - "Number": 10, - "Content": " - name: postgresql-migrate-devtron", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-migrate-devtron", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 11, - "Content": " image: quay.io/devtron/migrator:6687f572-133-2208", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/migrator:6687f572-133-2208", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 12, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 13, - "Content": " - name: GIT_BRANCH", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: GIT_BRANCH", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 14, - "Content": " value: main", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " 
\u001b[38;5;33mvalue\u001b[0m: main", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 15, - "Content": " - name: SCRIPT_LOCATION", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: SCRIPT_LOCATION", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 16, - "Content": " value: scripts/sql/", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: scripts/sql/", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 17, - "Content": " - name: GIT_REPO_URL", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: GIT_REPO_URL", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 18, - "Content": " value: https://github.com/devtron-labs/devtron.git", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: https://github.com/devtron-labs/devtron.git", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 19, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV015", - "AVDID": "AVD-KSV-0015", - "Title": "CPU requests not specified", - "Description": "When containers have resource requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", - "Message": "Container 'devtron-rollout' of Job 'postgresql-migrate-casbin' should set 'resources.requests.cpu'", - "Namespace": "builtin.kubernetes.KSV015", - "Query": "data.builtin.kubernetes.KSV015.deny", - "Resolution": "Set 'containers[].resources.requests.cpu'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv015", - "References": [ - 
"https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", - "https://avd.aquasec.com/misconfig/ksv015" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 49, - "EndLine": 51, - "Code": { - "Lines": [ - { - "Number": 49, - "Content": " - name: devtron-rollout", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: devtron-rollout", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 50, - "Content": " image: quay.io/bitnami/kubectl:latest", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/bitnami/kubectl:latest", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 51, - "Content": " command: ['sh', '-c', 'kubectl rollout restart deployment/devtron -n devtroncd']", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mcommand\u001b[0m: [\u001b[38;5;37m'sh'\u001b[0m, \u001b[38;5;37m'-c'\u001b[0m, \u001b[38;5;37m'kubectl rollout restart deployment/devtron -n devtroncd'\u001b[0m]", - "FirstCause": false, - "LastCause": true - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV015", - "AVDID": "AVD-KSV-0015", - "Title": "CPU requests not specified", - "Description": "When containers have resource requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", - "Message": "Container 'postgresql-migrate-devtron' of Job 'postgresql-migrate-devtron' should set 'resources.requests.cpu'", - "Namespace": "builtin.kubernetes.KSV015", - "Query": "data.builtin.kubernetes.KSV015.deny", - "Resolution": "Set 'containers[].resources.requests.cpu'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv015", - "References": [ - 
"https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", - "https://avd.aquasec.com/misconfig/ksv015" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 10, - "EndLine": 35, - "Code": { - "Lines": [ - { - "Number": 10, - "Content": " - name: postgresql-migrate-devtron", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-migrate-devtron", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 11, - "Content": " image: quay.io/devtron/migrator:6687f572-133-2208", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/migrator:6687f572-133-2208", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 12, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 13, - "Content": " - name: GIT_BRANCH", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: GIT_BRANCH", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 14, - "Content": " value: main", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: main", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 15, - "Content": " - name: SCRIPT_LOCATION", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: SCRIPT_LOCATION", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 16, - "Content": " value: scripts/sql/", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: scripts/sql/", - "FirstCause": false, - "LastCause": 
false - }, - { - "Number": 17, - "Content": " - name: GIT_REPO_URL", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: GIT_REPO_URL", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 18, - "Content": " value: https://github.com/devtron-labs/devtron.git", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: https://github.com/devtron-labs/devtron.git", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 19, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV016", - "AVDID": "AVD-KSV-0016", - "Title": "Memory requests not specified", - "Description": "When containers have memory requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", - "Message": "Container 'devtron-rollout' of Job 'postgresql-migrate-casbin' should set 'resources.requests.memory'", - "Namespace": "builtin.kubernetes.KSV016", - "Query": "data.builtin.kubernetes.KSV016.deny", - "Resolution": "Set 'containers[].resources.requests.memory'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv016", - "References": [ - "https://kubesec.io/basics/containers-resources-limits-memory/", - "https://avd.aquasec.com/misconfig/ksv016" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 49, - "EndLine": 51, - "Code": { - "Lines": [ - { - "Number": 49, - "Content": " - name: devtron-rollout", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: devtron-rollout", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 50, - "Content": " image: quay.io/bitnami/kubectl:latest", - 
"IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/bitnami/kubectl:latest", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 51, - "Content": " command: ['sh', '-c', 'kubectl rollout restart deployment/devtron -n devtroncd']", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mcommand\u001b[0m: [\u001b[38;5;37m'sh'\u001b[0m, \u001b[38;5;37m'-c'\u001b[0m, \u001b[38;5;37m'kubectl rollout restart deployment/devtron -n devtroncd'\u001b[0m]", - "FirstCause": false, - "LastCause": true - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV016", - "AVDID": "AVD-KSV-0016", - "Title": "Memory requests not specified", - "Description": "When containers have memory requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", - "Message": "Container 'postgresql-migrate-devtron' of Job 'postgresql-migrate-devtron' should set 'resources.requests.memory'", - "Namespace": "builtin.kubernetes.KSV016", - "Query": "data.builtin.kubernetes.KSV016.deny", - "Resolution": "Set 'containers[].resources.requests.memory'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv016", - "References": [ - "https://kubesec.io/basics/containers-resources-limits-memory/", - "https://avd.aquasec.com/misconfig/ksv016" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 10, - "EndLine": 35, - "Code": { - "Lines": [ - { - "Number": 10, - "Content": " - name: postgresql-migrate-devtron", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-migrate-devtron", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 11, - "Content": " image: quay.io/devtron/migrator:6687f572-133-2208", - "IsCause": true, - 
"Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/migrator:6687f572-133-2208", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 12, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 13, - "Content": " - name: GIT_BRANCH", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: GIT_BRANCH", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 14, - "Content": " value: main", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: main", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 15, - "Content": " - name: SCRIPT_LOCATION", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: SCRIPT_LOCATION", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 16, - "Content": " value: scripts/sql/", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: scripts/sql/", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 17, - "Content": " - name: GIT_REPO_URL", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: GIT_REPO_URL", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 18, - "Content": " value: https://github.com/devtron-labs/devtron.git", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: https://github.com/devtron-labs/devtron.git", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 19, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - 
"Type": "Kubernetes Security Check", - "ID": "KSV018", - "AVDID": "AVD-KSV-0018", - "Title": "Memory not limited", - "Description": "Enforcing memory limits prevents DoS via resource exhaustion.", - "Message": "Container 'devtron-rollout' of Job 'postgresql-migrate-casbin' should set 'resources.limits.memory'", - "Namespace": "builtin.kubernetes.KSV018", - "Query": "data.builtin.kubernetes.KSV018.deny", - "Resolution": "Set a limit value under 'containers[].resources.limits.memory'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv018", - "References": [ - "https://kubesec.io/basics/containers-resources-limits-memory/", - "https://avd.aquasec.com/misconfig/ksv018" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 49, - "EndLine": 51, - "Code": { - "Lines": [ - { - "Number": 49, - "Content": " - name: devtron-rollout", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: devtron-rollout", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 50, - "Content": " image: quay.io/bitnami/kubectl:latest", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/bitnami/kubectl:latest", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 51, - "Content": " command: ['sh', '-c', 'kubectl rollout restart deployment/devtron -n devtroncd']", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mcommand\u001b[0m: [\u001b[38;5;37m'sh'\u001b[0m, \u001b[38;5;37m'-c'\u001b[0m, \u001b[38;5;37m'kubectl rollout restart deployment/devtron -n devtroncd'\u001b[0m]", - "FirstCause": false, - "LastCause": true - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV018", - "AVDID": "AVD-KSV-0018", - "Title": "Memory not limited", - "Description": "Enforcing memory limits prevents DoS 
via resource exhaustion.", - "Message": "Container 'postgresql-migrate-casbin' of Job 'postgresql-migrate-casbin' should set 'resources.limits.memory'", - "Namespace": "builtin.kubernetes.KSV018", - "Query": "data.builtin.kubernetes.KSV018.deny", - "Resolution": "Set a limit value under 'containers[].resources.limits.memory'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv018", - "References": [ - "https://kubesec.io/basics/containers-resources-limits-memory/", - "https://avd.aquasec.com/misconfig/ksv018" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 53, - "EndLine": 82, - "Code": { - "Lines": [ - { - "Number": 53, - "Content": " - name: postgresql-migrate-casbin", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-migrate-casbin", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 54, - "Content": " image: quay.io/devtron/migrator:6687f572-133-2208", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/migrator:6687f572-133-2208", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 55, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 56, - "Content": " - name: SCRIPT_LOCATION", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: SCRIPT_LOCATION", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 57, - "Content": " value: scripts/casbin/", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: scripts/casbin/", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 58, - "Content": " - name: 
GIT_REPO_URL", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: GIT_REPO_URL", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 59, - "Content": " value: https://github.com/devtron-labs/devtron.git", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: https://github.com/devtron-labs/devtron.git", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 60, - "Content": " - name: DB_TYPE", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: DB_TYPE", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 61, - "Content": " value: postgres", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: postgres", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 62, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV018", - "AVDID": "AVD-KSV-0018", - "Title": "Memory not limited", - "Description": "Enforcing memory limits prevents DoS via resource exhaustion.", - "Message": "Container 'postgresql-migrate-devtron' of Job 'postgresql-migrate-devtron' should set 'resources.limits.memory'", - "Namespace": "builtin.kubernetes.KSV018", - "Query": "data.builtin.kubernetes.KSV018.deny", - "Resolution": "Set a limit value under 'containers[].resources.limits.memory'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv018", - "References": [ - "https://kubesec.io/basics/containers-resources-limits-memory/", - "https://avd.aquasec.com/misconfig/ksv018" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 10, - "EndLine": 35, - "Code": { - "Lines": [ - { - 
"Number": 10, - "Content": " - name: postgresql-migrate-devtron", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-migrate-devtron", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 11, - "Content": " image: quay.io/devtron/migrator:6687f572-133-2208", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/migrator:6687f572-133-2208", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 12, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 13, - "Content": " - name: GIT_BRANCH", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: GIT_BRANCH", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 14, - "Content": " value: main", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: main", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 15, - "Content": " - name: SCRIPT_LOCATION", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: SCRIPT_LOCATION", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 16, - "Content": " value: scripts/sql/", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: scripts/sql/", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 17, - "Content": " - name: GIT_REPO_URL", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: GIT_REPO_URL", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 18, - "Content": " value: https://github.com/devtron-labs/devtron.git", - 
"IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: https://github.com/devtron-labs/devtron.git", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 19, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV020", - "AVDID": "AVD-KSV-0020", - "Title": "Runs with UID \u003c= 10000", - "Description": "Force the container to run with user ID \u003e 10000 to avoid conflicts with the host’s user table.", - "Message": "Container 'devtron-rollout' of Job 'postgresql-migrate-casbin' should set 'securityContext.runAsUser' \u003e 10000", - "Namespace": "builtin.kubernetes.KSV020", - "Query": "data.builtin.kubernetes.KSV020.deny", - "Resolution": "Set 'containers[].securityContext.runAsUser' to an integer \u003e 10000.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv020", - "References": [ - "https://kubesec.io/basics/containers-securitycontext-runasuser/", - "https://avd.aquasec.com/misconfig/ksv020" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 49, - "EndLine": 51, - "Code": { - "Lines": [ - { - "Number": 49, - "Content": " - name: devtron-rollout", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: devtron-rollout", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 50, - "Content": " image: quay.io/bitnami/kubectl:latest", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/bitnami/kubectl:latest", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 51, - "Content": " command: ['sh', '-c', 'kubectl rollout restart deployment/devtron -n devtroncd']", - "IsCause": true, - "Annotation": "", - "Truncated": 
false, - "Highlighted": " \u001b[38;5;33mcommand\u001b[0m: [\u001b[38;5;37m'sh'\u001b[0m, \u001b[38;5;37m'-c'\u001b[0m, \u001b[38;5;37m'kubectl rollout restart deployment/devtron -n devtroncd'\u001b[0m]", - "FirstCause": false, - "LastCause": true - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV020", - "AVDID": "AVD-KSV-0020", - "Title": "Runs with UID \u003c= 10000", - "Description": "Force the container to run with user ID \u003e 10000 to avoid conflicts with the host’s user table.", - "Message": "Container 'postgresql-migrate-casbin' of Job 'postgresql-migrate-casbin' should set 'securityContext.runAsUser' \u003e 10000", - "Namespace": "builtin.kubernetes.KSV020", - "Query": "data.builtin.kubernetes.KSV020.deny", - "Resolution": "Set 'containers[].securityContext.runAsUser' to an integer \u003e 10000.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv020", - "References": [ - "https://kubesec.io/basics/containers-securitycontext-runasuser/", - "https://avd.aquasec.com/misconfig/ksv020" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 53, - "EndLine": 82, - "Code": { - "Lines": [ - { - "Number": 53, - "Content": " - name: postgresql-migrate-casbin", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-migrate-casbin", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 54, - "Content": " image: quay.io/devtron/migrator:6687f572-133-2208", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/migrator:6687f572-133-2208", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 55, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - 
"Number": 56, - "Content": " - name: SCRIPT_LOCATION", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: SCRIPT_LOCATION", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 57, - "Content": " value: scripts/casbin/", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: scripts/casbin/", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 58, - "Content": " - name: GIT_REPO_URL", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: GIT_REPO_URL", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 59, - "Content": " value: https://github.com/devtron-labs/devtron.git", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: https://github.com/devtron-labs/devtron.git", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 60, - "Content": " - name: DB_TYPE", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: DB_TYPE", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 61, - "Content": " value: postgres", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: postgres", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 62, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV020", - "AVDID": "AVD-KSV-0020", - "Title": "Runs with UID \u003c= 10000", - "Description": "Force the container to run with user ID \u003e 10000 to avoid conflicts with the host’s user table.", - "Message": "Container 'postgresql-migrate-devtron' of Job 'postgresql-migrate-devtron' should set 'securityContext.runAsUser' \u003e 
10000", - "Namespace": "builtin.kubernetes.KSV020", - "Query": "data.builtin.kubernetes.KSV020.deny", - "Resolution": "Set 'containers[].securityContext.runAsUser' to an integer \u003e 10000.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv020", - "References": [ - "https://kubesec.io/basics/containers-securitycontext-runasuser/", - "https://avd.aquasec.com/misconfig/ksv020" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 10, - "EndLine": 35, - "Code": { - "Lines": [ - { - "Number": 10, - "Content": " - name: postgresql-migrate-devtron", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-migrate-devtron", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 11, - "Content": " image: quay.io/devtron/migrator:6687f572-133-2208", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/migrator:6687f572-133-2208", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 12, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 13, - "Content": " - name: GIT_BRANCH", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: GIT_BRANCH", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 14, - "Content": " value: main", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: main", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 15, - "Content": " - name: SCRIPT_LOCATION", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: SCRIPT_LOCATION", - "FirstCause": false, - 
"LastCause": false - }, - { - "Number": 16, - "Content": " value: scripts/sql/", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: scripts/sql/", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 17, - "Content": " - name: GIT_REPO_URL", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: GIT_REPO_URL", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 18, - "Content": " value: https://github.com/devtron-labs/devtron.git", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: https://github.com/devtron-labs/devtron.git", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 19, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV021", - "AVDID": "AVD-KSV-0021", - "Title": "Runs with GID \u003c= 10000", - "Description": "Force the container to run with group ID \u003e 10000 to avoid conflicts with the host’s user table.", - "Message": "Container 'devtron-rollout' of Job 'postgresql-migrate-casbin' should set 'securityContext.runAsGroup' \u003e 10000", - "Namespace": "builtin.kubernetes.KSV021", - "Query": "data.builtin.kubernetes.KSV021.deny", - "Resolution": "Set 'containers[].securityContext.runAsGroup' to an integer \u003e 10000.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv021", - "References": [ - "https://kubesec.io/basics/containers-securitycontext-runasuser/", - "https://avd.aquasec.com/misconfig/ksv021" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 49, - "EndLine": 51, - "Code": { - "Lines": [ - { - "Number": 49, - "Content": " - name: devtron-rollout", - "IsCause": true, - "Annotation": 
"", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: devtron-rollout", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 50, - "Content": " image: quay.io/bitnami/kubectl:latest", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/bitnami/kubectl:latest", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 51, - "Content": " command: ['sh', '-c', 'kubectl rollout restart deployment/devtron -n devtroncd']", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mcommand\u001b[0m: [\u001b[38;5;37m'sh'\u001b[0m, \u001b[38;5;37m'-c'\u001b[0m, \u001b[38;5;37m'kubectl rollout restart deployment/devtron -n devtroncd'\u001b[0m]", - "FirstCause": false, - "LastCause": true - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV021", - "AVDID": "AVD-KSV-0021", - "Title": "Runs with GID \u003c= 10000", - "Description": "Force the container to run with group ID \u003e 10000 to avoid conflicts with the host’s user table.", - "Message": "Container 'postgresql-migrate-casbin' of Job 'postgresql-migrate-casbin' should set 'securityContext.runAsGroup' \u003e 10000", - "Namespace": "builtin.kubernetes.KSV021", - "Query": "data.builtin.kubernetes.KSV021.deny", - "Resolution": "Set 'containers[].securityContext.runAsGroup' to an integer \u003e 10000.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv021", - "References": [ - "https://kubesec.io/basics/containers-securitycontext-runasuser/", - "https://avd.aquasec.com/misconfig/ksv021" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 53, - "EndLine": 82, - "Code": { - "Lines": [ - { - "Number": 53, - "Content": " - name: postgresql-migrate-casbin", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - 
\u001b[38;5;33mname\u001b[0m: postgresql-migrate-casbin", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 54, - "Content": " image: quay.io/devtron/migrator:6687f572-133-2208", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/migrator:6687f572-133-2208", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 55, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 56, - "Content": " - name: SCRIPT_LOCATION", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: SCRIPT_LOCATION", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 57, - "Content": " value: scripts/casbin/", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: scripts/casbin/", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 58, - "Content": " - name: GIT_REPO_URL", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: GIT_REPO_URL", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 59, - "Content": " value: https://github.com/devtron-labs/devtron.git", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: https://github.com/devtron-labs/devtron.git", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 60, - "Content": " - name: DB_TYPE", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: DB_TYPE", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 61, - "Content": " value: postgres", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: 
postgres", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 62, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV021", - "AVDID": "AVD-KSV-0021", - "Title": "Runs with GID \u003c= 10000", - "Description": "Force the container to run with group ID \u003e 10000 to avoid conflicts with the host’s user table.", - "Message": "Container 'postgresql-migrate-devtron' of Job 'postgresql-migrate-devtron' should set 'securityContext.runAsGroup' \u003e 10000", - "Namespace": "builtin.kubernetes.KSV021", - "Query": "data.builtin.kubernetes.KSV021.deny", - "Resolution": "Set 'containers[].securityContext.runAsGroup' to an integer \u003e 10000.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv021", - "References": [ - "https://kubesec.io/basics/containers-securitycontext-runasuser/", - "https://avd.aquasec.com/misconfig/ksv021" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 10, - "EndLine": 35, - "Code": { - "Lines": [ - { - "Number": 10, - "Content": " - name: postgresql-migrate-devtron", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-migrate-devtron", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 11, - "Content": " image: quay.io/devtron/migrator:6687f572-133-2208", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/migrator:6687f572-133-2208", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 12, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 13, - "Content": " - name: 
GIT_BRANCH", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: GIT_BRANCH", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 14, - "Content": " value: main", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: main", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 15, - "Content": " - name: SCRIPT_LOCATION", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: SCRIPT_LOCATION", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 16, - "Content": " value: scripts/sql/", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: scripts/sql/", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 17, - "Content": " - name: GIT_REPO_URL", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: GIT_REPO_URL", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 18, - "Content": " value: https://github.com/devtron-labs/devtron.git", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: https://github.com/devtron-labs/devtron.git", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 19, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV030", - "AVDID": "AVD-KSV-0030", - "Title": "Runtime/Default Seccomp profile not set", - "Description": "According to pod security standard 'Seccomp', the RuntimeDefault seccomp profile must be required, or allow specific additional profiles.", - "Message": "Either Pod or Container should set 'securityContext.seccompProfile.type' to 'RuntimeDefault'", - "Namespace": 
"builtin.kubernetes.KSV030", - "Query": "data.builtin.kubernetes.KSV030.deny", - "Resolution": "Set 'spec.securityContext.seccompProfile.type', 'spec.containers[*].securityContext.seccompProfile' and 'spec.initContainers[*].securityContext.seccompProfile' to 'RuntimeDefault' or undefined.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv030", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", - "https://avd.aquasec.com/misconfig/ksv030" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 53, - "EndLine": 82, - "Code": { - "Lines": [ - { - "Number": 53, - "Content": " - name: postgresql-migrate-casbin", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-migrate-casbin", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 54, - "Content": " image: quay.io/devtron/migrator:6687f572-133-2208", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/migrator:6687f572-133-2208", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 55, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 56, - "Content": " - name: SCRIPT_LOCATION", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: SCRIPT_LOCATION", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 57, - "Content": " value: scripts/casbin/", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: scripts/casbin/", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 58, - "Content": " - name: GIT_REPO_URL", - "IsCause": 
true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: GIT_REPO_URL", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 59, - "Content": " value: https://github.com/devtron-labs/devtron.git", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: https://github.com/devtron-labs/devtron.git", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 60, - "Content": " - name: DB_TYPE", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: DB_TYPE", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 61, - "Content": " value: postgres", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: postgres", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 62, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV030", - "AVDID": "AVD-KSV-0030", - "Title": "Runtime/Default Seccomp profile not set", - "Description": "According to pod security standard 'Seccomp', the RuntimeDefault seccomp profile must be required, or allow specific additional profiles.", - "Message": "Either Pod or Container should set 'securityContext.seccompProfile.type' to 'RuntimeDefault'", - "Namespace": "builtin.kubernetes.KSV030", - "Query": "data.builtin.kubernetes.KSV030.deny", - "Resolution": "Set 'spec.securityContext.seccompProfile.type', 'spec.containers[*].securityContext.seccompProfile' and 'spec.initContainers[*].securityContext.seccompProfile' to 'RuntimeDefault' or undefined.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv030", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", - 
"https://avd.aquasec.com/misconfig/ksv030" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 49, - "EndLine": 51, - "Code": { - "Lines": [ - { - "Number": 49, - "Content": " - name: devtron-rollout", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: devtron-rollout", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 50, - "Content": " image: quay.io/bitnami/kubectl:latest", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/bitnami/kubectl:latest", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 51, - "Content": " command: ['sh', '-c', 'kubectl rollout restart deployment/devtron -n devtroncd']", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mcommand\u001b[0m: [\u001b[38;5;37m'sh'\u001b[0m, \u001b[38;5;37m'-c'\u001b[0m, \u001b[38;5;37m'kubectl rollout restart deployment/devtron -n devtroncd'\u001b[0m]", - "FirstCause": false, - "LastCause": true - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV030", - "AVDID": "AVD-KSV-0030", - "Title": "Runtime/Default Seccomp profile not set", - "Description": "According to pod security standard 'Seccomp', the RuntimeDefault seccomp profile must be required, or allow specific additional profiles.", - "Message": "Either Pod or Container should set 'securityContext.seccompProfile.type' to 'RuntimeDefault'", - "Namespace": "builtin.kubernetes.KSV030", - "Query": "data.builtin.kubernetes.KSV030.deny", - "Resolution": "Set 'spec.securityContext.seccompProfile.type', 'spec.containers[*].securityContext.seccompProfile' and 'spec.initContainers[*].securityContext.seccompProfile' to 'RuntimeDefault' or undefined.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv030", - "References": [ - 
"https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", - "https://avd.aquasec.com/misconfig/ksv030" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 10, - "EndLine": 35, - "Code": { - "Lines": [ - { - "Number": 10, - "Content": " - name: postgresql-migrate-devtron", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-migrate-devtron", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 11, - "Content": " image: quay.io/devtron/migrator:6687f572-133-2208", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/migrator:6687f572-133-2208", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 12, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 13, - "Content": " - name: GIT_BRANCH", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: GIT_BRANCH", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 14, - "Content": " value: main", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: main", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 15, - "Content": " - name: SCRIPT_LOCATION", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: SCRIPT_LOCATION", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 16, - "Content": " value: scripts/sql/", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: scripts/sql/", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 17, - 
"Content": " - name: GIT_REPO_URL", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: GIT_REPO_URL", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 18, - "Content": " value: https://github.com/devtron-labs/devtron.git", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: https://github.com/devtron-labs/devtron.git", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 19, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV104", - "AVDID": "AVD-KSV-0104", - "Title": "Seccomp policies disabled", - "Description": "A program inside the container can bypass Seccomp protection policies.", - "Message": "container \"devtron-rollout\" of job \"postgresql-migrate-casbin\" in \"default\" namespace should specify a seccomp profile", - "Namespace": "builtin.kubernetes.KSV104", - "Query": "data.builtin.kubernetes.KSV104.deny", - "Resolution": "Specify seccomp either by annotation or by seccomp profile type having allowed values as per pod security standards", - "Severity": "MEDIUM", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv104", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline", - "https://avd.aquasec.com/misconfig/ksv104" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 39, - "EndLine": 39, - "Code": { - "Lines": [ - { - "Number": 39, - "Content": "---", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m---", - "FirstCause": true, - "LastCause": true - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV104", - "AVDID": "AVD-KSV-0104", - "Title": "Seccomp policies disabled", - 
"Description": "A program inside the container can bypass Seccomp protection policies.", - "Message": "container \"postgresql-migrate-casbin\" of job \"postgresql-migrate-casbin\" in \"default\" namespace should specify a seccomp profile", - "Namespace": "builtin.kubernetes.KSV104", - "Query": "data.builtin.kubernetes.KSV104.deny", - "Resolution": "Specify seccomp either by annotation or by seccomp profile type having allowed values as per pod security standards", - "Severity": "MEDIUM", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv104", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline", - "https://avd.aquasec.com/misconfig/ksv104" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 39, - "EndLine": 39, - "Code": { - "Lines": [ - { - "Number": 39, - "Content": "---", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m---", - "FirstCause": true, - "LastCause": true - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV104", - "AVDID": "AVD-KSV-0104", - "Title": "Seccomp policies disabled", - "Description": "A program inside the container can bypass Seccomp protection policies.", - "Message": "container \"postgresql-migrate-devtron\" of job \"postgresql-migrate-devtron\" in \"default\" namespace should specify a seccomp profile", - "Namespace": "builtin.kubernetes.KSV104", - "Query": "data.builtin.kubernetes.KSV104.deny", - "Resolution": "Specify seccomp either by annotation or by seccomp profile type having allowed values as per pod security standards", - "Severity": "MEDIUM", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv104", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline", - "https://avd.aquasec.com/misconfig/ksv104" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - 
"Service": "general", - "Code": { - "Lines": null - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV106", - "AVDID": "AVD-KSV-0106", - "Title": "Container capabilities must only include NET_BIND_SERVICE", - "Description": "Containers must drop ALL capabilities, and are only permitted to add back the NET_BIND_SERVICE capability.", - "Message": "container should drop all", - "Namespace": "builtin.kubernetes.KSV106", - "Query": "data.builtin.kubernetes.KSV106.deny", - "Resolution": "Set 'spec.containers[*].securityContext.capabilities.drop' to 'ALL' and only add 'NET_BIND_SERVICE' to 'spec.containers[*].securityContext.capabilities.add'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv106", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", - "https://avd.aquasec.com/misconfig/ksv106" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 53, - "EndLine": 82, - "Code": { - "Lines": [ - { - "Number": 53, - "Content": " - name: postgresql-migrate-casbin", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-migrate-casbin", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 54, - "Content": " image: quay.io/devtron/migrator:6687f572-133-2208", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/migrator:6687f572-133-2208", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 55, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 56, - "Content": " - name: SCRIPT_LOCATION", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: 
SCRIPT_LOCATION", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 57, - "Content": " value: scripts/casbin/", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: scripts/casbin/", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 58, - "Content": " - name: GIT_REPO_URL", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: GIT_REPO_URL", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 59, - "Content": " value: https://github.com/devtron-labs/devtron.git", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: https://github.com/devtron-labs/devtron.git", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 60, - "Content": " - name: DB_TYPE", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: DB_TYPE", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 61, - "Content": " value: postgres", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: postgres", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 62, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV106", - "AVDID": "AVD-KSV-0106", - "Title": "Container capabilities must only include NET_BIND_SERVICE", - "Description": "Containers must drop ALL capabilities, and are only permitted to add back the NET_BIND_SERVICE capability.", - "Message": "container should drop all", - "Namespace": "builtin.kubernetes.KSV106", - "Query": "data.builtin.kubernetes.KSV106.deny", - "Resolution": "Set 'spec.containers[*].securityContext.capabilities.drop' to 'ALL' and only add 'NET_BIND_SERVICE' to 
'spec.containers[*].securityContext.capabilities.add'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv106", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", - "https://avd.aquasec.com/misconfig/ksv106" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 49, - "EndLine": 51, - "Code": { - "Lines": [ - { - "Number": 49, - "Content": " - name: devtron-rollout", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: devtron-rollout", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 50, - "Content": " image: quay.io/bitnami/kubectl:latest", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/bitnami/kubectl:latest", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 51, - "Content": " command: ['sh', '-c', 'kubectl rollout restart deployment/devtron -n devtroncd']", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mcommand\u001b[0m: [\u001b[38;5;37m'sh'\u001b[0m, \u001b[38;5;37m'-c'\u001b[0m, \u001b[38;5;37m'kubectl rollout restart deployment/devtron -n devtroncd'\u001b[0m]", - "FirstCause": false, - "LastCause": true - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV106", - "AVDID": "AVD-KSV-0106", - "Title": "Container capabilities must only include NET_BIND_SERVICE", - "Description": "Containers must drop ALL capabilities, and are only permitted to add back the NET_BIND_SERVICE capability.", - "Message": "container should drop all", - "Namespace": "builtin.kubernetes.KSV106", - "Query": "data.builtin.kubernetes.KSV106.deny", - "Resolution": "Set 'spec.containers[*].securityContext.capabilities.drop' to 'ALL' and only add 'NET_BIND_SERVICE' to 
'spec.containers[*].securityContext.capabilities.add'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv106", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", - "https://avd.aquasec.com/misconfig/ksv106" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 10, - "EndLine": 35, - "Code": { - "Lines": [ - { - "Number": 10, - "Content": " - name: postgresql-migrate-devtron", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-migrate-devtron", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 11, - "Content": " image: quay.io/devtron/migrator:6687f572-133-2208", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/migrator:6687f572-133-2208", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 12, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 13, - "Content": " - name: GIT_BRANCH", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: GIT_BRANCH", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 14, - "Content": " value: main", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: main", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 15, - "Content": " - name: SCRIPT_LOCATION", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: SCRIPT_LOCATION", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 16, - "Content": " value: scripts/sql/", - "IsCause": true, - "Annotation": "", - 
"Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: scripts/sql/", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 17, - "Content": " - name: GIT_REPO_URL", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: GIT_REPO_URL", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 18, - "Content": " value: https://github.com/devtron-labs/devtron.git", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: https://github.com/devtron-labs/devtron.git", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 19, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - } - ] - }, - { - "Target": "manifests/hyperion/postgresql.yaml", - "Class": "config", - "Type": "kubernetes", - "MisconfSummary": { - "Successes": 153, - "Failures": 41, - "Exceptions": 0 - }, - "Misconfigurations": [ - { - "Type": "Kubernetes Security Check", - "ID": "KSV001", - "AVDID": "AVD-KSV-0001", - "Title": "Can elevate its own privileges", - "Description": "A program inside the container can elevate its own privileges and run as root, which might give the program control over the container and node.", - "Message": "Container 'init-chmod-data' of StatefulSet 'postgresql-postgresql' should set 'securityContext.allowPrivilegeEscalation' to false", - "Namespace": "builtin.kubernetes.KSV001", - "Query": "data.builtin.kubernetes.KSV001.deny", - "Resolution": "Set 'set containers[].securityContext.allowPrivilegeEscalation' to 'false'.", - "Severity": "MEDIUM", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv001", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", - "https://avd.aquasec.com/misconfig/ksv001" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - 
"Service": "general", - "StartLine": 122, - "EndLine": 143, - "Code": { - "Lines": [ - { - "Number": 122, - "Content": " - name: init-chmod-data", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: init-chmod-data", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 123, - "Content": " image: \"quay.io/bitnami/minideb:latest\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/bitnami/minideb:latest\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 124, - "Content": " imagePullPolicy: \"IfNotPresent\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: \u001b[38;5;37m\"IfNotPresent\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 125, - "Content": " command:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mcommand\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 126, - "Content": " - /bin/sh", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - /bin/sh", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 127, - "Content": " - -cx", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - -cx", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 128, - "Content": " - |", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - |", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 129, - "Content": " ", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[38;5;37m ", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 130, - "Content": " mkdir -p /bitnami/postgresql/data", - "IsCause": true, - "Annotation": "", - "Truncated": false, - 
"Highlighted": " mkdir -p /bitnami/postgresql/data", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 131, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV001", - "AVDID": "AVD-KSV-0001", - "Title": "Can elevate its own privileges", - "Description": "A program inside the container can elevate its own privileges and run as root, which might give the program control over the container and node.", - "Message": "Container 'metrics' of StatefulSet 'postgresql-postgresql' should set 'securityContext.allowPrivilegeEscalation' to false", - "Namespace": "builtin.kubernetes.KSV001", - "Query": "data.builtin.kubernetes.KSV001.deny", - "Resolution": "Set 'set containers[].securityContext.allowPrivilegeEscalation' to 'false'.", - "Severity": "MEDIUM", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv001", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", - "https://avd.aquasec.com/misconfig/ksv001" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 210, - "EndLine": 244, - "Code": { - "Lines": [ - { - "Number": 210, - "Content": " - name: metrics", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: metrics", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 211, - "Content": " image: quay.io/devtron/postgres_exporter:v0.4.7", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/postgres_exporter:v0.4.7", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 212, - "Content": " imagePullPolicy: \"IfNotPresent\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " 
\u001b[38;5;33mimagePullPolicy\u001b[0m: \u001b[38;5;37m\"IfNotPresent\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 213, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 214, - "Content": " - name: DATA_SOURCE_URI", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: DATA_SOURCE_URI", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 215, - "Content": " value: \"127.0.0.1:5432/orchestrator?sslmode=disable\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: \u001b[38;5;37m\"127.0.0.1:5432/orchestrator?sslmode=disable\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 216, - "Content": " - name: DATA_SOURCE_PASS", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: DATA_SOURCE_PASS", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 217, - "Content": " valueFrom:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalueFrom\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 218, - "Content": " secretKeyRef:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33msecretKeyRef\u001b[0m:", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 219, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV001", - "AVDID": "AVD-KSV-0001", - "Title": "Can elevate its own privileges", - "Description": "A program inside the container can elevate its own privileges and run as root, which might give the 
program control over the container and node.", - "Message": "Container 'postgresql-postgresql' of StatefulSet 'postgresql-postgresql' should set 'securityContext.allowPrivilegeEscalation' to false", - "Namespace": "builtin.kubernetes.KSV001", - "Query": "data.builtin.kubernetes.KSV001.deny", - "Resolution": "Set 'set containers[].securityContext.allowPrivilegeEscalation' to 'false'.", - "Severity": "MEDIUM", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv001", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", - "https://avd.aquasec.com/misconfig/ksv001" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 149, - "EndLine": 208, - "Code": { - "Lines": [ - { - "Number": 149, - "Content": " - name: postgresql-postgresql", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-postgresql", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 150, - "Content": " image: quay.io/bitnami/postgresql:11.3.0-debian-9-r28", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/bitnami/postgresql:11.3.0-debian-9-r28", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 151, - "Content": " imagePullPolicy: \"IfNotPresent\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: \u001b[38;5;37m\"IfNotPresent\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 152, - "Content": " securityContext:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33msecurityContext\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 153, - "Content": " runAsUser: 1001", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " 
\u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1001", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 154, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 155, - "Content": " - name: BITNAMI_DEBUG", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: BITNAMI_DEBUG", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 156, - "Content": " value: \"false\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: \u001b[38;5;37m\"false\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 157, - "Content": " - name: POSTGRESQL_PORT_NUMBER", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: POSTGRESQL_PORT_NUMBER", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 158, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV003", - "AVDID": "AVD-KSV-0003", - "Title": "Default capabilities: some containers do not drop all", - "Description": "The container should drop all default capabilities and add only those that are needed for its execution.", - "Message": "Container 'init-chmod-data' of StatefulSet 'postgresql-postgresql' should add 'ALL' to 'securityContext.capabilities.drop'", - "Namespace": "builtin.kubernetes.KSV003", - "Query": "data.builtin.kubernetes.KSV003.deny", - "Resolution": "Add 'ALL' to containers[].securityContext.capabilities.drop.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv003", - "References": [ - 
"https://kubesec.io/basics/containers-securitycontext-capabilities-drop-index-all/", - "https://avd.aquasec.com/misconfig/ksv003" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 122, - "EndLine": 143, - "Code": { - "Lines": [ - { - "Number": 122, - "Content": " - name: init-chmod-data", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: init-chmod-data", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 123, - "Content": " image: \"quay.io/bitnami/minideb:latest\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/bitnami/minideb:latest\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 124, - "Content": " imagePullPolicy: \"IfNotPresent\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: \u001b[38;5;37m\"IfNotPresent\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 125, - "Content": " command:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mcommand\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 126, - "Content": " - /bin/sh", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - /bin/sh", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 127, - "Content": " - -cx", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - -cx", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 128, - "Content": " - |", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - |", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 129, - "Content": " ", - "IsCause": true, - "Annotation": "", - "Truncated": false, - 
"Highlighted": "\u001b[38;5;37m ", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 130, - "Content": " mkdir -p /bitnami/postgresql/data", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " mkdir -p /bitnami/postgresql/data", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 131, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV003", - "AVDID": "AVD-KSV-0003", - "Title": "Default capabilities: some containers do not drop all", - "Description": "The container should drop all default capabilities and add only those that are needed for its execution.", - "Message": "Container 'metrics' of StatefulSet 'postgresql-postgresql' should add 'ALL' to 'securityContext.capabilities.drop'", - "Namespace": "builtin.kubernetes.KSV003", - "Query": "data.builtin.kubernetes.KSV003.deny", - "Resolution": "Add 'ALL' to containers[].securityContext.capabilities.drop.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv003", - "References": [ - "https://kubesec.io/basics/containers-securitycontext-capabilities-drop-index-all/", - "https://avd.aquasec.com/misconfig/ksv003" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 210, - "EndLine": 244, - "Code": { - "Lines": [ - { - "Number": 210, - "Content": " - name: metrics", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: metrics", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 211, - "Content": " image: quay.io/devtron/postgres_exporter:v0.4.7", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/postgres_exporter:v0.4.7", - "FirstCause": false, - "LastCause": false - }, - { - 
"Number": 212, - "Content": " imagePullPolicy: \"IfNotPresent\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: \u001b[38;5;37m\"IfNotPresent\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 213, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 214, - "Content": " - name: DATA_SOURCE_URI", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: DATA_SOURCE_URI", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 215, - "Content": " value: \"127.0.0.1:5432/orchestrator?sslmode=disable\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: \u001b[38;5;37m\"127.0.0.1:5432/orchestrator?sslmode=disable\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 216, - "Content": " - name: DATA_SOURCE_PASS", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: DATA_SOURCE_PASS", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 217, - "Content": " valueFrom:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalueFrom\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 218, - "Content": " secretKeyRef:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33msecretKeyRef\u001b[0m:", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 219, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV003", - "AVDID": "AVD-KSV-0003", - "Title": "Default 
capabilities: some containers do not drop all", - "Description": "The container should drop all default capabilities and add only those that are needed for its execution.", - "Message": "Container 'postgresql-postgresql' of StatefulSet 'postgresql-postgresql' should add 'ALL' to 'securityContext.capabilities.drop'", - "Namespace": "builtin.kubernetes.KSV003", - "Query": "data.builtin.kubernetes.KSV003.deny", - "Resolution": "Add 'ALL' to containers[].securityContext.capabilities.drop.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv003", - "References": [ - "https://kubesec.io/basics/containers-securitycontext-capabilities-drop-index-all/", - "https://avd.aquasec.com/misconfig/ksv003" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 149, - "EndLine": 208, - "Code": { - "Lines": [ - { - "Number": 149, - "Content": " - name: postgresql-postgresql", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-postgresql", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 150, - "Content": " image: quay.io/bitnami/postgresql:11.3.0-debian-9-r28", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/bitnami/postgresql:11.3.0-debian-9-r28", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 151, - "Content": " imagePullPolicy: \"IfNotPresent\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: \u001b[38;5;37m\"IfNotPresent\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 152, - "Content": " securityContext:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33msecurityContext\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 153, - "Content": " 
runAsUser: 1001", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1001", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 154, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 155, - "Content": " - name: BITNAMI_DEBUG", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: BITNAMI_DEBUG", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 156, - "Content": " value: \"false\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: \u001b[38;5;37m\"false\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 157, - "Content": " - name: POSTGRESQL_PORT_NUMBER", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: POSTGRESQL_PORT_NUMBER", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 158, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV011", - "AVDID": "AVD-KSV-0011", - "Title": "CPU not limited", - "Description": "Enforcing CPU limits prevents DoS via resource exhaustion.", - "Message": "Container 'init-chmod-data' of StatefulSet 'postgresql-postgresql' should set 'resources.limits.cpu'", - "Namespace": "builtin.kubernetes.KSV011", - "Query": "data.builtin.kubernetes.KSV011.deny", - "Resolution": "Set a limit value under 'containers[].resources.limits.cpu'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv011", - "References": [ - 
"https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", - "https://avd.aquasec.com/misconfig/ksv011" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 122, - "EndLine": 143, - "Code": { - "Lines": [ - { - "Number": 122, - "Content": " - name: init-chmod-data", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: init-chmod-data", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 123, - "Content": " image: \"quay.io/bitnami/minideb:latest\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/bitnami/minideb:latest\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 124, - "Content": " imagePullPolicy: \"IfNotPresent\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: \u001b[38;5;37m\"IfNotPresent\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 125, - "Content": " command:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mcommand\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 126, - "Content": " - /bin/sh", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - /bin/sh", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 127, - "Content": " - -cx", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - -cx", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 128, - "Content": " - |", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - |", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 129, - "Content": " ", - "IsCause": true, - "Annotation": 
"", - "Truncated": false, - "Highlighted": "\u001b[38;5;37m ", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 130, - "Content": " mkdir -p /bitnami/postgresql/data", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " mkdir -p /bitnami/postgresql/data", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 131, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV011", - "AVDID": "AVD-KSV-0011", - "Title": "CPU not limited", - "Description": "Enforcing CPU limits prevents DoS via resource exhaustion.", - "Message": "Container 'metrics' of StatefulSet 'postgresql-postgresql' should set 'resources.limits.cpu'", - "Namespace": "builtin.kubernetes.KSV011", - "Query": "data.builtin.kubernetes.KSV011.deny", - "Resolution": "Set a limit value under 'containers[].resources.limits.cpu'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv011", - "References": [ - "https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", - "https://avd.aquasec.com/misconfig/ksv011" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 210, - "EndLine": 244, - "Code": { - "Lines": [ - { - "Number": 210, - "Content": " - name: metrics", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: metrics", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 211, - "Content": " image: quay.io/devtron/postgres_exporter:v0.4.7", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/postgres_exporter:v0.4.7", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 212, - "Content": " imagePullPolicy: 
\"IfNotPresent\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: \u001b[38;5;37m\"IfNotPresent\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 213, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 214, - "Content": " - name: DATA_SOURCE_URI", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: DATA_SOURCE_URI", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 215, - "Content": " value: \"127.0.0.1:5432/orchestrator?sslmode=disable\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: \u001b[38;5;37m\"127.0.0.1:5432/orchestrator?sslmode=disable\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 216, - "Content": " - name: DATA_SOURCE_PASS", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: DATA_SOURCE_PASS", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 217, - "Content": " valueFrom:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalueFrom\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 218, - "Content": " secretKeyRef:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33msecretKeyRef\u001b[0m:", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 219, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV011", - "AVDID": "AVD-KSV-0011", - "Title": "CPU not limited", - "Description": "Enforcing CPU 
limits prevents DoS via resource exhaustion.", - "Message": "Container 'postgresql-postgresql' of StatefulSet 'postgresql-postgresql' should set 'resources.limits.cpu'", - "Namespace": "builtin.kubernetes.KSV011", - "Query": "data.builtin.kubernetes.KSV011.deny", - "Resolution": "Set a limit value under 'containers[].resources.limits.cpu'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv011", - "References": [ - "https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", - "https://avd.aquasec.com/misconfig/ksv011" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 149, - "EndLine": 208, - "Code": { - "Lines": [ - { - "Number": 149, - "Content": " - name: postgresql-postgresql", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-postgresql", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 150, - "Content": " image: quay.io/bitnami/postgresql:11.3.0-debian-9-r28", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/bitnami/postgresql:11.3.0-debian-9-r28", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 151, - "Content": " imagePullPolicy: \"IfNotPresent\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: \u001b[38;5;37m\"IfNotPresent\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 152, - "Content": " securityContext:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33msecurityContext\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 153, - "Content": " runAsUser: 1001", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " 
\u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1001", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 154, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 155, - "Content": " - name: BITNAMI_DEBUG", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: BITNAMI_DEBUG", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 156, - "Content": " value: \"false\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: \u001b[38;5;37m\"false\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 157, - "Content": " - name: POSTGRESQL_PORT_NUMBER", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: POSTGRESQL_PORT_NUMBER", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 158, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV012", - "AVDID": "AVD-KSV-0012", - "Title": "Runs as root user", - "Description": "Force the running image to run as a non-root user to ensure least privileges.", - "Message": "Container 'init-chmod-data' of StatefulSet 'postgresql-postgresql' should set 'securityContext.runAsNonRoot' to true", - "Namespace": "builtin.kubernetes.KSV012", - "Query": "data.builtin.kubernetes.KSV012.deny", - "Resolution": "Set 'containers[].securityContext.runAsNonRoot' to true.", - "Severity": "MEDIUM", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv012", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", - "https://avd.aquasec.com/misconfig/ksv012" - ], - "Status": 
"FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 122, - "EndLine": 143, - "Code": { - "Lines": [ - { - "Number": 122, - "Content": " - name: init-chmod-data", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: init-chmod-data", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 123, - "Content": " image: \"quay.io/bitnami/minideb:latest\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/bitnami/minideb:latest\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 124, - "Content": " imagePullPolicy: \"IfNotPresent\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: \u001b[38;5;37m\"IfNotPresent\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 125, - "Content": " command:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mcommand\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 126, - "Content": " - /bin/sh", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - /bin/sh", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 127, - "Content": " - -cx", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - -cx", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 128, - "Content": " - |", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - |", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 129, - "Content": " ", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[38;5;37m ", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 130, - "Content": " mkdir -p 
/bitnami/postgresql/data", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " mkdir -p /bitnami/postgresql/data", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 131, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV012", - "AVDID": "AVD-KSV-0012", - "Title": "Runs as root user", - "Description": "Force the running image to run as a non-root user to ensure least privileges.", - "Message": "Container 'metrics' of StatefulSet 'postgresql-postgresql' should set 'securityContext.runAsNonRoot' to true", - "Namespace": "builtin.kubernetes.KSV012", - "Query": "data.builtin.kubernetes.KSV012.deny", - "Resolution": "Set 'containers[].securityContext.runAsNonRoot' to true.", - "Severity": "MEDIUM", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv012", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", - "https://avd.aquasec.com/misconfig/ksv012" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 210, - "EndLine": 244, - "Code": { - "Lines": [ - { - "Number": 210, - "Content": " - name: metrics", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: metrics", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 211, - "Content": " image: quay.io/devtron/postgres_exporter:v0.4.7", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/postgres_exporter:v0.4.7", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 212, - "Content": " imagePullPolicy: \"IfNotPresent\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: 
\u001b[38;5;37m\"IfNotPresent\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 213, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 214, - "Content": " - name: DATA_SOURCE_URI", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: DATA_SOURCE_URI", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 215, - "Content": " value: \"127.0.0.1:5432/orchestrator?sslmode=disable\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: \u001b[38;5;37m\"127.0.0.1:5432/orchestrator?sslmode=disable\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 216, - "Content": " - name: DATA_SOURCE_PASS", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: DATA_SOURCE_PASS", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 217, - "Content": " valueFrom:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalueFrom\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 218, - "Content": " secretKeyRef:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33msecretKeyRef\u001b[0m:", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 219, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV012", - "AVDID": "AVD-KSV-0012", - "Title": "Runs as root user", - "Description": "Force the running image to run as a non-root user to ensure least privileges.", - "Message": "Container 'postgresql-postgresql' of StatefulSet 
'postgresql-postgresql' should set 'securityContext.runAsNonRoot' to true", - "Namespace": "builtin.kubernetes.KSV012", - "Query": "data.builtin.kubernetes.KSV012.deny", - "Resolution": "Set 'containers[].securityContext.runAsNonRoot' to true.", - "Severity": "MEDIUM", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv012", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", - "https://avd.aquasec.com/misconfig/ksv012" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 149, - "EndLine": 208, - "Code": { - "Lines": [ - { - "Number": 149, - "Content": " - name: postgresql-postgresql", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-postgresql", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 150, - "Content": " image: quay.io/bitnami/postgresql:11.3.0-debian-9-r28", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/bitnami/postgresql:11.3.0-debian-9-r28", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 151, - "Content": " imagePullPolicy: \"IfNotPresent\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: \u001b[38;5;37m\"IfNotPresent\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 152, - "Content": " securityContext:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33msecurityContext\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 153, - "Content": " runAsUser: 1001", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1001", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 154, - "Content": " 
env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 155, - "Content": " - name: BITNAMI_DEBUG", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: BITNAMI_DEBUG", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 156, - "Content": " value: \"false\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: \u001b[38;5;37m\"false\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 157, - "Content": " - name: POSTGRESQL_PORT_NUMBER", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: POSTGRESQL_PORT_NUMBER", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 158, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV013", - "AVDID": "AVD-KSV-0013", - "Title": "Image tag \":latest\" used", - "Description": "It is best to avoid using the ':latest' image tag when deploying containers in production. 
Doing so makes it hard to track which version of the image is running, and hard to roll back the version.", - "Message": "Container 'init-chmod-data' of StatefulSet 'postgresql-postgresql' should specify an image tag", - "Namespace": "builtin.kubernetes.KSV013", - "Query": "data.builtin.kubernetes.KSV013.deny", - "Resolution": "Use a specific container image tag that is not 'latest'.", - "Severity": "MEDIUM", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv013", - "References": [ - "https://kubernetes.io/docs/concepts/configuration/overview/#container-images", - "https://avd.aquasec.com/misconfig/ksv013" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 122, - "EndLine": 143, - "Code": { - "Lines": [ - { - "Number": 122, - "Content": " - name: init-chmod-data", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: init-chmod-data", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 123, - "Content": " image: \"quay.io/bitnami/minideb:latest\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/bitnami/minideb:latest\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 124, - "Content": " imagePullPolicy: \"IfNotPresent\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: \u001b[38;5;37m\"IfNotPresent\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 125, - "Content": " command:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mcommand\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 126, - "Content": " - /bin/sh", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - /bin/sh", - "FirstCause": false, - 
"LastCause": false - }, - { - "Number": 127, - "Content": " - -cx", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - -cx", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 128, - "Content": " - |", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - |", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 129, - "Content": " ", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[38;5;37m ", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 130, - "Content": " mkdir -p /bitnami/postgresql/data", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " mkdir -p /bitnami/postgresql/data", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 131, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV014", - "AVDID": "AVD-KSV-0014", - "Title": "Root file system is not read-only", - "Description": "An immutable root file system prevents applications from writing to their local disk. 
This can limit intrusions, as attackers will not be able to tamper with the file system or write foreign executables to disk.", - "Message": "Container 'init-chmod-data' of StatefulSet 'postgresql-postgresql' should set 'securityContext.readOnlyRootFilesystem' to true", - "Namespace": "builtin.kubernetes.KSV014", - "Query": "data.builtin.kubernetes.KSV014.deny", - "Resolution": "Change 'containers[].securityContext.readOnlyRootFilesystem' to 'true'.", - "Severity": "HIGH", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv014", - "References": [ - "https://kubesec.io/basics/containers-securitycontext-readonlyrootfilesystem-true/", - "https://avd.aquasec.com/misconfig/ksv014" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 122, - "EndLine": 143, - "Code": { - "Lines": [ - { - "Number": 122, - "Content": " - name: init-chmod-data", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: init-chmod-data", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 123, - "Content": " image: \"quay.io/bitnami/minideb:latest\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/bitnami/minideb:latest\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 124, - "Content": " imagePullPolicy: \"IfNotPresent\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: \u001b[38;5;37m\"IfNotPresent\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 125, - "Content": " command:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mcommand\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 126, - "Content": " - /bin/sh", - "IsCause": true, - "Annotation": "", - 
"Truncated": false, - "Highlighted": " - /bin/sh", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 127, - "Content": " - -cx", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - -cx", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 128, - "Content": " - |", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - |", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 129, - "Content": " ", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[38;5;37m ", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 130, - "Content": " mkdir -p /bitnami/postgresql/data", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " mkdir -p /bitnami/postgresql/data", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 131, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV014", - "AVDID": "AVD-KSV-0014", - "Title": "Root file system is not read-only", - "Description": "An immutable root file system prevents applications from writing to their local disk. 
This can limit intrusions, as attackers will not be able to tamper with the file system or write foreign executables to disk.", - "Message": "Container 'metrics' of StatefulSet 'postgresql-postgresql' should set 'securityContext.readOnlyRootFilesystem' to true", - "Namespace": "builtin.kubernetes.KSV014", - "Query": "data.builtin.kubernetes.KSV014.deny", - "Resolution": "Change 'containers[].securityContext.readOnlyRootFilesystem' to 'true'.", - "Severity": "HIGH", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv014", - "References": [ - "https://kubesec.io/basics/containers-securitycontext-readonlyrootfilesystem-true/", - "https://avd.aquasec.com/misconfig/ksv014" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 210, - "EndLine": 244, - "Code": { - "Lines": [ - { - "Number": 210, - "Content": " - name: metrics", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: metrics", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 211, - "Content": " image: quay.io/devtron/postgres_exporter:v0.4.7", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/postgres_exporter:v0.4.7", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 212, - "Content": " imagePullPolicy: \"IfNotPresent\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: \u001b[38;5;37m\"IfNotPresent\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 213, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 214, - "Content": " - name: DATA_SOURCE_URI", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " 
- \u001b[38;5;33mname\u001b[0m: DATA_SOURCE_URI", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 215, - "Content": " value: \"127.0.0.1:5432/orchestrator?sslmode=disable\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: \u001b[38;5;37m\"127.0.0.1:5432/orchestrator?sslmode=disable\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 216, - "Content": " - name: DATA_SOURCE_PASS", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: DATA_SOURCE_PASS", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 217, - "Content": " valueFrom:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalueFrom\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 218, - "Content": " secretKeyRef:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33msecretKeyRef\u001b[0m:", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 219, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV014", - "AVDID": "AVD-KSV-0014", - "Title": "Root file system is not read-only", - "Description": "An immutable root file system prevents applications from writing to their local disk. 
This can limit intrusions, as attackers will not be able to tamper with the file system or write foreign executables to disk.", - "Message": "Container 'postgresql-postgresql' of StatefulSet 'postgresql-postgresql' should set 'securityContext.readOnlyRootFilesystem' to true", - "Namespace": "builtin.kubernetes.KSV014", - "Query": "data.builtin.kubernetes.KSV014.deny", - "Resolution": "Change 'containers[].securityContext.readOnlyRootFilesystem' to 'true'.", - "Severity": "HIGH", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv014", - "References": [ - "https://kubesec.io/basics/containers-securitycontext-readonlyrootfilesystem-true/", - "https://avd.aquasec.com/misconfig/ksv014" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 149, - "EndLine": 208, - "Code": { - "Lines": [ - { - "Number": 149, - "Content": " - name: postgresql-postgresql", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-postgresql", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 150, - "Content": " image: quay.io/bitnami/postgresql:11.3.0-debian-9-r28", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/bitnami/postgresql:11.3.0-debian-9-r28", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 151, - "Content": " imagePullPolicy: \"IfNotPresent\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: \u001b[38;5;37m\"IfNotPresent\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 152, - "Content": " securityContext:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33msecurityContext\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 153, - "Content": " runAsUser: 1001", - 
"IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1001", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 154, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 155, - "Content": " - name: BITNAMI_DEBUG", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: BITNAMI_DEBUG", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 156, - "Content": " value: \"false\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: \u001b[38;5;37m\"false\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 157, - "Content": " - name: POSTGRESQL_PORT_NUMBER", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: POSTGRESQL_PORT_NUMBER", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 158, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV015", - "AVDID": "AVD-KSV-0015", - "Title": "CPU requests not specified", - "Description": "When containers have resource requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", - "Message": "Container 'init-chmod-data' of StatefulSet 'postgresql-postgresql' should set 'resources.requests.cpu'", - "Namespace": "builtin.kubernetes.KSV015", - "Query": "data.builtin.kubernetes.KSV015.deny", - "Resolution": "Set 'containers[].resources.requests.cpu'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv015", - "References": [ - 
"https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", - "https://avd.aquasec.com/misconfig/ksv015" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 122, - "EndLine": 143, - "Code": { - "Lines": [ - { - "Number": 122, - "Content": " - name: init-chmod-data", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: init-chmod-data", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 123, - "Content": " image: \"quay.io/bitnami/minideb:latest\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/bitnami/minideb:latest\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 124, - "Content": " imagePullPolicy: \"IfNotPresent\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: \u001b[38;5;37m\"IfNotPresent\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 125, - "Content": " command:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mcommand\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 126, - "Content": " - /bin/sh", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - /bin/sh", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 127, - "Content": " - -cx", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - -cx", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 128, - "Content": " - |", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - |", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 129, - "Content": " ", - "IsCause": true, - "Annotation": 
"", - "Truncated": false, - "Highlighted": "\u001b[38;5;37m ", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 130, - "Content": " mkdir -p /bitnami/postgresql/data", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " mkdir -p /bitnami/postgresql/data", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 131, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV015", - "AVDID": "AVD-KSV-0015", - "Title": "CPU requests not specified", - "Description": "When containers have resource requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", - "Message": "Container 'metrics' of StatefulSet 'postgresql-postgresql' should set 'resources.requests.cpu'", - "Namespace": "builtin.kubernetes.KSV015", - "Query": "data.builtin.kubernetes.KSV015.deny", - "Resolution": "Set 'containers[].resources.requests.cpu'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv015", - "References": [ - "https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", - "https://avd.aquasec.com/misconfig/ksv015" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 210, - "EndLine": 244, - "Code": { - "Lines": [ - { - "Number": 210, - "Content": " - name: metrics", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: metrics", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 211, - "Content": " image: quay.io/devtron/postgres_exporter:v0.4.7", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: 
quay.io/devtron/postgres_exporter:v0.4.7", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 212, - "Content": " imagePullPolicy: \"IfNotPresent\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: \u001b[38;5;37m\"IfNotPresent\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 213, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 214, - "Content": " - name: DATA_SOURCE_URI", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: DATA_SOURCE_URI", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 215, - "Content": " value: \"127.0.0.1:5432/orchestrator?sslmode=disable\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: \u001b[38;5;37m\"127.0.0.1:5432/orchestrator?sslmode=disable\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 216, - "Content": " - name: DATA_SOURCE_PASS", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: DATA_SOURCE_PASS", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 217, - "Content": " valueFrom:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalueFrom\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 218, - "Content": " secretKeyRef:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33msecretKeyRef\u001b[0m:", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 219, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - 
"Type": "Kubernetes Security Check", - "ID": "KSV015", - "AVDID": "AVD-KSV-0015", - "Title": "CPU requests not specified", - "Description": "When containers have resource requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", - "Message": "Container 'postgresql-postgresql' of StatefulSet 'postgresql-postgresql' should set 'resources.requests.cpu'", - "Namespace": "builtin.kubernetes.KSV015", - "Query": "data.builtin.kubernetes.KSV015.deny", - "Resolution": "Set 'containers[].resources.requests.cpu'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv015", - "References": [ - "https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", - "https://avd.aquasec.com/misconfig/ksv015" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 149, - "EndLine": 208, - "Code": { - "Lines": [ - { - "Number": 149, - "Content": " - name: postgresql-postgresql", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-postgresql", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 150, - "Content": " image: quay.io/bitnami/postgresql:11.3.0-debian-9-r28", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/bitnami/postgresql:11.3.0-debian-9-r28", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 151, - "Content": " imagePullPolicy: \"IfNotPresent\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: \u001b[38;5;37m\"IfNotPresent\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 152, - "Content": " securityContext:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": 
"\u001b[0m \u001b[38;5;33msecurityContext\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 153, - "Content": " runAsUser: 1001", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1001", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 154, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 155, - "Content": " - name: BITNAMI_DEBUG", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: BITNAMI_DEBUG", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 156, - "Content": " value: \"false\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: \u001b[38;5;37m\"false\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 157, - "Content": " - name: POSTGRESQL_PORT_NUMBER", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: POSTGRESQL_PORT_NUMBER", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 158, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV016", - "AVDID": "AVD-KSV-0016", - "Title": "Memory requests not specified", - "Description": "When containers have memory requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", - "Message": "Container 'init-chmod-data' of StatefulSet 'postgresql-postgresql' should set 'resources.requests.memory'", - "Namespace": "builtin.kubernetes.KSV016", - "Query": "data.builtin.kubernetes.KSV016.deny", - 
"Resolution": "Set 'containers[].resources.requests.memory'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv016", - "References": [ - "https://kubesec.io/basics/containers-resources-limits-memory/", - "https://avd.aquasec.com/misconfig/ksv016" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 122, - "EndLine": 143, - "Code": { - "Lines": [ - { - "Number": 122, - "Content": " - name: init-chmod-data", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: init-chmod-data", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 123, - "Content": " image: \"quay.io/bitnami/minideb:latest\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/bitnami/minideb:latest\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 124, - "Content": " imagePullPolicy: \"IfNotPresent\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: \u001b[38;5;37m\"IfNotPresent\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 125, - "Content": " command:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mcommand\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 126, - "Content": " - /bin/sh", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - /bin/sh", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 127, - "Content": " - -cx", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - -cx", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 128, - "Content": " - |", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - |", - 
"FirstCause": false, - "LastCause": false - }, - { - "Number": 129, - "Content": " ", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[38;5;37m ", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 130, - "Content": " mkdir -p /bitnami/postgresql/data", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " mkdir -p /bitnami/postgresql/data", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 131, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV016", - "AVDID": "AVD-KSV-0016", - "Title": "Memory requests not specified", - "Description": "When containers have memory requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", - "Message": "Container 'metrics' of StatefulSet 'postgresql-postgresql' should set 'resources.requests.memory'", - "Namespace": "builtin.kubernetes.KSV016", - "Query": "data.builtin.kubernetes.KSV016.deny", - "Resolution": "Set 'containers[].resources.requests.memory'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv016", - "References": [ - "https://kubesec.io/basics/containers-resources-limits-memory/", - "https://avd.aquasec.com/misconfig/ksv016" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 210, - "EndLine": 244, - "Code": { - "Lines": [ - { - "Number": 210, - "Content": " - name: metrics", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: metrics", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 211, - "Content": " image: quay.io/devtron/postgres_exporter:v0.4.7", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": 
" \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/postgres_exporter:v0.4.7", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 212, - "Content": " imagePullPolicy: \"IfNotPresent\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: \u001b[38;5;37m\"IfNotPresent\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 213, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 214, - "Content": " - name: DATA_SOURCE_URI", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: DATA_SOURCE_URI", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 215, - "Content": " value: \"127.0.0.1:5432/orchestrator?sslmode=disable\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: \u001b[38;5;37m\"127.0.0.1:5432/orchestrator?sslmode=disable\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 216, - "Content": " - name: DATA_SOURCE_PASS", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: DATA_SOURCE_PASS", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 217, - "Content": " valueFrom:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalueFrom\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 218, - "Content": " secretKeyRef:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33msecretKeyRef\u001b[0m:", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 219, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": 
false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV016", - "AVDID": "AVD-KSV-0016", - "Title": "Memory requests not specified", - "Description": "When containers have memory requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", - "Message": "Container 'postgresql-postgresql' of StatefulSet 'postgresql-postgresql' should set 'resources.requests.memory'", - "Namespace": "builtin.kubernetes.KSV016", - "Query": "data.builtin.kubernetes.KSV016.deny", - "Resolution": "Set 'containers[].resources.requests.memory'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv016", - "References": [ - "https://kubesec.io/basics/containers-resources-limits-memory/", - "https://avd.aquasec.com/misconfig/ksv016" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 149, - "EndLine": 208, - "Code": { - "Lines": [ - { - "Number": 149, - "Content": " - name: postgresql-postgresql", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-postgresql", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 150, - "Content": " image: quay.io/bitnami/postgresql:11.3.0-debian-9-r28", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/bitnami/postgresql:11.3.0-debian-9-r28", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 151, - "Content": " imagePullPolicy: \"IfNotPresent\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: \u001b[38;5;37m\"IfNotPresent\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 152, - "Content": " securityContext:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m 
\u001b[38;5;33msecurityContext\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 153, - "Content": " runAsUser: 1001", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1001", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 154, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 155, - "Content": " - name: BITNAMI_DEBUG", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: BITNAMI_DEBUG", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 156, - "Content": " value: \"false\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: \u001b[38;5;37m\"false\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 157, - "Content": " - name: POSTGRESQL_PORT_NUMBER", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: POSTGRESQL_PORT_NUMBER", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 158, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV018", - "AVDID": "AVD-KSV-0018", - "Title": "Memory not limited", - "Description": "Enforcing memory limits prevents DoS via resource exhaustion.", - "Message": "Container 'init-chmod-data' of StatefulSet 'postgresql-postgresql' should set 'resources.limits.memory'", - "Namespace": "builtin.kubernetes.KSV018", - "Query": "data.builtin.kubernetes.KSV018.deny", - "Resolution": "Set a limit value under 'containers[].resources.limits.memory'.", - "Severity": "LOW", - "PrimaryURL": 
"https://avd.aquasec.com/misconfig/ksv018", - "References": [ - "https://kubesec.io/basics/containers-resources-limits-memory/", - "https://avd.aquasec.com/misconfig/ksv018" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 122, - "EndLine": 143, - "Code": { - "Lines": [ - { - "Number": 122, - "Content": " - name: init-chmod-data", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: init-chmod-data", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 123, - "Content": " image: \"quay.io/bitnami/minideb:latest\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/bitnami/minideb:latest\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 124, - "Content": " imagePullPolicy: \"IfNotPresent\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: \u001b[38;5;37m\"IfNotPresent\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 125, - "Content": " command:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mcommand\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 126, - "Content": " - /bin/sh", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - /bin/sh", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 127, - "Content": " - -cx", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - -cx", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 128, - "Content": " - |", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - |", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 129, - "Content": " ", - "IsCause": true, - 
"Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[38;5;37m ", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 130, - "Content": " mkdir -p /bitnami/postgresql/data", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " mkdir -p /bitnami/postgresql/data", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 131, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV018", - "AVDID": "AVD-KSV-0018", - "Title": "Memory not limited", - "Description": "Enforcing memory limits prevents DoS via resource exhaustion.", - "Message": "Container 'metrics' of StatefulSet 'postgresql-postgresql' should set 'resources.limits.memory'", - "Namespace": "builtin.kubernetes.KSV018", - "Query": "data.builtin.kubernetes.KSV018.deny", - "Resolution": "Set a limit value under 'containers[].resources.limits.memory'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv018", - "References": [ - "https://kubesec.io/basics/containers-resources-limits-memory/", - "https://avd.aquasec.com/misconfig/ksv018" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 210, - "EndLine": 244, - "Code": { - "Lines": [ - { - "Number": 210, - "Content": " - name: metrics", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: metrics", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 211, - "Content": " image: quay.io/devtron/postgres_exporter:v0.4.7", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/postgres_exporter:v0.4.7", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 212, - "Content": " imagePullPolicy: \"IfNotPresent\"", - 
"IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: \u001b[38;5;37m\"IfNotPresent\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 213, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 214, - "Content": " - name: DATA_SOURCE_URI", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: DATA_SOURCE_URI", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 215, - "Content": " value: \"127.0.0.1:5432/orchestrator?sslmode=disable\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: \u001b[38;5;37m\"127.0.0.1:5432/orchestrator?sslmode=disable\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 216, - "Content": " - name: DATA_SOURCE_PASS", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: DATA_SOURCE_PASS", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 217, - "Content": " valueFrom:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalueFrom\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 218, - "Content": " secretKeyRef:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33msecretKeyRef\u001b[0m:", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 219, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV018", - "AVDID": "AVD-KSV-0018", - "Title": "Memory not limited", - "Description": "Enforcing memory limits prevents DoS 
via resource exhaustion.", - "Message": "Container 'postgresql-postgresql' of StatefulSet 'postgresql-postgresql' should set 'resources.limits.memory'", - "Namespace": "builtin.kubernetes.KSV018", - "Query": "data.builtin.kubernetes.KSV018.deny", - "Resolution": "Set a limit value under 'containers[].resources.limits.memory'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv018", - "References": [ - "https://kubesec.io/basics/containers-resources-limits-memory/", - "https://avd.aquasec.com/misconfig/ksv018" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 149, - "EndLine": 208, - "Code": { - "Lines": [ - { - "Number": 149, - "Content": " - name: postgresql-postgresql", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-postgresql", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 150, - "Content": " image: quay.io/bitnami/postgresql:11.3.0-debian-9-r28", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/bitnami/postgresql:11.3.0-debian-9-r28", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 151, - "Content": " imagePullPolicy: \"IfNotPresent\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: \u001b[38;5;37m\"IfNotPresent\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 152, - "Content": " securityContext:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33msecurityContext\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 153, - "Content": " runAsUser: 1001", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1001", - "FirstCause": false, - 
"LastCause": false - }, - { - "Number": 154, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 155, - "Content": " - name: BITNAMI_DEBUG", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: BITNAMI_DEBUG", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 156, - "Content": " value: \"false\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: \u001b[38;5;37m\"false\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 157, - "Content": " - name: POSTGRESQL_PORT_NUMBER", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: POSTGRESQL_PORT_NUMBER", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 158, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV020", - "AVDID": "AVD-KSV-0020", - "Title": "Runs with UID \u003c= 10000", - "Description": "Force the container to run with user ID \u003e 10000 to avoid conflicts with the host’s user table.", - "Message": "Container 'init-chmod-data' of StatefulSet 'postgresql-postgresql' should set 'securityContext.runAsUser' \u003e 10000", - "Namespace": "builtin.kubernetes.KSV020", - "Query": "data.builtin.kubernetes.KSV020.deny", - "Resolution": "Set 'containers[].securityContext.runAsUser' to an integer \u003e 10000.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv020", - "References": [ - "https://kubesec.io/basics/containers-securitycontext-runasuser/", - "https://avd.aquasec.com/misconfig/ksv020" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - 
"Provider": "Kubernetes", - "Service": "general", - "StartLine": 122, - "EndLine": 143, - "Code": { - "Lines": [ - { - "Number": 122, - "Content": " - name: init-chmod-data", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: init-chmod-data", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 123, - "Content": " image: \"quay.io/bitnami/minideb:latest\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/bitnami/minideb:latest\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 124, - "Content": " imagePullPolicy: \"IfNotPresent\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: \u001b[38;5;37m\"IfNotPresent\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 125, - "Content": " command:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mcommand\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 126, - "Content": " - /bin/sh", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - /bin/sh", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 127, - "Content": " - -cx", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - -cx", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 128, - "Content": " - |", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - |", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 129, - "Content": " ", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[38;5;37m ", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 130, - "Content": " mkdir -p /bitnami/postgresql/data", - "IsCause": true, - "Annotation": "", - 
"Truncated": false, - "Highlighted": " mkdir -p /bitnami/postgresql/data", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 131, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV020", - "AVDID": "AVD-KSV-0020", - "Title": "Runs with UID \u003c= 10000", - "Description": "Force the container to run with user ID \u003e 10000 to avoid conflicts with the host’s user table.", - "Message": "Container 'metrics' of StatefulSet 'postgresql-postgresql' should set 'securityContext.runAsUser' \u003e 10000", - "Namespace": "builtin.kubernetes.KSV020", - "Query": "data.builtin.kubernetes.KSV020.deny", - "Resolution": "Set 'containers[].securityContext.runAsUser' to an integer \u003e 10000.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv020", - "References": [ - "https://kubesec.io/basics/containers-securitycontext-runasuser/", - "https://avd.aquasec.com/misconfig/ksv020" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 210, - "EndLine": 244, - "Code": { - "Lines": [ - { - "Number": 210, - "Content": " - name: metrics", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: metrics", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 211, - "Content": " image: quay.io/devtron/postgres_exporter:v0.4.7", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/postgres_exporter:v0.4.7", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 212, - "Content": " imagePullPolicy: \"IfNotPresent\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: \u001b[38;5;37m\"IfNotPresent\"", - "FirstCause": 
false, - "LastCause": false - }, - { - "Number": 213, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 214, - "Content": " - name: DATA_SOURCE_URI", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: DATA_SOURCE_URI", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 215, - "Content": " value: \"127.0.0.1:5432/orchestrator?sslmode=disable\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: \u001b[38;5;37m\"127.0.0.1:5432/orchestrator?sslmode=disable\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 216, - "Content": " - name: DATA_SOURCE_PASS", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: DATA_SOURCE_PASS", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 217, - "Content": " valueFrom:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalueFrom\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 218, - "Content": " secretKeyRef:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33msecretKeyRef\u001b[0m:", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 219, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV020", - "AVDID": "AVD-KSV-0020", - "Title": "Runs with UID \u003c= 10000", - "Description": "Force the container to run with user ID \u003e 10000 to avoid conflicts with the host’s user table.", - "Message": "Container 'postgresql-postgresql' of StatefulSet 'postgresql-postgresql' should 
set 'securityContext.runAsUser' \u003e 10000", - "Namespace": "builtin.kubernetes.KSV020", - "Query": "data.builtin.kubernetes.KSV020.deny", - "Resolution": "Set 'containers[].securityContext.runAsUser' to an integer \u003e 10000.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv020", - "References": [ - "https://kubesec.io/basics/containers-securitycontext-runasuser/", - "https://avd.aquasec.com/misconfig/ksv020" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 149, - "EndLine": 208, - "Code": { - "Lines": [ - { - "Number": 149, - "Content": " - name: postgresql-postgresql", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-postgresql", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 150, - "Content": " image: quay.io/bitnami/postgresql:11.3.0-debian-9-r28", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/bitnami/postgresql:11.3.0-debian-9-r28", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 151, - "Content": " imagePullPolicy: \"IfNotPresent\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: \u001b[38;5;37m\"IfNotPresent\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 152, - "Content": " securityContext:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33msecurityContext\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 153, - "Content": " runAsUser: 1001", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1001", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 154, - "Content": " env:", - "IsCause": true, - 
"Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 155, - "Content": " - name: BITNAMI_DEBUG", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: BITNAMI_DEBUG", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 156, - "Content": " value: \"false\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: \u001b[38;5;37m\"false\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 157, - "Content": " - name: POSTGRESQL_PORT_NUMBER", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: POSTGRESQL_PORT_NUMBER", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 158, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV021", - "AVDID": "AVD-KSV-0021", - "Title": "Runs with GID \u003c= 10000", - "Description": "Force the container to run with group ID \u003e 10000 to avoid conflicts with the host’s user table.", - "Message": "Container 'init-chmod-data' of StatefulSet 'postgresql-postgresql' should set 'securityContext.runAsGroup' \u003e 10000", - "Namespace": "builtin.kubernetes.KSV021", - "Query": "data.builtin.kubernetes.KSV021.deny", - "Resolution": "Set 'containers[].securityContext.runAsGroup' to an integer \u003e 10000.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv021", - "References": [ - "https://kubesec.io/basics/containers-securitycontext-runasuser/", - "https://avd.aquasec.com/misconfig/ksv021" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 122, - "EndLine": 143, - 
"Code": { - "Lines": [ - { - "Number": 122, - "Content": " - name: init-chmod-data", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: init-chmod-data", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 123, - "Content": " image: \"quay.io/bitnami/minideb:latest\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/bitnami/minideb:latest\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 124, - "Content": " imagePullPolicy: \"IfNotPresent\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: \u001b[38;5;37m\"IfNotPresent\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 125, - "Content": " command:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mcommand\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 126, - "Content": " - /bin/sh", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - /bin/sh", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 127, - "Content": " - -cx", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - -cx", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 128, - "Content": " - |", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - |", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 129, - "Content": " ", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[38;5;37m ", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 130, - "Content": " mkdir -p /bitnami/postgresql/data", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " mkdir -p /bitnami/postgresql/data", - "FirstCause": 
false, - "LastCause": true - }, - { - "Number": 131, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV021", - "AVDID": "AVD-KSV-0021", - "Title": "Runs with GID \u003c= 10000", - "Description": "Force the container to run with group ID \u003e 10000 to avoid conflicts with the host’s user table.", - "Message": "Container 'metrics' of StatefulSet 'postgresql-postgresql' should set 'securityContext.runAsGroup' \u003e 10000", - "Namespace": "builtin.kubernetes.KSV021", - "Query": "data.builtin.kubernetes.KSV021.deny", - "Resolution": "Set 'containers[].securityContext.runAsGroup' to an integer \u003e 10000.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv021", - "References": [ - "https://kubesec.io/basics/containers-securitycontext-runasuser/", - "https://avd.aquasec.com/misconfig/ksv021" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 210, - "EndLine": 244, - "Code": { - "Lines": [ - { - "Number": 210, - "Content": " - name: metrics", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: metrics", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 211, - "Content": " image: quay.io/devtron/postgres_exporter:v0.4.7", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/postgres_exporter:v0.4.7", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 212, - "Content": " imagePullPolicy: \"IfNotPresent\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: \u001b[38;5;37m\"IfNotPresent\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 213, - "Content": " env:", - "IsCause": 
true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 214, - "Content": " - name: DATA_SOURCE_URI", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: DATA_SOURCE_URI", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 215, - "Content": " value: \"127.0.0.1:5432/orchestrator?sslmode=disable\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: \u001b[38;5;37m\"127.0.0.1:5432/orchestrator?sslmode=disable\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 216, - "Content": " - name: DATA_SOURCE_PASS", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: DATA_SOURCE_PASS", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 217, - "Content": " valueFrom:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalueFrom\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 218, - "Content": " secretKeyRef:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33msecretKeyRef\u001b[0m:", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 219, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV021", - "AVDID": "AVD-KSV-0021", - "Title": "Runs with GID \u003c= 10000", - "Description": "Force the container to run with group ID \u003e 10000 to avoid conflicts with the host’s user table.", - "Message": "Container 'postgresql-postgresql' of StatefulSet 'postgresql-postgresql' should set 'securityContext.runAsGroup' \u003e 10000", - "Namespace": 
"builtin.kubernetes.KSV021", - "Query": "data.builtin.kubernetes.KSV021.deny", - "Resolution": "Set 'containers[].securityContext.runAsGroup' to an integer \u003e 10000.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv021", - "References": [ - "https://kubesec.io/basics/containers-securitycontext-runasuser/", - "https://avd.aquasec.com/misconfig/ksv021" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 149, - "EndLine": 208, - "Code": { - "Lines": [ - { - "Number": 149, - "Content": " - name: postgresql-postgresql", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-postgresql", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 150, - "Content": " image: quay.io/bitnami/postgresql:11.3.0-debian-9-r28", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/bitnami/postgresql:11.3.0-debian-9-r28", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 151, - "Content": " imagePullPolicy: \"IfNotPresent\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: \u001b[38;5;37m\"IfNotPresent\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 152, - "Content": " securityContext:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33msecurityContext\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 153, - "Content": " runAsUser: 1001", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1001", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 154, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m 
\u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 155, - "Content": " - name: BITNAMI_DEBUG", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: BITNAMI_DEBUG", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 156, - "Content": " value: \"false\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: \u001b[38;5;37m\"false\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 157, - "Content": " - name: POSTGRESQL_PORT_NUMBER", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: POSTGRESQL_PORT_NUMBER", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 158, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV030", - "AVDID": "AVD-KSV-0030", - "Title": "Runtime/Default Seccomp profile not set", - "Description": "According to pod security standard 'Seccomp', the RuntimeDefault seccomp profile must be required, or allow specific additional profiles.", - "Message": "Either Pod or Container should set 'securityContext.seccompProfile.type' to 'RuntimeDefault'", - "Namespace": "builtin.kubernetes.KSV030", - "Query": "data.builtin.kubernetes.KSV030.deny", - "Resolution": "Set 'spec.securityContext.seccompProfile.type', 'spec.containers[*].securityContext.seccompProfile' and 'spec.initContainers[*].securityContext.seccompProfile' to 'RuntimeDefault' or undefined.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv030", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", - "https://avd.aquasec.com/misconfig/ksv030" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - 
"Provider": "Kubernetes", - "Service": "general", - "StartLine": 210, - "EndLine": 244, - "Code": { - "Lines": [ - { - "Number": 210, - "Content": " - name: metrics", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: metrics", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 211, - "Content": " image: quay.io/devtron/postgres_exporter:v0.4.7", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/postgres_exporter:v0.4.7", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 212, - "Content": " imagePullPolicy: \"IfNotPresent\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: \u001b[38;5;37m\"IfNotPresent\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 213, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 214, - "Content": " - name: DATA_SOURCE_URI", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: DATA_SOURCE_URI", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 215, - "Content": " value: \"127.0.0.1:5432/orchestrator?sslmode=disable\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: \u001b[38;5;37m\"127.0.0.1:5432/orchestrator?sslmode=disable\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 216, - "Content": " - name: DATA_SOURCE_PASS", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: DATA_SOURCE_PASS", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 217, - "Content": " valueFrom:", - "IsCause": true, - 
"Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalueFrom\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 218, - "Content": " secretKeyRef:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33msecretKeyRef\u001b[0m:", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 219, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV030", - "AVDID": "AVD-KSV-0030", - "Title": "Runtime/Default Seccomp profile not set", - "Description": "According to pod security standard 'Seccomp', the RuntimeDefault seccomp profile must be required, or allow specific additional profiles.", - "Message": "Either Pod or Container should set 'securityContext.seccompProfile.type' to 'RuntimeDefault'", - "Namespace": "builtin.kubernetes.KSV030", - "Query": "data.builtin.kubernetes.KSV030.deny", - "Resolution": "Set 'spec.securityContext.seccompProfile.type', 'spec.containers[*].securityContext.seccompProfile' and 'spec.initContainers[*].securityContext.seccompProfile' to 'RuntimeDefault' or undefined.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv030", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", - "https://avd.aquasec.com/misconfig/ksv030" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 149, - "EndLine": 208, - "Code": { - "Lines": [ - { - "Number": 149, - "Content": " - name: postgresql-postgresql", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-postgresql", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 150, - "Content": " image: quay.io/bitnami/postgresql:11.3.0-debian-9-r28", - 
"IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/bitnami/postgresql:11.3.0-debian-9-r28", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 151, - "Content": " imagePullPolicy: \"IfNotPresent\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: \u001b[38;5;37m\"IfNotPresent\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 152, - "Content": " securityContext:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33msecurityContext\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 153, - "Content": " runAsUser: 1001", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1001", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 154, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 155, - "Content": " - name: BITNAMI_DEBUG", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: BITNAMI_DEBUG", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 156, - "Content": " value: \"false\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: \u001b[38;5;37m\"false\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 157, - "Content": " - name: POSTGRESQL_PORT_NUMBER", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: POSTGRESQL_PORT_NUMBER", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 158, - "Content": "", - "IsCause": false, - "Annotation": "", - 
"Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV030", - "AVDID": "AVD-KSV-0030", - "Title": "Runtime/Default Seccomp profile not set", - "Description": "According to pod security standard 'Seccomp', the RuntimeDefault seccomp profile must be required, or allow specific additional profiles.", - "Message": "Either Pod or Container should set 'securityContext.seccompProfile.type' to 'RuntimeDefault'", - "Namespace": "builtin.kubernetes.KSV030", - "Query": "data.builtin.kubernetes.KSV030.deny", - "Resolution": "Set 'spec.securityContext.seccompProfile.type', 'spec.containers[*].securityContext.seccompProfile' and 'spec.initContainers[*].securityContext.seccompProfile' to 'RuntimeDefault' or undefined.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv030", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", - "https://avd.aquasec.com/misconfig/ksv030" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 122, - "EndLine": 143, - "Code": { - "Lines": [ - { - "Number": 122, - "Content": " - name: init-chmod-data", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: init-chmod-data", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 123, - "Content": " image: \"quay.io/bitnami/minideb:latest\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/bitnami/minideb:latest\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 124, - "Content": " imagePullPolicy: \"IfNotPresent\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: \u001b[38;5;37m\"IfNotPresent\"", - "FirstCause": false, - 
"LastCause": false - }, - { - "Number": 125, - "Content": " command:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mcommand\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 126, - "Content": " - /bin/sh", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - /bin/sh", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 127, - "Content": " - -cx", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - -cx", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 128, - "Content": " - |", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - |", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 129, - "Content": " ", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[38;5;37m ", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 130, - "Content": " mkdir -p /bitnami/postgresql/data", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " mkdir -p /bitnami/postgresql/data", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 131, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV104", - "AVDID": "AVD-KSV-0104", - "Title": "Seccomp policies disabled", - "Description": "A program inside the container can bypass Seccomp protection policies.", - "Message": "container \"init-chmod-data\" of statefulset \"postgresql-postgresql\" in \"default\" namespace should specify a seccomp profile", - "Namespace": "builtin.kubernetes.KSV104", - "Query": "data.builtin.kubernetes.KSV104.deny", - "Resolution": "Specify seccomp either by annotation or by seccomp profile type having allowed values as per pod security standards", - "Severity": "MEDIUM", - 
"PrimaryURL": "https://avd.aquasec.com/misconfig/ksv104", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline", - "https://avd.aquasec.com/misconfig/ksv104" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 90, - "EndLine": 90, - "Code": { - "Lines": [ - { - "Number": 90, - "Content": "---", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "---", - "FirstCause": true, - "LastCause": true - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV104", - "AVDID": "AVD-KSV-0104", - "Title": "Seccomp policies disabled", - "Description": "A program inside the container can bypass Seccomp protection policies.", - "Message": "container \"metrics\" of statefulset \"postgresql-postgresql\" in \"default\" namespace should specify a seccomp profile", - "Namespace": "builtin.kubernetes.KSV104", - "Query": "data.builtin.kubernetes.KSV104.deny", - "Resolution": "Specify seccomp either by annotation or by seccomp profile type having allowed values as per pod security standards", - "Severity": "MEDIUM", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv104", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline", - "https://avd.aquasec.com/misconfig/ksv104" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 90, - "EndLine": 90, - "Code": { - "Lines": [ - { - "Number": 90, - "Content": "---", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "---", - "FirstCause": true, - "LastCause": true - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV104", - "AVDID": "AVD-KSV-0104", - "Title": "Seccomp policies disabled", - "Description": "A program inside the container can bypass Seccomp protection policies.", - "Message": "container 
\"postgresql-postgresql\" of statefulset \"postgresql-postgresql\" in \"default\" namespace should specify a seccomp profile", - "Namespace": "builtin.kubernetes.KSV104", - "Query": "data.builtin.kubernetes.KSV104.deny", - "Resolution": "Specify seccomp either by annotation or by seccomp profile type having allowed values as per pod security standards", - "Severity": "MEDIUM", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv104", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline", - "https://avd.aquasec.com/misconfig/ksv104" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 90, - "EndLine": 90, - "Code": { - "Lines": [ - { - "Number": 90, - "Content": "---", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "---", - "FirstCause": true, - "LastCause": true - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV105", - "AVDID": "AVD-KSV-0105", - "Title": "Containers must not set runAsUser to 0", - "Description": "Containers should be forbidden from running with a root UID.", - "Message": "securityContext.runAsUser should be set to a value greater than 0", - "Namespace": "builtin.kubernetes.KSV105", - "Query": "data.builtin.kubernetes.KSV105.deny", - "Resolution": "Set 'securityContext.runAsUser' to a non-zero integer or leave undefined.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv105", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", - "https://avd.aquasec.com/misconfig/ksv105" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 136, - "EndLine": 136, - "Code": { - "Lines": [ - { - "Number": 136, - "Content": " runAsUser: 0", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " 
\u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m0", - "FirstCause": true, - "LastCause": true - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV106", - "AVDID": "AVD-KSV-0106", - "Title": "Container capabilities must only include NET_BIND_SERVICE", - "Description": "Containers must drop ALL capabilities, and are only permitted to add back the NET_BIND_SERVICE capability.", - "Message": "container should drop all", - "Namespace": "builtin.kubernetes.KSV106", - "Query": "data.builtin.kubernetes.KSV106.deny", - "Resolution": "Set 'spec.containers[*].securityContext.capabilities.drop' to 'ALL' and only add 'NET_BIND_SERVICE' to 'spec.containers[*].securityContext.capabilities.add'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv106", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", - "https://avd.aquasec.com/misconfig/ksv106" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 122, - "EndLine": 143, - "Code": { - "Lines": [ - { - "Number": 122, - "Content": " - name: init-chmod-data", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: init-chmod-data", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 123, - "Content": " image: \"quay.io/bitnami/minideb:latest\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/bitnami/minideb:latest\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 124, - "Content": " imagePullPolicy: \"IfNotPresent\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: \u001b[38;5;37m\"IfNotPresent\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 125, - "Content": " command:", - "IsCause": 
true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mcommand\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 126, - "Content": " - /bin/sh", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - /bin/sh", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 127, - "Content": " - -cx", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - -cx", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 128, - "Content": " - |", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - |", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 129, - "Content": " ", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[38;5;37m ", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 130, - "Content": " mkdir -p /bitnami/postgresql/data", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " mkdir -p /bitnami/postgresql/data", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 131, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV106", - "AVDID": "AVD-KSV-0106", - "Title": "Container capabilities must only include NET_BIND_SERVICE", - "Description": "Containers must drop ALL capabilities, and are only permitted to add back the NET_BIND_SERVICE capability.", - "Message": "container should drop all", - "Namespace": "builtin.kubernetes.KSV106", - "Query": "data.builtin.kubernetes.KSV106.deny", - "Resolution": "Set 'spec.containers[*].securityContext.capabilities.drop' to 'ALL' and only add 'NET_BIND_SERVICE' to 'spec.containers[*].securityContext.capabilities.add'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv106", - "References": [ - 
"https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", - "https://avd.aquasec.com/misconfig/ksv106" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 149, - "EndLine": 208, - "Code": { - "Lines": [ - { - "Number": 149, - "Content": " - name: postgresql-postgresql", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-postgresql", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 150, - "Content": " image: quay.io/bitnami/postgresql:11.3.0-debian-9-r28", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/bitnami/postgresql:11.3.0-debian-9-r28", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 151, - "Content": " imagePullPolicy: \"IfNotPresent\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: \u001b[38;5;37m\"IfNotPresent\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 152, - "Content": " securityContext:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33msecurityContext\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 153, - "Content": " runAsUser: 1001", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1001", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 154, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 155, - "Content": " - name: BITNAMI_DEBUG", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: 
BITNAMI_DEBUG", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 156, - "Content": " value: \"false\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: \u001b[38;5;37m\"false\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 157, - "Content": " - name: POSTGRESQL_PORT_NUMBER", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: POSTGRESQL_PORT_NUMBER", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 158, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV106", - "AVDID": "AVD-KSV-0106", - "Title": "Container capabilities must only include NET_BIND_SERVICE", - "Description": "Containers must drop ALL capabilities, and are only permitted to add back the NET_BIND_SERVICE capability.", - "Message": "container should drop all", - "Namespace": "builtin.kubernetes.KSV106", - "Query": "data.builtin.kubernetes.KSV106.deny", - "Resolution": "Set 'spec.containers[*].securityContext.capabilities.drop' to 'ALL' and only add 'NET_BIND_SERVICE' to 'spec.containers[*].securityContext.capabilities.add'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv106", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", - "https://avd.aquasec.com/misconfig/ksv106" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 210, - "EndLine": 244, - "Code": { - "Lines": [ - { - "Number": 210, - "Content": " - name: metrics", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: metrics", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 211, - "Content": " 
image: quay.io/devtron/postgres_exporter:v0.4.7", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/postgres_exporter:v0.4.7", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 212, - "Content": " imagePullPolicy: \"IfNotPresent\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: \u001b[38;5;37m\"IfNotPresent\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 213, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 214, - "Content": " - name: DATA_SOURCE_URI", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: DATA_SOURCE_URI", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 215, - "Content": " value: \"127.0.0.1:5432/orchestrator?sslmode=disable\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: \u001b[38;5;37m\"127.0.0.1:5432/orchestrator?sslmode=disable\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 216, - "Content": " - name: DATA_SOURCE_PASS", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: DATA_SOURCE_PASS", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 217, - "Content": " valueFrom:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalueFrom\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 218, - "Content": " secretKeyRef:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33msecretKeyRef\u001b[0m:", - "FirstCause": false, - "LastCause": true - }, - { - 
"Number": 219, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - } - ] - }, - { - "Target": "manifests/install/devtron-installer.yaml", - "Class": "config", - "Type": "kubernetes", - "MisconfSummary": { - "Successes": 153, - "Failures": 0, - "Exceptions": 0 - } - }, - { - "Target": "manifests/install/devtron-operator-configs.yaml", - "Class": "config", - "Type": "kubernetes", - "MisconfSummary": { - "Successes": 153, - "Failures": 1, - "Exceptions": 0 - }, - "Misconfigurations": [ - { - "Type": "Kubernetes Security Check", - "ID": "AVD-KSV-01010", - "AVDID": "AVD-KSV-01010", - "Title": "ConfigMap with sensitive content", - "Description": "Storing sensitive content such as usernames and email addresses in configMaps is unsafe", - "Message": "ConfigMap 'devtron-operator-cm' in 'devtroncd' namespace stores sensitive contents in key(s) or value(s) '{\"BLOB_STORAGE_PROVIDER\"}'", - "Namespace": "builtin.kubernetes.KSV01010", - "Query": "data.builtin.kubernetes.KSV01010.deny", - "Resolution": "Remove sensitive content from configMap data value", - "Severity": "MEDIUM", - "PrimaryURL": "https://avd.aquasec.com/misconfig/avd-ksv-01010", - "References": [ - "https://avd.aquasec.com/misconfig/avd-ksv-01010" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 15, - "EndLine": 15, - "Code": { - "Lines": [ - { - "Number": 15, - "Content": "---", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "---", - "FirstCause": true, - "LastCause": true - } - ] - } - } - } - ] - }, - { - "Target": "manifests/install/install.yaml", - "Class": "config", - "Type": "kubernetes", - "MisconfSummary": { - "Successes": 153, - "Failures": 14, - "Exceptions": 0 - }, - "Misconfigurations": [ - { - "Type": "Kubernetes Security Check", - "ID": "KSV001", - "AVDID": "AVD-KSV-0001", - "Title": "Can elevate its own 
privileges", - "Description": "A program inside the container can elevate its own privileges and run as root, which might give the program control over the container and node.", - "Message": "Container 'inception' of Deployment 'inception' should set 'securityContext.allowPrivilegeEscalation' to false", - "Namespace": "builtin.kubernetes.KSV001", - "Query": "data.builtin.kubernetes.KSV001.deny", - "Resolution": "Set 'set containers[].securityContext.allowPrivilegeEscalation' to 'false'.", - "Severity": "MEDIUM", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv001", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", - "https://avd.aquasec.com/misconfig/ksv001" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 81, - "EndLine": 88, - "Code": { - "Lines": [ - { - "Number": 81, - "Content": " image: quay.io/devtron/inception:473deaa4-185-21582", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/inception:473deaa4-185-21582", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 82, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 83, - "Content": " name: inception", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mname\u001b[0m: inception", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 84, - "Content": " ports:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mports\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 85, - "Content": " -", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " -", 
- "FirstCause": false, - "LastCause": false - }, - { - "Number": 86, - "Content": " containerPort: 8080", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m8080", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 87, - "Content": " name: app", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mname\u001b[0m: app", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 88, - "Content": " protocol: TCP", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mprotocol\u001b[0m: TCP", - "FirstCause": false, - "LastCause": true - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV003", - "AVDID": "AVD-KSV-0003", - "Title": "Default capabilities: some containers do not drop all", - "Description": "The container should drop all default capabilities and add only those that are needed for its execution.", - "Message": "Container 'inception' of Deployment 'inception' should add 'ALL' to 'securityContext.capabilities.drop'", - "Namespace": "builtin.kubernetes.KSV003", - "Query": "data.builtin.kubernetes.KSV003.deny", - "Resolution": "Add 'ALL' to containers[].securityContext.capabilities.drop.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv003", - "References": [ - "https://kubesec.io/basics/containers-securitycontext-capabilities-drop-index-all/", - "https://avd.aquasec.com/misconfig/ksv003" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 81, - "EndLine": 88, - "Code": { - "Lines": [ - { - "Number": 81, - "Content": " image: quay.io/devtron/inception:473deaa4-185-21582", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/inception:473deaa4-185-21582", - "FirstCause": 
true, - "LastCause": false - }, - { - "Number": 82, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 83, - "Content": " name: inception", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mname\u001b[0m: inception", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 84, - "Content": " ports:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mports\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 85, - "Content": " -", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " -", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 86, - "Content": " containerPort: 8080", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m8080", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 87, - "Content": " name: app", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mname\u001b[0m: app", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 88, - "Content": " protocol: TCP", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mprotocol\u001b[0m: TCP", - "FirstCause": false, - "LastCause": true - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV011", - "AVDID": "AVD-KSV-0011", - "Title": "CPU not limited", - "Description": "Enforcing CPU limits prevents DoS via resource exhaustion.", - "Message": "Container 'inception' of Deployment 'inception' should set 'resources.limits.cpu'", - "Namespace": "builtin.kubernetes.KSV011", - "Query": "data.builtin.kubernetes.KSV011.deny", - "Resolution": "Set 
a limit value under 'containers[].resources.limits.cpu'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv011", - "References": [ - "https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", - "https://avd.aquasec.com/misconfig/ksv011" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 81, - "EndLine": 88, - "Code": { - "Lines": [ - { - "Number": 81, - "Content": " image: quay.io/devtron/inception:473deaa4-185-21582", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/inception:473deaa4-185-21582", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 82, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 83, - "Content": " name: inception", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mname\u001b[0m: inception", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 84, - "Content": " ports:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mports\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 85, - "Content": " -", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " -", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 86, - "Content": " containerPort: 8080", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m8080", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 87, - "Content": " name: app", - "IsCause": true, - "Annotation": "", - "Truncated": 
false, - "Highlighted": "\u001b[0m \u001b[38;5;33mname\u001b[0m: app", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 88, - "Content": " protocol: TCP", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mprotocol\u001b[0m: TCP", - "FirstCause": false, - "LastCause": true - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV012", - "AVDID": "AVD-KSV-0012", - "Title": "Runs as root user", - "Description": "Force the running image to run as a non-root user to ensure least privileges.", - "Message": "Container 'inception' of Deployment 'inception' should set 'securityContext.runAsNonRoot' to true", - "Namespace": "builtin.kubernetes.KSV012", - "Query": "data.builtin.kubernetes.KSV012.deny", - "Resolution": "Set 'containers[].securityContext.runAsNonRoot' to true.", - "Severity": "MEDIUM", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv012", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", - "https://avd.aquasec.com/misconfig/ksv012" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 81, - "EndLine": 88, - "Code": { - "Lines": [ - { - "Number": 81, - "Content": " image: quay.io/devtron/inception:473deaa4-185-21582", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/inception:473deaa4-185-21582", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 82, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 83, - "Content": " name: inception", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mname\u001b[0m: inception", - 
"FirstCause": false, - "LastCause": false - }, - { - "Number": 84, - "Content": " ports:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mports\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 85, - "Content": " -", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " -", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 86, - "Content": " containerPort: 8080", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m8080", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 87, - "Content": " name: app", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mname\u001b[0m: app", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 88, - "Content": " protocol: TCP", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mprotocol\u001b[0m: TCP", - "FirstCause": false, - "LastCause": true - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV014", - "AVDID": "AVD-KSV-0014", - "Title": "Root file system is not read-only", - "Description": "An immutable root file system prevents applications from writing to their local disk. 
This can limit intrusions, as attackers will not be able to tamper with the file system or write foreign executables to disk.", - "Message": "Container 'inception' of Deployment 'inception' should set 'securityContext.readOnlyRootFilesystem' to true", - "Namespace": "builtin.kubernetes.KSV014", - "Query": "data.builtin.kubernetes.KSV014.deny", - "Resolution": "Change 'containers[].securityContext.readOnlyRootFilesystem' to 'true'.", - "Severity": "HIGH", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv014", - "References": [ - "https://kubesec.io/basics/containers-securitycontext-readonlyrootfilesystem-true/", - "https://avd.aquasec.com/misconfig/ksv014" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 81, - "EndLine": 88, - "Code": { - "Lines": [ - { - "Number": 81, - "Content": " image: quay.io/devtron/inception:473deaa4-185-21582", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/inception:473deaa4-185-21582", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 82, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 83, - "Content": " name: inception", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mname\u001b[0m: inception", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 84, - "Content": " ports:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mports\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 85, - "Content": " -", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " -", - "FirstCause": false, - "LastCause": false - }, - { - 
"Number": 86, - "Content": " containerPort: 8080", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m8080", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 87, - "Content": " name: app", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mname\u001b[0m: app", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 88, - "Content": " protocol: TCP", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mprotocol\u001b[0m: TCP", - "FirstCause": false, - "LastCause": true - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV015", - "AVDID": "AVD-KSV-0015", - "Title": "CPU requests not specified", - "Description": "When containers have resource requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", - "Message": "Container 'inception' of Deployment 'inception' should set 'resources.requests.cpu'", - "Namespace": "builtin.kubernetes.KSV015", - "Query": "data.builtin.kubernetes.KSV015.deny", - "Resolution": "Set 'containers[].resources.requests.cpu'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv015", - "References": [ - "https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", - "https://avd.aquasec.com/misconfig/ksv015" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 81, - "EndLine": 88, - "Code": { - "Lines": [ - { - "Number": 81, - "Content": " image: quay.io/devtron/inception:473deaa4-185-21582", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/inception:473deaa4-185-21582", - "FirstCause": true, - "LastCause": false 
- }, - { - "Number": 82, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 83, - "Content": " name: inception", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mname\u001b[0m: inception", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 84, - "Content": " ports:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mports\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 85, - "Content": " -", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " -", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 86, - "Content": " containerPort: 8080", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m8080", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 87, - "Content": " name: app", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mname\u001b[0m: app", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 88, - "Content": " protocol: TCP", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mprotocol\u001b[0m: TCP", - "FirstCause": false, - "LastCause": true - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV016", - "AVDID": "AVD-KSV-0016", - "Title": "Memory requests not specified", - "Description": "When containers have memory requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", - "Message": "Container 'inception' of Deployment 'inception' should set 'resources.requests.memory'", - "Namespace": 
"builtin.kubernetes.KSV016", - "Query": "data.builtin.kubernetes.KSV016.deny", - "Resolution": "Set 'containers[].resources.requests.memory'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv016", - "References": [ - "https://kubesec.io/basics/containers-resources-limits-memory/", - "https://avd.aquasec.com/misconfig/ksv016" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 81, - "EndLine": 88, - "Code": { - "Lines": [ - { - "Number": 81, - "Content": " image: quay.io/devtron/inception:473deaa4-185-21582", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/inception:473deaa4-185-21582", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 82, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 83, - "Content": " name: inception", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mname\u001b[0m: inception", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 84, - "Content": " ports:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mports\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 85, - "Content": " -", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " -", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 86, - "Content": " containerPort: 8080", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m8080", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 87, - "Content": " name: app", - "IsCause": true, - 
"Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mname\u001b[0m: app", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 88, - "Content": " protocol: TCP", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mprotocol\u001b[0m: TCP", - "FirstCause": false, - "LastCause": true - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV018", - "AVDID": "AVD-KSV-0018", - "Title": "Memory not limited", - "Description": "Enforcing memory limits prevents DoS via resource exhaustion.", - "Message": "Container 'inception' of Deployment 'inception' should set 'resources.limits.memory'", - "Namespace": "builtin.kubernetes.KSV018", - "Query": "data.builtin.kubernetes.KSV018.deny", - "Resolution": "Set a limit value under 'containers[].resources.limits.memory'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv018", - "References": [ - "https://kubesec.io/basics/containers-resources-limits-memory/", - "https://avd.aquasec.com/misconfig/ksv018" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 81, - "EndLine": 88, - "Code": { - "Lines": [ - { - "Number": 81, - "Content": " image: quay.io/devtron/inception:473deaa4-185-21582", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/inception:473deaa4-185-21582", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 82, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 83, - "Content": " name: inception", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mname\u001b[0m: inception", - "FirstCause": false, 
- "LastCause": false - }, - { - "Number": 84, - "Content": " ports:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mports\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 85, - "Content": " -", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " -", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 86, - "Content": " containerPort: 8080", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m8080", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 87, - "Content": " name: app", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mname\u001b[0m: app", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 88, - "Content": " protocol: TCP", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mprotocol\u001b[0m: TCP", - "FirstCause": false, - "LastCause": true - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV020", - "AVDID": "AVD-KSV-0020", - "Title": "Runs with UID \u003c= 10000", - "Description": "Force the container to run with user ID \u003e 10000 to avoid conflicts with the host’s user table.", - "Message": "Container 'inception' of Deployment 'inception' should set 'securityContext.runAsUser' \u003e 10000", - "Namespace": "builtin.kubernetes.KSV020", - "Query": "data.builtin.kubernetes.KSV020.deny", - "Resolution": "Set 'containers[].securityContext.runAsUser' to an integer \u003e 10000.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv020", - "References": [ - "https://kubesec.io/basics/containers-securitycontext-runasuser/", - "https://avd.aquasec.com/misconfig/ksv020" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 
81, - "EndLine": 88, - "Code": { - "Lines": [ - { - "Number": 81, - "Content": " image: quay.io/devtron/inception:473deaa4-185-21582", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/inception:473deaa4-185-21582", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 82, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 83, - "Content": " name: inception", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mname\u001b[0m: inception", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 84, - "Content": " ports:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mports\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 85, - "Content": " -", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " -", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 86, - "Content": " containerPort: 8080", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m8080", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 87, - "Content": " name: app", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mname\u001b[0m: app", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 88, - "Content": " protocol: TCP", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mprotocol\u001b[0m: TCP", - "FirstCause": false, - "LastCause": true - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV021", - "AVDID": "AVD-KSV-0021", - "Title": 
"Runs with GID \u003c= 10000", - "Description": "Force the container to run with group ID \u003e 10000 to avoid conflicts with the host’s user table.", - "Message": "Container 'inception' of Deployment 'inception' should set 'securityContext.runAsGroup' \u003e 10000", - "Namespace": "builtin.kubernetes.KSV021", - "Query": "data.builtin.kubernetes.KSV021.deny", - "Resolution": "Set 'containers[].securityContext.runAsGroup' to an integer \u003e 10000.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv021", - "References": [ - "https://kubesec.io/basics/containers-securitycontext-runasuser/", - "https://avd.aquasec.com/misconfig/ksv021" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 81, - "EndLine": 88, - "Code": { - "Lines": [ - { - "Number": 81, - "Content": " image: quay.io/devtron/inception:473deaa4-185-21582", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/inception:473deaa4-185-21582", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 82, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 83, - "Content": " name: inception", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mname\u001b[0m: inception", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 84, - "Content": " ports:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mports\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 85, - "Content": " -", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " -", - "FirstCause": false, - "LastCause": false - }, - { - 
"Number": 86, - "Content": " containerPort: 8080", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m8080", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 87, - "Content": " name: app", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mname\u001b[0m: app", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 88, - "Content": " protocol: TCP", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mprotocol\u001b[0m: TCP", - "FirstCause": false, - "LastCause": true - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV030", - "AVDID": "AVD-KSV-0030", - "Title": "Runtime/Default Seccomp profile not set", - "Description": "According to pod security standard 'Seccomp', the RuntimeDefault seccomp profile must be required, or allow specific additional profiles.", - "Message": "Either Pod or Container should set 'securityContext.seccompProfile.type' to 'RuntimeDefault'", - "Namespace": "builtin.kubernetes.KSV030", - "Query": "data.builtin.kubernetes.KSV030.deny", - "Resolution": "Set 'spec.securityContext.seccompProfile.type', 'spec.containers[*].securityContext.seccompProfile' and 'spec.initContainers[*].securityContext.seccompProfile' to 'RuntimeDefault' or undefined.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv030", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", - "https://avd.aquasec.com/misconfig/ksv030" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 81, - "EndLine": 88, - "Code": { - "Lines": [ - { - "Number": 81, - "Content": " image: quay.io/devtron/inception:473deaa4-185-21582", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " 
\u001b[38;5;33mimage\u001b[0m: quay.io/devtron/inception:473deaa4-185-21582", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 82, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 83, - "Content": " name: inception", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mname\u001b[0m: inception", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 84, - "Content": " ports:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mports\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 85, - "Content": " -", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " -", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 86, - "Content": " containerPort: 8080", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m8080", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 87, - "Content": " name: app", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mname\u001b[0m: app", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 88, - "Content": " protocol: TCP", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mprotocol\u001b[0m: TCP", - "FirstCause": false, - "LastCause": true - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV104", - "AVDID": "AVD-KSV-0104", - "Title": "Seccomp policies disabled", - "Description": "A program inside the container can bypass Seccomp protection policies.", - "Message": "container \"inception\" of deployment \"inception\" in \"devtroncd\" namespace 
should specify a seccomp profile", - "Namespace": "builtin.kubernetes.KSV104", - "Query": "data.builtin.kubernetes.KSV104.deny", - "Resolution": "Specify seccomp either by annotation or by seccomp profile type having allowed values as per pod security standards", - "Severity": "MEDIUM", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv104", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline", - "https://avd.aquasec.com/misconfig/ksv104" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 56, - "EndLine": 56, - "Code": { - "Lines": [ - { - "Number": 56, - "Content": "---", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "---", - "FirstCause": true, - "LastCause": true - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV106", - "AVDID": "AVD-KSV-0106", - "Title": "Container capabilities must only include NET_BIND_SERVICE", - "Description": "Containers must drop ALL capabilities, and are only permitted to add back the NET_BIND_SERVICE capability.", - "Message": "container should drop all", - "Namespace": "builtin.kubernetes.KSV106", - "Query": "data.builtin.kubernetes.KSV106.deny", - "Resolution": "Set 'spec.containers[*].securityContext.capabilities.drop' to 'ALL' and only add 'NET_BIND_SERVICE' to 'spec.containers[*].securityContext.capabilities.add'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv106", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", - "https://avd.aquasec.com/misconfig/ksv106" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 81, - "EndLine": 88, - "Code": { - "Lines": [ - { - "Number": 81, - "Content": " image: quay.io/devtron/inception:473deaa4-185-21582", - "IsCause": true, - "Annotation": "", - 
"Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/inception:473deaa4-185-21582", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 82, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 83, - "Content": " name: inception", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mname\u001b[0m: inception", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 84, - "Content": " ports:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mports\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 85, - "Content": " -", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " -", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 86, - "Content": " containerPort: 8080", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m8080", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 87, - "Content": " name: app", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mname\u001b[0m: app", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 88, - "Content": " protocol: TCP", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mprotocol\u001b[0m: TCP", - "FirstCause": false, - "LastCause": true - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV111", - "AVDID": "AVD-KSV-0111", - "Title": "User with admin access", - "Description": "Either cluster-admin or those granted powerful permissions.", - "Message": "ClusterRoleBinding 'installer' should not bind to roles 
[\"cluster-admin\", \"admin\", \"edit\"]", - "Namespace": "builtin.kubernetes.KSV111", - "Query": "data.builtin.kubernetes.KSV111.deny", - "Resolution": "Remove binding for clusterrole 'cluster-admin', 'admin' or 'edit'", - "Severity": "MEDIUM", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv111", - "References": [ - "https://kubernetes.io/docs/concepts/security/rbac-good-practices/", - "https://avd.aquasec.com/misconfig/ksv111" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 10, - "EndLine": 10, - "Code": { - "Lines": [ - { - "Number": 10, - "Content": " name: installer", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mname\u001b[0m: installer", - "FirstCause": true, - "LastCause": true - } - ] - } - } - } - ] - }, - { - "Target": "manifests/updates/devtron-clair-override.yaml", - "Class": "config", - "Type": "kubernetes", - "MisconfSummary": { - "Successes": 153, - "Failures": 0, - "Exceptions": 0 - } - }, - { - "Target": "manifests/updates/devtron-dashboard-override.yaml", - "Class": "config", - "Type": "kubernetes", - "MisconfSummary": { - "Successes": 153, - "Failures": 0, - "Exceptions": 0 - } - }, - { - "Target": "manifests/updates/devtron-external-secret-override.yaml", - "Class": "config", - "Type": "kubernetes", - "MisconfSummary": { - "Successes": 153, - "Failures": 0, - "Exceptions": 0 - } - }, - { - "Target": "manifests/updates/devtron-grafana-override.yaml", - "Class": "config", - "Type": "kubernetes", - "MisconfSummary": { - "Successes": 153, - "Failures": 0, - "Exceptions": 0 - } - }, - { - "Target": "manifests/updates/devtron-guard-override.yaml", - "Class": "config", - "Type": "kubernetes", - "MisconfSummary": { - "Successes": 153, - "Failures": 0, - "Exceptions": 0 - } - }, - { - "Target": "manifests/updates/devtron-kubewatch-override.yaml", - "Class": "config", - "Type": "kubernetes", - "MisconfSummary": { - 
"Successes": 153, - "Failures": 0, - "Exceptions": 0 - } - }, - { - "Target": "manifests/updates/devtron-nats-operator-override.yaml", - "Class": "config", - "Type": "kubernetes", - "MisconfSummary": { - "Successes": 153, - "Failures": 0, - "Exceptions": 0 - } - }, - { - "Target": "manifests/updates/devtron-nats-server-override.yaml", - "Class": "config", - "Type": "kubernetes", - "MisconfSummary": { - "Successes": 153, - "Failures": 0, - "Exceptions": 0 - } - }, - { - "Target": "manifests/updates/devtron-nats-streaming-override.yaml", - "Class": "config", - "Type": "kubernetes", - "MisconfSummary": { - "Successes": 153, - "Failures": 0, - "Exceptions": 0 - } - }, - { - "Target": "manifests/updates/devtron-override-cm.yaml", - "Class": "config", - "Type": "kubernetes", - "MisconfSummary": { - "Successes": 151, - "Failures": 2, - "Exceptions": 0 - }, - "Misconfigurations": [ - { - "Type": "Kubernetes Security Check", - "ID": "AVD-KSV-01010", - "AVDID": "AVD-KSV-01010", - "Title": "ConfigMap with sensitive content", - "Description": "Storing sensitive content such as usernames and email addresses in configMaps is unsafe", - "Message": "ConfigMap 'devtron-override-cm' in 'devtroncd' namespace stores sensitive contents in key(s) or value(s) '{\" CD_NODE_TAINTS_KEY\", \" CI_NODE_TAINTS_KEY\", \"# GRAFANA_USERNAME\"}'", - "Namespace": "builtin.kubernetes.KSV01010", - "Query": "data.builtin.kubernetes.KSV01010.deny", - "Resolution": "Remove sensitive content from configMap data value", - "Severity": "MEDIUM", - "PrimaryURL": "https://avd.aquasec.com/misconfig/avd-ksv-01010", - "References": [ - "https://avd.aquasec.com/misconfig/avd-ksv-01010" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "Code": { - "Lines": null - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "AVD-KSV-0109", - "AVDID": "AVD-KSV-0109", - "Title": "ConfigMap with secrets", - "Description": "Storing secrets in configMaps 
is unsafe", - "Message": "ConfigMap 'devtron-override-cm' in 'devtroncd' namespace stores secrets in key(s) or value(s) '{\"# GRAFANA_PASSWORD\"}'", - "Namespace": "builtin.kubernetes.KSV0109", - "Query": "data.builtin.kubernetes.KSV0109.deny", - "Resolution": "Remove password/secret from configMap data value", - "Severity": "HIGH", - "PrimaryURL": "https://avd.aquasec.com/misconfig/avd-ksv-0109", - "References": [ - "https://avd.aquasec.com/misconfig/avd-ksv-0109" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "Code": { - "Lines": null - } - } - } - ] - }, - { - "Target": "manifests/updates/devtron-postgresql-override.yaml", - "Class": "config", - "Type": "kubernetes", - "MisconfSummary": { - "Successes": 153, - "Failures": 0, - "Exceptions": 0 - } - }, - { - "Target": "manifests/updates/devtron-rollout-override.yaml", - "Class": "config", - "Type": "kubernetes", - "MisconfSummary": { - "Successes": 153, - "Failures": 0, - "Exceptions": 0 - } - }, - { - "Target": "manifests/updates/devtron-workflow-override.yaml", - "Class": "config", - "Type": "kubernetes", - "MisconfSummary": { - "Successes": 153, - "Failures": 0, - "Exceptions": 0 - } - }, - { - "Target": "manifests/updates/production/devtron-argocd-override.yaml", - "Class": "config", - "Type": "kubernetes", - "MisconfSummary": { - "Successes": 153, - "Failures": 0, - "Exceptions": 0 - } - }, - { - "Target": "manifests/updates/production/devtron-clair-override.yaml", - "Class": "config", - "Type": "kubernetes", - "MisconfSummary": { - "Successes": 153, - "Failures": 0, - "Exceptions": 0 - } - }, - { - "Target": "manifests/updates/production/devtron-dashboard-override.yaml", - "Class": "config", - "Type": "kubernetes", - "MisconfSummary": { - "Successes": 153, - "Failures": 0, - "Exceptions": 0 - } - }, - { - "Target": "manifests/updates/production/devtron-external-secret-override.yaml", - "Class": "config", - "Type": "kubernetes", - 
"MisconfSummary": { - "Successes": 153, - "Failures": 0, - "Exceptions": 0 - } - }, - { - "Target": "manifests/updates/production/devtron-gitsensor-override.yaml", - "Class": "config", - "Type": "kubernetes", - "MisconfSummary": { - "Successes": 153, - "Failures": 0, - "Exceptions": 0 - } - }, - { - "Target": "manifests/updates/production/devtron-grafana-override.yaml", - "Class": "config", - "Type": "kubernetes", - "MisconfSummary": { - "Successes": 153, - "Failures": 0, - "Exceptions": 0 - } - }, - { - "Target": "manifests/updates/production/devtron-guard-override.yaml", - "Class": "config", - "Type": "kubernetes", - "MisconfSummary": { - "Successes": 153, - "Failures": 0, - "Exceptions": 0 - } - }, - { - "Target": "manifests/updates/production/devtron-image-scanner-override.yaml", - "Class": "config", - "Type": "kubernetes", - "MisconfSummary": { - "Successes": 153, - "Failures": 0, - "Exceptions": 0 - } - }, - { - "Target": "manifests/updates/production/devtron-ingress-override.yaml", - "Class": "config", - "Type": "kubernetes", - "MisconfSummary": { - "Successes": 153, - "Failures": 0, - "Exceptions": 0 - } - }, - { - "Target": "manifests/updates/production/devtron-kubelink-override.yaml", - "Class": "config", - "Type": "kubernetes", - "MisconfSummary": { - "Successes": 153, - "Failures": 0, - "Exceptions": 0 - } - }, - { - "Target": "manifests/updates/production/devtron-kubewatch-override.yaml", - "Class": "config", - "Type": "kubernetes", - "MisconfSummary": { - "Successes": 153, - "Failures": 0, - "Exceptions": 0 - } - }, - { - "Target": "manifests/updates/production/devtron-lens-override.yaml", - "Class": "config", - "Type": "kubernetes", - "MisconfSummary": { - "Successes": 153, - "Failures": 0, - "Exceptions": 0 - } - }, - { - "Target": "manifests/updates/production/devtron-minio-override.yaml", - "Class": "config", - "Type": "kubernetes", - "MisconfSummary": { - "Successes": 151, - "Failures": 2, - "Exceptions": 0 - }, - "Misconfigurations": [ - { - 
"Type": "Kubernetes Security Check", - "ID": "AVD-KSV-01010", - "AVDID": "AVD-KSV-01010", - "Title": "ConfigMap with sensitive content", - "Description": "Storing sensitive content such as usernames and email addresses in configMaps is unsafe", - "Message": "ConfigMap 'minio-override-cm' in 'devtroncd' namespace stores sensitive contents in key(s) or value(s) '{\"# accesskey\", \"# secretkey\"}'", - "Namespace": "builtin.kubernetes.KSV01010", - "Query": "data.builtin.kubernetes.KSV01010.deny", - "Resolution": "Remove sensitive content from configMap data value", - "Severity": "MEDIUM", - "PrimaryURL": "https://avd.aquasec.com/misconfig/avd-ksv-01010", - "References": [ - "https://avd.aquasec.com/misconfig/avd-ksv-01010" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "Code": { - "Lines": null - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "AVD-KSV-0109", - "AVDID": "AVD-KSV-0109", - "Title": "ConfigMap with secrets", - "Description": "Storing secrets in configMaps is unsafe", - "Message": "ConfigMap 'minio-override-cm' in 'devtroncd' namespace stores secrets in key(s) or value(s) '{\"# secretkey\"}'", - "Namespace": "builtin.kubernetes.KSV0109", - "Query": "data.builtin.kubernetes.KSV0109.deny", - "Resolution": "Remove password/secret from configMap data value", - "Severity": "HIGH", - "PrimaryURL": "https://avd.aquasec.com/misconfig/avd-ksv-0109", - "References": [ - "https://avd.aquasec.com/misconfig/avd-ksv-0109" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "Code": { - "Lines": null - } - } - } - ] - }, - { - "Target": "manifests/updates/production/devtron-minio-storage-override.yaml", - "Class": "config", - "Type": "kubernetes", - "MisconfSummary": { - "Successes": 151, - "Failures": 2, - "Exceptions": 0 - }, - "Misconfigurations": [ - { - "Type": "Kubernetes Security Check", - "ID": "AVD-KSV-01010", - 
"AVDID": "AVD-KSV-01010", - "Title": "ConfigMap with sensitive content", - "Description": "Storing sensitive content such as usernames and email addresses in configMaps is unsafe", - "Message": "ConfigMap 'minio-storage-override-cm' in 'devtroncd' namespace stores sensitive contents in key(s) or value(s) '{\"# accesskey\", \"# secretkey\"}'", - "Namespace": "builtin.kubernetes.KSV01010", - "Query": "data.builtin.kubernetes.KSV01010.deny", - "Resolution": "Remove sensitive content from configMap data value", - "Severity": "MEDIUM", - "PrimaryURL": "https://avd.aquasec.com/misconfig/avd-ksv-01010", - "References": [ - "https://avd.aquasec.com/misconfig/avd-ksv-01010" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "Code": { - "Lines": null - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "AVD-KSV-0109", - "AVDID": "AVD-KSV-0109", - "Title": "ConfigMap with secrets", - "Description": "Storing secrets in configMaps is unsafe", - "Message": "ConfigMap 'minio-storage-override-cm' in 'devtroncd' namespace stores secrets in key(s) or value(s) '{\"# secretkey\"}'", - "Namespace": "builtin.kubernetes.KSV0109", - "Query": "data.builtin.kubernetes.KSV0109.deny", - "Resolution": "Remove password/secret from configMap data value", - "Severity": "HIGH", - "PrimaryURL": "https://avd.aquasec.com/misconfig/avd-ksv-0109", - "References": [ - "https://avd.aquasec.com/misconfig/avd-ksv-0109" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "Code": { - "Lines": null - } - } - } - ] - }, - { - "Target": "manifests/updates/production/devtron-nats-operator-override.yaml", - "Class": "config", - "Type": "kubernetes", - "MisconfSummary": { - "Successes": 153, - "Failures": 0, - "Exceptions": 0 - } - }, - { - "Target": "manifests/updates/production/devtron-nats-server-override.yaml", - "Class": "config", - "Type": "kubernetes", - "MisconfSummary": 
{ - "Successes": 153, - "Failures": 0, - "Exceptions": 0 - } - }, - { - "Target": "manifests/updates/production/devtron-nats-streaming-override.yaml", - "Class": "config", - "Type": "kubernetes", - "MisconfSummary": { - "Successes": 153, - "Failures": 0, - "Exceptions": 0 - } - }, - { - "Target": "manifests/updates/production/devtron-notifier-override.yaml", - "Class": "config", - "Type": "kubernetes", - "MisconfSummary": { - "Successes": 153, - "Failures": 0, - "Exceptions": 0 - } - }, - { - "Target": "manifests/updates/production/devtron-override-cm.yaml", - "Class": "config", - "Type": "kubernetes", - "MisconfSummary": { - "Successes": 151, - "Failures": 2, - "Exceptions": 0 - }, - "Misconfigurations": [ - { - "Type": "Kubernetes Security Check", - "ID": "AVD-KSV-01010", - "AVDID": "AVD-KSV-01010", - "Title": "ConfigMap with sensitive content", - "Description": "Storing sensitive content such as usernames and email addresses in configMaps is unsafe", - "Message": "ConfigMap 'devtron-override-cm' in 'devtroncd' namespace stores sensitive contents in key(s) or value(s) '{\" CD_NODE_TAINTS_KEY\", \" CI_NODE_TAINTS_KEY\", \"# GRAFANA_USERNAME\"}'", - "Namespace": "builtin.kubernetes.KSV01010", - "Query": "data.builtin.kubernetes.KSV01010.deny", - "Resolution": "Remove sensitive content from configMap data value", - "Severity": "MEDIUM", - "PrimaryURL": "https://avd.aquasec.com/misconfig/avd-ksv-01010", - "References": [ - "https://avd.aquasec.com/misconfig/avd-ksv-01010" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "Code": { - "Lines": null - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "AVD-KSV-0109", - "AVDID": "AVD-KSV-0109", - "Title": "ConfigMap with secrets", - "Description": "Storing secrets in configMaps is unsafe", - "Message": "ConfigMap 'devtron-override-cm' in 'devtroncd' namespace stores secrets in key(s) or value(s) '{\"# GRAFANA_PASSWORD\"}'", - "Namespace": 
"builtin.kubernetes.KSV0109", - "Query": "data.builtin.kubernetes.KSV0109.deny", - "Resolution": "Remove password/secret from configMap data value", - "Severity": "HIGH", - "PrimaryURL": "https://avd.aquasec.com/misconfig/avd-ksv-0109", - "References": [ - "https://avd.aquasec.com/misconfig/avd-ksv-0109" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "Code": { - "Lines": null - } - } - } - ] - }, - { - "Target": "manifests/updates/production/devtron-postgresql-override.yaml", - "Class": "config", - "Type": "kubernetes", - "MisconfSummary": { - "Successes": 153, - "Failures": 0, - "Exceptions": 0 - } - }, - { - "Target": "manifests/updates/production/devtron-rollout-override.yaml", - "Class": "config", - "Type": "kubernetes", - "MisconfSummary": { - "Successes": 153, - "Failures": 0, - "Exceptions": 0 - } - }, - { - "Target": "manifests/updates/production/devtron-workflow-override.yaml", - "Class": "config", - "Type": "kubernetes", - "MisconfSummary": { - "Successes": 153, - "Failures": 0, - "Exceptions": 0 - } - }, - { - "Target": "manifests/yamls/argocd.yaml", - "Class": "config", - "Type": "kubernetes", - "MisconfSummary": { - "Successes": 153, - "Failures": 81, - "Exceptions": 0 - }, - "Misconfigurations": [ - { - "Type": "Kubernetes Security Check", - "ID": "KSV001", - "AVDID": "AVD-KSV-0001", - "Title": "Can elevate its own privileges", - "Description": "A program inside the container can elevate its own privileges and run as root, which might give the program control over the container and node.", - "Message": "Container 'copyutil' of Deployment 'argocd-dex-server' should set 'securityContext.allowPrivilegeEscalation' to false", - "Namespace": "builtin.kubernetes.KSV001", - "Query": "data.builtin.kubernetes.KSV001.deny", - "Resolution": "Set 'set containers[].securityContext.allowPrivilegeEscalation' to 'false'.", - "Severity": "MEDIUM", - "PrimaryURL": 
"https://avd.aquasec.com/misconfig/ksv001", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", - "https://avd.aquasec.com/misconfig/ksv001" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 3006, - "EndLine": 3018, - "Code": { - "Lines": [ - { - "Number": 3006, - "Content": " - command:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mcommand\u001b[0m:", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 3007, - "Content": " - cp", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - cp", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3008, - "Content": " - -n", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - -\u001b[38;5;166mn", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3009, - "Content": " - /usr/local/bin/argocd", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m - /usr/local/bin/argocd", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3010, - "Content": " - /shared/argocd-dex", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - /shared/argocd-dex", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3011, - "Content": " image: quay.io/argoproj/argocd:v2.4.0", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/argoproj/argocd:v2.4.0", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3012, - "Content": " imagePullPolicy: Always", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: Always", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3013, - "Content": " name: copyutil", - "IsCause": true, - 
"Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mname\u001b[0m: copyutil", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3014, - "Content": " volumeMounts:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvolumeMounts\u001b[0m:", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 3015, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV001", - "AVDID": "AVD-KSV-0001", - "Title": "Can elevate its own privileges", - "Description": "A program inside the container can elevate its own privileges and run as root, which might give the program control over the container and node.", - "Message": "Container 'copyutil' of Deployment 'argocd-repo-server' should set 'securityContext.allowPrivilegeEscalation' to false", - "Namespace": "builtin.kubernetes.KSV001", - "Query": "data.builtin.kubernetes.KSV001.deny", - "Resolution": "Set 'set containers[].securityContext.allowPrivilegeEscalation' to 'false'.", - "Severity": "MEDIUM", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv001", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", - "https://avd.aquasec.com/misconfig/ksv001" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 3242, - "EndLine": 3251, - "Code": { - "Lines": [ - { - "Number": 3242, - "Content": " - command:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mcommand\u001b[0m:", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 3243, - "Content": " - cp", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - cp", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3244, - "Content": " 
- -n", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - -\u001b[38;5;166mn", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3245, - "Content": " - /usr/local/bin/argocd", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m - /usr/local/bin/argocd", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3246, - "Content": " - /var/run/argocd/argocd-cmp-server", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - /var/run/argocd/argocd-cmp-server", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3247, - "Content": " image: quay.io/argoproj/argocd:v2.4.0", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/argoproj/argocd:v2.4.0", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3248, - "Content": " name: copyutil", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mname\u001b[0m: copyutil", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3249, - "Content": " volumeMounts:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvolumeMounts\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3250, - "Content": " - mountPath: /var/run/argocd", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mmountPath\u001b[0m: /var/run/argocd", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3251, - "Content": " name: var-files", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mname\u001b[0m: var-files", - "FirstCause": false, - "LastCause": true - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV001", - "AVDID": "AVD-KSV-0001", - "Title": "Can elevate its own privileges", - "Description": "A program 
inside the container can elevate its own privileges and run as root, which might give the program control over the container and node.", - "Message": "Container 'redis' of Deployment 'argocd-redis' should set 'securityContext.allowPrivilegeEscalation' to false", - "Namespace": "builtin.kubernetes.KSV001", - "Query": "data.builtin.kubernetes.KSV001.deny", - "Resolution": "Set 'set containers[].securityContext.allowPrivilegeEscalation' to 'false'.", - "Severity": "MEDIUM", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv001", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", - "https://avd.aquasec.com/misconfig/ksv001" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 3059, - "EndLine": 3068, - "Code": { - "Lines": [ - { - "Number": 3059, - "Content": " - args:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33margs\u001b[0m:", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 3060, - "Content": " - --save", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - --save", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3061, - "Content": " - \"\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;37m\"\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3062, - "Content": " - --appendonly", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m - --appendonly", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3063, - "Content": " - \"no\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;37m\"no\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3064, - "Content": " image: redis:6.2.6-alpine", - "IsCause": true, - "Annotation": "", - "Truncated": false, - 
"Highlighted": "\u001b[0m \u001b[38;5;33mimage\u001b[0m: redis:6.2.6-alpine", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3065, - "Content": " imagePullPolicy: Always", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: Always", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3066, - "Content": " name: redis", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mname\u001b[0m: redis", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3067, - "Content": " ports:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mports\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3068, - "Content": " - containerPort: 6379", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m6379", - "FirstCause": false, - "LastCause": true - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV003", - "AVDID": "AVD-KSV-0003", - "Title": "Default capabilities: some containers do not drop all", - "Description": "The container should drop all default capabilities and add only those that are needed for its execution.", - "Message": "Container 'copyutil' of Deployment 'argocd-dex-server' should add 'ALL' to 'securityContext.capabilities.drop'", - "Namespace": "builtin.kubernetes.KSV003", - "Query": "data.builtin.kubernetes.KSV003.deny", - "Resolution": "Add 'ALL' to containers[].securityContext.capabilities.drop.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv003", - "References": [ - "https://kubesec.io/basics/containers-securitycontext-capabilities-drop-index-all/", - "https://avd.aquasec.com/misconfig/ksv003" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - 
"StartLine": 3006, - "EndLine": 3018, - "Code": { - "Lines": [ - { - "Number": 3006, - "Content": " - command:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mcommand\u001b[0m:", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 3007, - "Content": " - cp", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - cp", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3008, - "Content": " - -n", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - -\u001b[38;5;166mn", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3009, - "Content": " - /usr/local/bin/argocd", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m - /usr/local/bin/argocd", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3010, - "Content": " - /shared/argocd-dex", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - /shared/argocd-dex", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3011, - "Content": " image: quay.io/argoproj/argocd:v2.4.0", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/argoproj/argocd:v2.4.0", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3012, - "Content": " imagePullPolicy: Always", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: Always", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3013, - "Content": " name: copyutil", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mname\u001b[0m: copyutil", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3014, - "Content": " volumeMounts:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " 
\u001b[38;5;33mvolumeMounts\u001b[0m:", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 3015, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV003", - "AVDID": "AVD-KSV-0003", - "Title": "Default capabilities: some containers do not drop all", - "Description": "The container should drop all default capabilities and add only those that are needed for its execution.", - "Message": "Container 'copyutil' of Deployment 'argocd-repo-server' should add 'ALL' to 'securityContext.capabilities.drop'", - "Namespace": "builtin.kubernetes.KSV003", - "Query": "data.builtin.kubernetes.KSV003.deny", - "Resolution": "Add 'ALL' to containers[].securityContext.capabilities.drop.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv003", - "References": [ - "https://kubesec.io/basics/containers-securitycontext-capabilities-drop-index-all/", - "https://avd.aquasec.com/misconfig/ksv003" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 3242, - "EndLine": 3251, - "Code": { - "Lines": [ - { - "Number": 3242, - "Content": " - command:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mcommand\u001b[0m:", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 3243, - "Content": " - cp", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - cp", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3244, - "Content": " - -n", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - -\u001b[38;5;166mn", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3245, - "Content": " - /usr/local/bin/argocd", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m - 
/usr/local/bin/argocd", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3246, - "Content": " - /var/run/argocd/argocd-cmp-server", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - /var/run/argocd/argocd-cmp-server", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3247, - "Content": " image: quay.io/argoproj/argocd:v2.4.0", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/argoproj/argocd:v2.4.0", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3248, - "Content": " name: copyutil", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mname\u001b[0m: copyutil", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3249, - "Content": " volumeMounts:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvolumeMounts\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3250, - "Content": " - mountPath: /var/run/argocd", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mmountPath\u001b[0m: /var/run/argocd", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3251, - "Content": " name: var-files", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mname\u001b[0m: var-files", - "FirstCause": false, - "LastCause": true - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV003", - "AVDID": "AVD-KSV-0003", - "Title": "Default capabilities: some containers do not drop all", - "Description": "The container should drop all default capabilities and add only those that are needed for its execution.", - "Message": "Container 'dex' of Deployment 'argocd-dex-server' should add 'ALL' to 'securityContext.capabilities.drop'", - "Namespace": "builtin.kubernetes.KSV003", - "Query": 
"data.builtin.kubernetes.KSV003.deny", - "Resolution": "Add 'ALL' to containers[].securityContext.capabilities.drop.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv003", - "References": [ - "https://kubesec.io/basics/containers-securitycontext-capabilities-drop-index-all/", - "https://avd.aquasec.com/misconfig/ksv003" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 2986, - "EndLine": 3004, - "Code": { - "Lines": [ - { - "Number": 2986, - "Content": " - command:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mcommand\u001b[0m:", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 2987, - "Content": " - /shared/argocd-dex", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - /shared/argocd-dex", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 2988, - "Content": " - rundex", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - rundex", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 2989, - "Content": " image: ghcr.io/dexidp/dex:v2.30.2", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: ghcr.io/dexidp/dex:v2.30.2", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 2990, - "Content": " imagePullPolicy: Always", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: Always", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 2991, - "Content": " name: dex", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mname\u001b[0m: dex", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 2992, - "Content": " ports:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " 
\u001b[38;5;33mports\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 2993, - "Content": " - containerPort: 5556", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m5556", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 2994, - "Content": " - containerPort: 5557", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m - \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m5557", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 2995, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV003", - "AVDID": "AVD-KSV-0003", - "Title": "Default capabilities: some containers do not drop all", - "Description": "The container should drop all default capabilities and add only those that are needed for its execution.", - "Message": "Container 'redis' of Deployment 'argocd-redis' should add 'ALL' to 'securityContext.capabilities.drop'", - "Namespace": "builtin.kubernetes.KSV003", - "Query": "data.builtin.kubernetes.KSV003.deny", - "Resolution": "Add 'ALL' to containers[].securityContext.capabilities.drop.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv003", - "References": [ - "https://kubesec.io/basics/containers-securitycontext-capabilities-drop-index-all/", - "https://avd.aquasec.com/misconfig/ksv003" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 3059, - "EndLine": 3068, - "Code": { - "Lines": [ - { - "Number": 3059, - "Content": " - args:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33margs\u001b[0m:", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 3060, - "Content": " - 
--save", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - --save", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3061, - "Content": " - \"\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;37m\"\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3062, - "Content": " - --appendonly", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m - --appendonly", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3063, - "Content": " - \"no\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;37m\"no\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3064, - "Content": " image: redis:6.2.6-alpine", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mimage\u001b[0m: redis:6.2.6-alpine", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3065, - "Content": " imagePullPolicy: Always", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: Always", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3066, - "Content": " name: redis", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mname\u001b[0m: redis", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3067, - "Content": " ports:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mports\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3068, - "Content": " - containerPort: 6379", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m6379", - "FirstCause": false, - "LastCause": true - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - 
"ID": "KSV011", - "AVDID": "AVD-KSV-0011", - "Title": "CPU not limited", - "Description": "Enforcing CPU limits prevents DoS via resource exhaustion.", - "Message": "Container 'argocd-application-controller' of StatefulSet 'argocd-application-controller' should set 'resources.limits.cpu'", - "Namespace": "builtin.kubernetes.KSV011", - "Query": "data.builtin.kubernetes.KSV011.deny", - "Resolution": "Set a limit value under 'containers[].resources.limits.cpu'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv011", - "References": [ - "https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", - "https://avd.aquasec.com/misconfig/ksv011" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 3567, - "EndLine": 3699, - "Code": { - "Lines": [ - { - "Number": 3567, - "Content": " - command:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mcommand\u001b[0m:", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 3568, - "Content": " - argocd-application-controller", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - argocd-application-controller", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3569, - "Content": " - --operation-processors", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - --operation-processors", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3570, - "Content": " - \"25\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;37m\"25\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3571, - "Content": " - --status-processors", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m - --status-processors", - "FirstCause": false, - "LastCause": false - 
}, - { - "Number": 3572, - "Content": " - \"50\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;37m\"50\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3573, - "Content": " - --kubectl-parallelism-limit", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m - --kubectl-parallelism-limit", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3574, - "Content": " - \"35\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;37m\"35\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3575, - "Content": " - --repo-server-timeout-seconds", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m - --repo-server-timeout-seconds", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 3576, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV011", - "AVDID": "AVD-KSV-0011", - "Title": "CPU not limited", - "Description": "Enforcing CPU limits prevents DoS via resource exhaustion.", - "Message": "Container 'argocd-repo-server' of Deployment 'argocd-repo-server' should set 'resources.limits.cpu'", - "Namespace": "builtin.kubernetes.KSV011", - "Query": "data.builtin.kubernetes.KSV011.deny", - "Resolution": "Set a limit value under 'containers[].resources.limits.cpu'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv011", - "References": [ - "https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", - "https://avd.aquasec.com/misconfig/ksv011" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 3108, - "EndLine": 3240, - "Code": { - "Lines": [ - { - 
"Number": 3108, - "Content": " - command:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mcommand\u001b[0m:", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 3109, - "Content": " - entrypoint.sh", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - entrypoint.sh", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3110, - "Content": " - argocd-repo-server", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - argocd-repo-server", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3111, - "Content": " - --redis", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - --redis", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3112, - "Content": " - argocd-redis:6379", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - argocd-redis:6379", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3113, - "Content": " - --repo-cache-expiration", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - --repo-cache-expiration", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3114, - "Content": " - 24h", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - 24h", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3115, - "Content": " - --parallelismlimit", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - --parallelismlimit", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3116, - "Content": " - \"50\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;37m\"50\"", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 3117, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - 
} - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV011", - "AVDID": "AVD-KSV-0011", - "Title": "CPU not limited", - "Description": "Enforcing CPU limits prevents DoS via resource exhaustion.", - "Message": "Container 'argocd-server' of Deployment 'argocd-server' should set 'resources.limits.cpu'", - "Namespace": "builtin.kubernetes.KSV011", - "Query": "data.builtin.kubernetes.KSV011.deny", - "Resolution": "Set a limit value under 'containers[].resources.limits.cpu'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv011", - "References": [ - "https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", - "https://avd.aquasec.com/misconfig/ksv011" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 3317, - "EndLine": 3505, - "Code": { - "Lines": [ - { - "Number": 3317, - "Content": " - command:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mcommand\u001b[0m:", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 3318, - "Content": " - argocd-server", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - argocd-server", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3319, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3320, - "Content": " - name: ARGOCD_SERVER_INSECURE", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: ARGOCD_SERVER_INSECURE", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3321, - "Content": " valueFrom:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalueFrom\u001b[0m:", - "FirstCause": false, - 
"LastCause": false - }, - { - "Number": 3322, - "Content": " configMapKeyRef:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mconfigMapKeyRef\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3323, - "Content": " key: server.insecure", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mkey\u001b[0m: server.insecure", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3324, - "Content": " name: argocd-cmd-params-cm", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mname\u001b[0m: argocd-cmd-params-cm", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3325, - "Content": " optional: true", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33moptional\u001b[0m: \u001b[38;5;166mtrue", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 3326, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV011", - "AVDID": "AVD-KSV-0011", - "Title": "CPU not limited", - "Description": "Enforcing CPU limits prevents DoS via resource exhaustion.", - "Message": "Container 'copyutil' of Deployment 'argocd-dex-server' should set 'resources.limits.cpu'", - "Namespace": "builtin.kubernetes.KSV011", - "Query": "data.builtin.kubernetes.KSV011.deny", - "Resolution": "Set a limit value under 'containers[].resources.limits.cpu'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv011", - "References": [ - "https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", - "https://avd.aquasec.com/misconfig/ksv011" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - 
"StartLine": 3006, - "EndLine": 3018, - "Code": { - "Lines": [ - { - "Number": 3006, - "Content": " - command:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mcommand\u001b[0m:", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 3007, - "Content": " - cp", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - cp", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3008, - "Content": " - -n", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - -\u001b[38;5;166mn", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3009, - "Content": " - /usr/local/bin/argocd", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m - /usr/local/bin/argocd", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3010, - "Content": " - /shared/argocd-dex", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - /shared/argocd-dex", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3011, - "Content": " image: quay.io/argoproj/argocd:v2.4.0", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/argoproj/argocd:v2.4.0", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3012, - "Content": " imagePullPolicy: Always", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: Always", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3013, - "Content": " name: copyutil", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mname\u001b[0m: copyutil", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3014, - "Content": " volumeMounts:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " 
\u001b[38;5;33mvolumeMounts\u001b[0m:", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 3015, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV011", - "AVDID": "AVD-KSV-0011", - "Title": "CPU not limited", - "Description": "Enforcing CPU limits prevents DoS via resource exhaustion.", - "Message": "Container 'copyutil' of Deployment 'argocd-repo-server' should set 'resources.limits.cpu'", - "Namespace": "builtin.kubernetes.KSV011", - "Query": "data.builtin.kubernetes.KSV011.deny", - "Resolution": "Set a limit value under 'containers[].resources.limits.cpu'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv011", - "References": [ - "https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", - "https://avd.aquasec.com/misconfig/ksv011" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 3242, - "EndLine": 3251, - "Code": { - "Lines": [ - { - "Number": 3242, - "Content": " - command:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mcommand\u001b[0m:", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 3243, - "Content": " - cp", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - cp", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3244, - "Content": " - -n", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - -\u001b[38;5;166mn", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3245, - "Content": " - /usr/local/bin/argocd", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m - /usr/local/bin/argocd", - "FirstCause": false, - "LastCause": false - }, - { - 
"Number": 3246, - "Content": " - /var/run/argocd/argocd-cmp-server", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - /var/run/argocd/argocd-cmp-server", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3247, - "Content": " image: quay.io/argoproj/argocd:v2.4.0", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/argoproj/argocd:v2.4.0", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3248, - "Content": " name: copyutil", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mname\u001b[0m: copyutil", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3249, - "Content": " volumeMounts:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvolumeMounts\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3250, - "Content": " - mountPath: /var/run/argocd", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mmountPath\u001b[0m: /var/run/argocd", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3251, - "Content": " name: var-files", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mname\u001b[0m: var-files", - "FirstCause": false, - "LastCause": true - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV011", - "AVDID": "AVD-KSV-0011", - "Title": "CPU not limited", - "Description": "Enforcing CPU limits prevents DoS via resource exhaustion.", - "Message": "Container 'dex' of Deployment 'argocd-dex-server' should set 'resources.limits.cpu'", - "Namespace": "builtin.kubernetes.KSV011", - "Query": "data.builtin.kubernetes.KSV011.deny", - "Resolution": "Set a limit value under 'containers[].resources.limits.cpu'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv011", - 
"References": [ - "https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", - "https://avd.aquasec.com/misconfig/ksv011" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 2986, - "EndLine": 3004, - "Code": { - "Lines": [ - { - "Number": 2986, - "Content": " - command:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mcommand\u001b[0m:", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 2987, - "Content": " - /shared/argocd-dex", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - /shared/argocd-dex", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 2988, - "Content": " - rundex", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - rundex", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 2989, - "Content": " image: ghcr.io/dexidp/dex:v2.30.2", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: ghcr.io/dexidp/dex:v2.30.2", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 2990, - "Content": " imagePullPolicy: Always", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: Always", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 2991, - "Content": " name: dex", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mname\u001b[0m: dex", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 2992, - "Content": " ports:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mports\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 2993, - "Content": " - containerPort: 5556", - "IsCause": true, - "Annotation": 
"", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m5556", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 2994, - "Content": " - containerPort: 5557", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m - \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m5557", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 2995, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV011", - "AVDID": "AVD-KSV-0011", - "Title": "CPU not limited", - "Description": "Enforcing CPU limits prevents DoS via resource exhaustion.", - "Message": "Container 'redis' of Deployment 'argocd-redis' should set 'resources.limits.cpu'", - "Namespace": "builtin.kubernetes.KSV011", - "Query": "data.builtin.kubernetes.KSV011.deny", - "Resolution": "Set a limit value under 'containers[].resources.limits.cpu'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv011", - "References": [ - "https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", - "https://avd.aquasec.com/misconfig/ksv011" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 3059, - "EndLine": 3068, - "Code": { - "Lines": [ - { - "Number": 3059, - "Content": " - args:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33margs\u001b[0m:", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 3060, - "Content": " - --save", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - --save", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3061, - "Content": " - \"\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - 
"Highlighted": " - \u001b[38;5;37m\"\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3062, - "Content": " - --appendonly", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m - --appendonly", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3063, - "Content": " - \"no\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;37m\"no\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3064, - "Content": " image: redis:6.2.6-alpine", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mimage\u001b[0m: redis:6.2.6-alpine", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3065, - "Content": " imagePullPolicy: Always", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: Always", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3066, - "Content": " name: redis", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mname\u001b[0m: redis", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3067, - "Content": " ports:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mports\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3068, - "Content": " - containerPort: 6379", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m6379", - "FirstCause": false, - "LastCause": true - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV012", - "AVDID": "AVD-KSV-0012", - "Title": "Runs as root user", - "Description": "Force the running image to run as a non-root user to ensure least privileges.", - "Message": "Container 'copyutil' of Deployment 'argocd-dex-server' should set 
'securityContext.runAsNonRoot' to true", - "Namespace": "builtin.kubernetes.KSV012", - "Query": "data.builtin.kubernetes.KSV012.deny", - "Resolution": "Set 'containers[].securityContext.runAsNonRoot' to true.", - "Severity": "MEDIUM", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv012", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", - "https://avd.aquasec.com/misconfig/ksv012" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 3006, - "EndLine": 3018, - "Code": { - "Lines": [ - { - "Number": 3006, - "Content": " - command:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mcommand\u001b[0m:", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 3007, - "Content": " - cp", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - cp", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3008, - "Content": " - -n", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - -\u001b[38;5;166mn", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3009, - "Content": " - /usr/local/bin/argocd", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m - /usr/local/bin/argocd", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3010, - "Content": " - /shared/argocd-dex", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - /shared/argocd-dex", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3011, - "Content": " image: quay.io/argoproj/argocd:v2.4.0", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/argoproj/argocd:v2.4.0", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3012, - "Content": " imagePullPolicy: Always", - "IsCause": 
true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: Always", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3013, - "Content": " name: copyutil", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mname\u001b[0m: copyutil", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3014, - "Content": " volumeMounts:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvolumeMounts\u001b[0m:", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 3015, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV012", - "AVDID": "AVD-KSV-0012", - "Title": "Runs as root user", - "Description": "Force the running image to run as a non-root user to ensure least privileges.", - "Message": "Container 'copyutil' of Deployment 'argocd-repo-server' should set 'securityContext.runAsNonRoot' to true", - "Namespace": "builtin.kubernetes.KSV012", - "Query": "data.builtin.kubernetes.KSV012.deny", - "Resolution": "Set 'containers[].securityContext.runAsNonRoot' to true.", - "Severity": "MEDIUM", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv012", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", - "https://avd.aquasec.com/misconfig/ksv012" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 3242, - "EndLine": 3251, - "Code": { - "Lines": [ - { - "Number": 3242, - "Content": " - command:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mcommand\u001b[0m:", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 3243, - "Content": " - cp", - "IsCause": true, - "Annotation": "", - 
"Truncated": false, - "Highlighted": " - cp", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3244, - "Content": " - -n", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - -\u001b[38;5;166mn", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3245, - "Content": " - /usr/local/bin/argocd", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m - /usr/local/bin/argocd", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3246, - "Content": " - /var/run/argocd/argocd-cmp-server", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - /var/run/argocd/argocd-cmp-server", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3247, - "Content": " image: quay.io/argoproj/argocd:v2.4.0", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/argoproj/argocd:v2.4.0", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3248, - "Content": " name: copyutil", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mname\u001b[0m: copyutil", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3249, - "Content": " volumeMounts:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvolumeMounts\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3250, - "Content": " - mountPath: /var/run/argocd", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mmountPath\u001b[0m: /var/run/argocd", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3251, - "Content": " name: var-files", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mname\u001b[0m: var-files", - "FirstCause": false, - "LastCause": true - } - ] - } - } - }, - { - "Type": "Kubernetes 
Security Check", - "ID": "KSV014", - "AVDID": "AVD-KSV-0014", - "Title": "Root file system is not read-only", - "Description": "An immutable root file system prevents applications from writing to their local disk. This can limit intrusions, as attackers will not be able to tamper with the file system or write foreign executables to disk.", - "Message": "Container 'copyutil' of Deployment 'argocd-dex-server' should set 'securityContext.readOnlyRootFilesystem' to true", - "Namespace": "builtin.kubernetes.KSV014", - "Query": "data.builtin.kubernetes.KSV014.deny", - "Resolution": "Change 'containers[].securityContext.readOnlyRootFilesystem' to 'true'.", - "Severity": "HIGH", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv014", - "References": [ - "https://kubesec.io/basics/containers-securitycontext-readonlyrootfilesystem-true/", - "https://avd.aquasec.com/misconfig/ksv014" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 3006, - "EndLine": 3018, - "Code": { - "Lines": [ - { - "Number": 3006, - "Content": " - command:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mcommand\u001b[0m:", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 3007, - "Content": " - cp", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - cp", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3008, - "Content": " - -n", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - -\u001b[38;5;166mn", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3009, - "Content": " - /usr/local/bin/argocd", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m - /usr/local/bin/argocd", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3010, - "Content": " - /shared/argocd-dex", - "IsCause": true, - "Annotation": "", - "Truncated": 
false, - "Highlighted": " - /shared/argocd-dex", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3011, - "Content": " image: quay.io/argoproj/argocd:v2.4.0", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/argoproj/argocd:v2.4.0", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3012, - "Content": " imagePullPolicy: Always", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: Always", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3013, - "Content": " name: copyutil", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mname\u001b[0m: copyutil", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3014, - "Content": " volumeMounts:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvolumeMounts\u001b[0m:", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 3015, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV014", - "AVDID": "AVD-KSV-0014", - "Title": "Root file system is not read-only", - "Description": "An immutable root file system prevents applications from writing to their local disk. 
This can limit intrusions, as attackers will not be able to tamper with the file system or write foreign executables to disk.", - "Message": "Container 'copyutil' of Deployment 'argocd-repo-server' should set 'securityContext.readOnlyRootFilesystem' to true", - "Namespace": "builtin.kubernetes.KSV014", - "Query": "data.builtin.kubernetes.KSV014.deny", - "Resolution": "Change 'containers[].securityContext.readOnlyRootFilesystem' to 'true'.", - "Severity": "HIGH", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv014", - "References": [ - "https://kubesec.io/basics/containers-securitycontext-readonlyrootfilesystem-true/", - "https://avd.aquasec.com/misconfig/ksv014" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 3242, - "EndLine": 3251, - "Code": { - "Lines": [ - { - "Number": 3242, - "Content": " - command:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mcommand\u001b[0m:", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 3243, - "Content": " - cp", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - cp", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3244, - "Content": " - -n", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - -\u001b[38;5;166mn", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3245, - "Content": " - /usr/local/bin/argocd", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m - /usr/local/bin/argocd", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3246, - "Content": " - /var/run/argocd/argocd-cmp-server", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - /var/run/argocd/argocd-cmp-server", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3247, - "Content": " image: quay.io/argoproj/argocd:v2.4.0", - 
"IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/argoproj/argocd:v2.4.0", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3248, - "Content": " name: copyutil", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mname\u001b[0m: copyutil", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3249, - "Content": " volumeMounts:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvolumeMounts\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3250, - "Content": " - mountPath: /var/run/argocd", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mmountPath\u001b[0m: /var/run/argocd", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3251, - "Content": " name: var-files", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mname\u001b[0m: var-files", - "FirstCause": false, - "LastCause": true - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV014", - "AVDID": "AVD-KSV-0014", - "Title": "Root file system is not read-only", - "Description": "An immutable root file system prevents applications from writing to their local disk. 
This can limit intrusions, as attackers will not be able to tamper with the file system or write foreign executables to disk.", - "Message": "Container 'redis' of Deployment 'argocd-redis' should set 'securityContext.readOnlyRootFilesystem' to true", - "Namespace": "builtin.kubernetes.KSV014", - "Query": "data.builtin.kubernetes.KSV014.deny", - "Resolution": "Change 'containers[].securityContext.readOnlyRootFilesystem' to 'true'.", - "Severity": "HIGH", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv014", - "References": [ - "https://kubesec.io/basics/containers-securitycontext-readonlyrootfilesystem-true/", - "https://avd.aquasec.com/misconfig/ksv014" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 3059, - "EndLine": 3068, - "Code": { - "Lines": [ - { - "Number": 3059, - "Content": " - args:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33margs\u001b[0m:", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 3060, - "Content": " - --save", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - --save", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3061, - "Content": " - \"\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;37m\"\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3062, - "Content": " - --appendonly", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m - --appendonly", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3063, - "Content": " - \"no\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;37m\"no\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3064, - "Content": " image: redis:6.2.6-alpine", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": 
"\u001b[0m \u001b[38;5;33mimage\u001b[0m: redis:6.2.6-alpine", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3065, - "Content": " imagePullPolicy: Always", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: Always", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3066, - "Content": " name: redis", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mname\u001b[0m: redis", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3067, - "Content": " ports:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mports\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3068, - "Content": " - containerPort: 6379", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m6379", - "FirstCause": false, - "LastCause": true - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV015", - "AVDID": "AVD-KSV-0015", - "Title": "CPU requests not specified", - "Description": "When containers have resource requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", - "Message": "Container 'argocd-application-controller' of StatefulSet 'argocd-application-controller' should set 'resources.requests.cpu'", - "Namespace": "builtin.kubernetes.KSV015", - "Query": "data.builtin.kubernetes.KSV015.deny", - "Resolution": "Set 'containers[].resources.requests.cpu'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv015", - "References": [ - "https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", - "https://avd.aquasec.com/misconfig/ksv015" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - 
"Provider": "Kubernetes", - "Service": "general", - "StartLine": 3567, - "EndLine": 3699, - "Code": { - "Lines": [ - { - "Number": 3567, - "Content": " - command:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mcommand\u001b[0m:", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 3568, - "Content": " - argocd-application-controller", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - argocd-application-controller", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3569, - "Content": " - --operation-processors", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - --operation-processors", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3570, - "Content": " - \"25\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;37m\"25\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3571, - "Content": " - --status-processors", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m - --status-processors", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3572, - "Content": " - \"50\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;37m\"50\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3573, - "Content": " - --kubectl-parallelism-limit", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m - --kubectl-parallelism-limit", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3574, - "Content": " - \"35\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;37m\"35\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3575, - "Content": " - --repo-server-timeout-seconds", - "IsCause": true, - "Annotation": "", - "Truncated": false, - 
"Highlighted": "\u001b[0m - --repo-server-timeout-seconds", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 3576, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV015", - "AVDID": "AVD-KSV-0015", - "Title": "CPU requests not specified", - "Description": "When containers have resource requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", - "Message": "Container 'argocd-repo-server' of Deployment 'argocd-repo-server' should set 'resources.requests.cpu'", - "Namespace": "builtin.kubernetes.KSV015", - "Query": "data.builtin.kubernetes.KSV015.deny", - "Resolution": "Set 'containers[].resources.requests.cpu'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv015", - "References": [ - "https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", - "https://avd.aquasec.com/misconfig/ksv015" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 3108, - "EndLine": 3240, - "Code": { - "Lines": [ - { - "Number": 3108, - "Content": " - command:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mcommand\u001b[0m:", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 3109, - "Content": " - entrypoint.sh", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - entrypoint.sh", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3110, - "Content": " - argocd-repo-server", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - argocd-repo-server", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3111, - "Content": " - --redis", - "IsCause": 
true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - --redis", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3112, - "Content": " - argocd-redis:6379", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - argocd-redis:6379", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3113, - "Content": " - --repo-cache-expiration", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - --repo-cache-expiration", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3114, - "Content": " - 24h", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - 24h", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3115, - "Content": " - --parallelismlimit", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - --parallelismlimit", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3116, - "Content": " - \"50\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;37m\"50\"", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 3117, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV015", - "AVDID": "AVD-KSV-0015", - "Title": "CPU requests not specified", - "Description": "When containers have resource requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", - "Message": "Container 'argocd-server' of Deployment 'argocd-server' should set 'resources.requests.cpu'", - "Namespace": "builtin.kubernetes.KSV015", - "Query": "data.builtin.kubernetes.KSV015.deny", - "Resolution": "Set 'containers[].resources.requests.cpu'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv015", - "References": 
[ - "https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", - "https://avd.aquasec.com/misconfig/ksv015" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 3317, - "EndLine": 3505, - "Code": { - "Lines": [ - { - "Number": 3317, - "Content": " - command:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mcommand\u001b[0m:", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 3318, - "Content": " - argocd-server", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - argocd-server", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3319, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3320, - "Content": " - name: ARGOCD_SERVER_INSECURE", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: ARGOCD_SERVER_INSECURE", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3321, - "Content": " valueFrom:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalueFrom\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3322, - "Content": " configMapKeyRef:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mconfigMapKeyRef\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3323, - "Content": " key: server.insecure", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mkey\u001b[0m: server.insecure", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3324, - "Content": " name: argocd-cmd-params-cm", - "IsCause": true, - 
"Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mname\u001b[0m: argocd-cmd-params-cm", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3325, - "Content": " optional: true", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33moptional\u001b[0m: \u001b[38;5;166mtrue", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 3326, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV015", - "AVDID": "AVD-KSV-0015", - "Title": "CPU requests not specified", - "Description": "When containers have resource requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", - "Message": "Container 'copyutil' of Deployment 'argocd-dex-server' should set 'resources.requests.cpu'", - "Namespace": "builtin.kubernetes.KSV015", - "Query": "data.builtin.kubernetes.KSV015.deny", - "Resolution": "Set 'containers[].resources.requests.cpu'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv015", - "References": [ - "https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", - "https://avd.aquasec.com/misconfig/ksv015" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 3006, - "EndLine": 3018, - "Code": { - "Lines": [ - { - "Number": 3006, - "Content": " - command:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mcommand\u001b[0m:", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 3007, - "Content": " - cp", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - cp", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 
3008, - "Content": " - -n", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - -\u001b[38;5;166mn", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3009, - "Content": " - /usr/local/bin/argocd", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m - /usr/local/bin/argocd", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3010, - "Content": " - /shared/argocd-dex", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - /shared/argocd-dex", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3011, - "Content": " image: quay.io/argoproj/argocd:v2.4.0", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/argoproj/argocd:v2.4.0", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3012, - "Content": " imagePullPolicy: Always", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: Always", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3013, - "Content": " name: copyutil", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mname\u001b[0m: copyutil", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3014, - "Content": " volumeMounts:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvolumeMounts\u001b[0m:", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 3015, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV015", - "AVDID": "AVD-KSV-0015", - "Title": "CPU requests not specified", - "Description": "When containers have resource requests specified, the scheduler can make better decisions about which nodes to 
place pods on, and how to deal with resource contention.", - "Message": "Container 'copyutil' of Deployment 'argocd-repo-server' should set 'resources.requests.cpu'", - "Namespace": "builtin.kubernetes.KSV015", - "Query": "data.builtin.kubernetes.KSV015.deny", - "Resolution": "Set 'containers[].resources.requests.cpu'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv015", - "References": [ - "https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", - "https://avd.aquasec.com/misconfig/ksv015" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 3242, - "EndLine": 3251, - "Code": { - "Lines": [ - { - "Number": 3242, - "Content": " - command:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mcommand\u001b[0m:", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 3243, - "Content": " - cp", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - cp", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3244, - "Content": " - -n", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - -\u001b[38;5;166mn", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3245, - "Content": " - /usr/local/bin/argocd", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m - /usr/local/bin/argocd", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3246, - "Content": " - /var/run/argocd/argocd-cmp-server", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - /var/run/argocd/argocd-cmp-server", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3247, - "Content": " image: quay.io/argoproj/argocd:v2.4.0", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " 
\u001b[38;5;33mimage\u001b[0m: quay.io/argoproj/argocd:v2.4.0", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3248, - "Content": " name: copyutil", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mname\u001b[0m: copyutil", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3249, - "Content": " volumeMounts:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvolumeMounts\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3250, - "Content": " - mountPath: /var/run/argocd", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mmountPath\u001b[0m: /var/run/argocd", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3251, - "Content": " name: var-files", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mname\u001b[0m: var-files", - "FirstCause": false, - "LastCause": true - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV015", - "AVDID": "AVD-KSV-0015", - "Title": "CPU requests not specified", - "Description": "When containers have resource requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", - "Message": "Container 'dex' of Deployment 'argocd-dex-server' should set 'resources.requests.cpu'", - "Namespace": "builtin.kubernetes.KSV015", - "Query": "data.builtin.kubernetes.KSV015.deny", - "Resolution": "Set 'containers[].resources.requests.cpu'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv015", - "References": [ - "https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", - "https://avd.aquasec.com/misconfig/ksv015" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": 
"general", - "StartLine": 2986, - "EndLine": 3004, - "Code": { - "Lines": [ - { - "Number": 2986, - "Content": " - command:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mcommand\u001b[0m:", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 2987, - "Content": " - /shared/argocd-dex", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - /shared/argocd-dex", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 2988, - "Content": " - rundex", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - rundex", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 2989, - "Content": " image: ghcr.io/dexidp/dex:v2.30.2", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: ghcr.io/dexidp/dex:v2.30.2", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 2990, - "Content": " imagePullPolicy: Always", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: Always", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 2991, - "Content": " name: dex", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mname\u001b[0m: dex", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 2992, - "Content": " ports:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mports\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 2993, - "Content": " - containerPort: 5556", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m5556", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 2994, - "Content": " - containerPort: 5557", - "IsCause": true, - "Annotation": "", - "Truncated": false, - 
"Highlighted": "\u001b[0m - \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m5557", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 2995, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV015", - "AVDID": "AVD-KSV-0015", - "Title": "CPU requests not specified", - "Description": "When containers have resource requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", - "Message": "Container 'redis' of Deployment 'argocd-redis' should set 'resources.requests.cpu'", - "Namespace": "builtin.kubernetes.KSV015", - "Query": "data.builtin.kubernetes.KSV015.deny", - "Resolution": "Set 'containers[].resources.requests.cpu'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv015", - "References": [ - "https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", - "https://avd.aquasec.com/misconfig/ksv015" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 3059, - "EndLine": 3068, - "Code": { - "Lines": [ - { - "Number": 3059, - "Content": " - args:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33margs\u001b[0m:", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 3060, - "Content": " - --save", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - --save", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3061, - "Content": " - \"\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;37m\"\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3062, - "Content": " - --appendonly", - "IsCause": true, - 
"Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m - --appendonly", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3063, - "Content": " - \"no\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;37m\"no\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3064, - "Content": " image: redis:6.2.6-alpine", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mimage\u001b[0m: redis:6.2.6-alpine", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3065, - "Content": " imagePullPolicy: Always", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: Always", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3066, - "Content": " name: redis", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mname\u001b[0m: redis", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3067, - "Content": " ports:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mports\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3068, - "Content": " - containerPort: 6379", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m6379", - "FirstCause": false, - "LastCause": true - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV016", - "AVDID": "AVD-KSV-0016", - "Title": "Memory requests not specified", - "Description": "When containers have memory requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", - "Message": "Container 'argocd-application-controller' of StatefulSet 'argocd-application-controller' should set 'resources.requests.memory'", - 
"Namespace": "builtin.kubernetes.KSV016", - "Query": "data.builtin.kubernetes.KSV016.deny", - "Resolution": "Set 'containers[].resources.requests.memory'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv016", - "References": [ - "https://kubesec.io/basics/containers-resources-limits-memory/", - "https://avd.aquasec.com/misconfig/ksv016" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 3567, - "EndLine": 3699, - "Code": { - "Lines": [ - { - "Number": 3567, - "Content": " - command:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mcommand\u001b[0m:", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 3568, - "Content": " - argocd-application-controller", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - argocd-application-controller", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3569, - "Content": " - --operation-processors", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - --operation-processors", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3570, - "Content": " - \"25\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;37m\"25\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3571, - "Content": " - --status-processors", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m - --status-processors", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3572, - "Content": " - \"50\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;37m\"50\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3573, - "Content": " - --kubectl-parallelism-limit", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": 
"\u001b[0m - --kubectl-parallelism-limit", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3574, - "Content": " - \"35\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;37m\"35\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3575, - "Content": " - --repo-server-timeout-seconds", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m - --repo-server-timeout-seconds", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 3576, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV016", - "AVDID": "AVD-KSV-0016", - "Title": "Memory requests not specified", - "Description": "When containers have memory requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", - "Message": "Container 'argocd-repo-server' of Deployment 'argocd-repo-server' should set 'resources.requests.memory'", - "Namespace": "builtin.kubernetes.KSV016", - "Query": "data.builtin.kubernetes.KSV016.deny", - "Resolution": "Set 'containers[].resources.requests.memory'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv016", - "References": [ - "https://kubesec.io/basics/containers-resources-limits-memory/", - "https://avd.aquasec.com/misconfig/ksv016" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 3108, - "EndLine": 3240, - "Code": { - "Lines": [ - { - "Number": 3108, - "Content": " - command:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mcommand\u001b[0m:", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 3109, - "Content": " - entrypoint.sh", - "IsCause": true, - "Annotation": "", - 
"Truncated": false, - "Highlighted": " - entrypoint.sh", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3110, - "Content": " - argocd-repo-server", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - argocd-repo-server", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3111, - "Content": " - --redis", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - --redis", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3112, - "Content": " - argocd-redis:6379", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - argocd-redis:6379", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3113, - "Content": " - --repo-cache-expiration", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - --repo-cache-expiration", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3114, - "Content": " - 24h", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - 24h", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3115, - "Content": " - --parallelismlimit", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - --parallelismlimit", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3116, - "Content": " - \"50\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;37m\"50\"", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 3117, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV016", - "AVDID": "AVD-KSV-0016", - "Title": "Memory requests not specified", - "Description": "When containers have memory requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with 
resource contention.", - "Message": "Container 'argocd-server' of Deployment 'argocd-server' should set 'resources.requests.memory'", - "Namespace": "builtin.kubernetes.KSV016", - "Query": "data.builtin.kubernetes.KSV016.deny", - "Resolution": "Set 'containers[].resources.requests.memory'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv016", - "References": [ - "https://kubesec.io/basics/containers-resources-limits-memory/", - "https://avd.aquasec.com/misconfig/ksv016" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 3317, - "EndLine": 3505, - "Code": { - "Lines": [ - { - "Number": 3317, - "Content": " - command:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mcommand\u001b[0m:", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 3318, - "Content": " - argocd-server", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - argocd-server", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3319, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3320, - "Content": " - name: ARGOCD_SERVER_INSECURE", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: ARGOCD_SERVER_INSECURE", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3321, - "Content": " valueFrom:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalueFrom\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3322, - "Content": " configMapKeyRef:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mconfigMapKeyRef\u001b[0m:", - "FirstCause": false, - "LastCause": false - 
}, - { - "Number": 3323, - "Content": " key: server.insecure", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mkey\u001b[0m: server.insecure", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3324, - "Content": " name: argocd-cmd-params-cm", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mname\u001b[0m: argocd-cmd-params-cm", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3325, - "Content": " optional: true", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33moptional\u001b[0m: \u001b[38;5;166mtrue", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 3326, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV016", - "AVDID": "AVD-KSV-0016", - "Title": "Memory requests not specified", - "Description": "When containers have memory requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", - "Message": "Container 'copyutil' of Deployment 'argocd-dex-server' should set 'resources.requests.memory'", - "Namespace": "builtin.kubernetes.KSV016", - "Query": "data.builtin.kubernetes.KSV016.deny", - "Resolution": "Set 'containers[].resources.requests.memory'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv016", - "References": [ - "https://kubesec.io/basics/containers-resources-limits-memory/", - "https://avd.aquasec.com/misconfig/ksv016" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 3006, - "EndLine": 3018, - "Code": { - "Lines": [ - { - "Number": 3006, - "Content": " - command:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - 
\u001b[38;5;33mcommand\u001b[0m:", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 3007, - "Content": " - cp", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - cp", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3008, - "Content": " - -n", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - -\u001b[38;5;166mn", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3009, - "Content": " - /usr/local/bin/argocd", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m - /usr/local/bin/argocd", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3010, - "Content": " - /shared/argocd-dex", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - /shared/argocd-dex", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3011, - "Content": " image: quay.io/argoproj/argocd:v2.4.0", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/argoproj/argocd:v2.4.0", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3012, - "Content": " imagePullPolicy: Always", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: Always", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3013, - "Content": " name: copyutil", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mname\u001b[0m: copyutil", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3014, - "Content": " volumeMounts:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvolumeMounts\u001b[0m:", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 3015, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false 
- } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV016", - "AVDID": "AVD-KSV-0016", - "Title": "Memory requests not specified", - "Description": "When containers have memory requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", - "Message": "Container 'copyutil' of Deployment 'argocd-repo-server' should set 'resources.requests.memory'", - "Namespace": "builtin.kubernetes.KSV016", - "Query": "data.builtin.kubernetes.KSV016.deny", - "Resolution": "Set 'containers[].resources.requests.memory'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv016", - "References": [ - "https://kubesec.io/basics/containers-resources-limits-memory/", - "https://avd.aquasec.com/misconfig/ksv016" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 3242, - "EndLine": 3251, - "Code": { - "Lines": [ - { - "Number": 3242, - "Content": " - command:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mcommand\u001b[0m:", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 3243, - "Content": " - cp", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - cp", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3244, - "Content": " - -n", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - -\u001b[38;5;166mn", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3245, - "Content": " - /usr/local/bin/argocd", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m - /usr/local/bin/argocd", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3246, - "Content": " - /var/run/argocd/argocd-cmp-server", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - 
/var/run/argocd/argocd-cmp-server", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3247, - "Content": " image: quay.io/argoproj/argocd:v2.4.0", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/argoproj/argocd:v2.4.0", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3248, - "Content": " name: copyutil", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mname\u001b[0m: copyutil", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3249, - "Content": " volumeMounts:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvolumeMounts\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3250, - "Content": " - mountPath: /var/run/argocd", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mmountPath\u001b[0m: /var/run/argocd", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3251, - "Content": " name: var-files", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mname\u001b[0m: var-files", - "FirstCause": false, - "LastCause": true - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV016", - "AVDID": "AVD-KSV-0016", - "Title": "Memory requests not specified", - "Description": "When containers have memory requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", - "Message": "Container 'dex' of Deployment 'argocd-dex-server' should set 'resources.requests.memory'", - "Namespace": "builtin.kubernetes.KSV016", - "Query": "data.builtin.kubernetes.KSV016.deny", - "Resolution": "Set 'containers[].resources.requests.memory'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv016", - "References": [ - 
"https://kubesec.io/basics/containers-resources-limits-memory/", - "https://avd.aquasec.com/misconfig/ksv016" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 2986, - "EndLine": 3004, - "Code": { - "Lines": [ - { - "Number": 2986, - "Content": " - command:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mcommand\u001b[0m:", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 2987, - "Content": " - /shared/argocd-dex", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - /shared/argocd-dex", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 2988, - "Content": " - rundex", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - rundex", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 2989, - "Content": " image: ghcr.io/dexidp/dex:v2.30.2", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: ghcr.io/dexidp/dex:v2.30.2", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 2990, - "Content": " imagePullPolicy: Always", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: Always", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 2991, - "Content": " name: dex", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mname\u001b[0m: dex", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 2992, - "Content": " ports:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mports\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 2993, - "Content": " - containerPort: 5556", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - 
\u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m5556", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 2994, - "Content": " - containerPort: 5557", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m - \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m5557", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 2995, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV016", - "AVDID": "AVD-KSV-0016", - "Title": "Memory requests not specified", - "Description": "When containers have memory requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", - "Message": "Container 'redis' of Deployment 'argocd-redis' should set 'resources.requests.memory'", - "Namespace": "builtin.kubernetes.KSV016", - "Query": "data.builtin.kubernetes.KSV016.deny", - "Resolution": "Set 'containers[].resources.requests.memory'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv016", - "References": [ - "https://kubesec.io/basics/containers-resources-limits-memory/", - "https://avd.aquasec.com/misconfig/ksv016" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 3059, - "EndLine": 3068, - "Code": { - "Lines": [ - { - "Number": 3059, - "Content": " - args:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33margs\u001b[0m:", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 3060, - "Content": " - --save", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - --save", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3061, - "Content": " - \"\"", - "IsCause": true, - "Annotation": "", - 
"Truncated": false, - "Highlighted": " - \u001b[38;5;37m\"\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3062, - "Content": " - --appendonly", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m - --appendonly", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3063, - "Content": " - \"no\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;37m\"no\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3064, - "Content": " image: redis:6.2.6-alpine", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mimage\u001b[0m: redis:6.2.6-alpine", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3065, - "Content": " imagePullPolicy: Always", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: Always", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3066, - "Content": " name: redis", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mname\u001b[0m: redis", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3067, - "Content": " ports:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mports\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3068, - "Content": " - containerPort: 6379", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m6379", - "FirstCause": false, - "LastCause": true - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV018", - "AVDID": "AVD-KSV-0018", - "Title": "Memory not limited", - "Description": "Enforcing memory limits prevents DoS via resource exhaustion.", - "Message": "Container 'argocd-application-controller' of StatefulSet 
'argocd-application-controller' should set 'resources.limits.memory'", - "Namespace": "builtin.kubernetes.KSV018", - "Query": "data.builtin.kubernetes.KSV018.deny", - "Resolution": "Set a limit value under 'containers[].resources.limits.memory'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv018", - "References": [ - "https://kubesec.io/basics/containers-resources-limits-memory/", - "https://avd.aquasec.com/misconfig/ksv018" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 3567, - "EndLine": 3699, - "Code": { - "Lines": [ - { - "Number": 3567, - "Content": " - command:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mcommand\u001b[0m:", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 3568, - "Content": " - argocd-application-controller", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - argocd-application-controller", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3569, - "Content": " - --operation-processors", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - --operation-processors", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3570, - "Content": " - \"25\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;37m\"25\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3571, - "Content": " - --status-processors", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m - --status-processors", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3572, - "Content": " - \"50\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;37m\"50\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3573, - "Content": " - 
--kubectl-parallelism-limit", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m - --kubectl-parallelism-limit", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3574, - "Content": " - \"35\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;37m\"35\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3575, - "Content": " - --repo-server-timeout-seconds", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m - --repo-server-timeout-seconds", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 3576, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV018", - "AVDID": "AVD-KSV-0018", - "Title": "Memory not limited", - "Description": "Enforcing memory limits prevents DoS via resource exhaustion.", - "Message": "Container 'argocd-repo-server' of Deployment 'argocd-repo-server' should set 'resources.limits.memory'", - "Namespace": "builtin.kubernetes.KSV018", - "Query": "data.builtin.kubernetes.KSV018.deny", - "Resolution": "Set a limit value under 'containers[].resources.limits.memory'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv018", - "References": [ - "https://kubesec.io/basics/containers-resources-limits-memory/", - "https://avd.aquasec.com/misconfig/ksv018" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 3108, - "EndLine": 3240, - "Code": { - "Lines": [ - { - "Number": 3108, - "Content": " - command:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mcommand\u001b[0m:", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 3109, - "Content": " - entrypoint.sh", - "IsCause": true, - 
"Annotation": "", - "Truncated": false, - "Highlighted": " - entrypoint.sh", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3110, - "Content": " - argocd-repo-server", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - argocd-repo-server", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3111, - "Content": " - --redis", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - --redis", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3112, - "Content": " - argocd-redis:6379", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - argocd-redis:6379", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3113, - "Content": " - --repo-cache-expiration", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - --repo-cache-expiration", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3114, - "Content": " - 24h", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - 24h", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3115, - "Content": " - --parallelismlimit", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - --parallelismlimit", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3116, - "Content": " - \"50\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;37m\"50\"", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 3117, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV018", - "AVDID": "AVD-KSV-0018", - "Title": "Memory not limited", - "Description": "Enforcing memory limits prevents DoS via resource exhaustion.", - "Message": "Container 'argocd-server' of Deployment 'argocd-server' 
should set 'resources.limits.memory'", - "Namespace": "builtin.kubernetes.KSV018", - "Query": "data.builtin.kubernetes.KSV018.deny", - "Resolution": "Set a limit value under 'containers[].resources.limits.memory'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv018", - "References": [ - "https://kubesec.io/basics/containers-resources-limits-memory/", - "https://avd.aquasec.com/misconfig/ksv018" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 3317, - "EndLine": 3505, - "Code": { - "Lines": [ - { - "Number": 3317, - "Content": " - command:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mcommand\u001b[0m:", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 3318, - "Content": " - argocd-server", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - argocd-server", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3319, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3320, - "Content": " - name: ARGOCD_SERVER_INSECURE", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: ARGOCD_SERVER_INSECURE", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3321, - "Content": " valueFrom:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalueFrom\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3322, - "Content": " configMapKeyRef:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mconfigMapKeyRef\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3323, - "Content": " key: server.insecure", - "IsCause": 
true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mkey\u001b[0m: server.insecure", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3324, - "Content": " name: argocd-cmd-params-cm", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mname\u001b[0m: argocd-cmd-params-cm", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3325, - "Content": " optional: true", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33moptional\u001b[0m: \u001b[38;5;166mtrue", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 3326, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV018", - "AVDID": "AVD-KSV-0018", - "Title": "Memory not limited", - "Description": "Enforcing memory limits prevents DoS via resource exhaustion.", - "Message": "Container 'copyutil' of Deployment 'argocd-dex-server' should set 'resources.limits.memory'", - "Namespace": "builtin.kubernetes.KSV018", - "Query": "data.builtin.kubernetes.KSV018.deny", - "Resolution": "Set a limit value under 'containers[].resources.limits.memory'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv018", - "References": [ - "https://kubesec.io/basics/containers-resources-limits-memory/", - "https://avd.aquasec.com/misconfig/ksv018" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 3006, - "EndLine": 3018, - "Code": { - "Lines": [ - { - "Number": 3006, - "Content": " - command:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mcommand\u001b[0m:", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 3007, - "Content": " - cp", - "IsCause": true, - "Annotation": "", - 
"Truncated": false, - "Highlighted": " - cp", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3008, - "Content": " - -n", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - -\u001b[38;5;166mn", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3009, - "Content": " - /usr/local/bin/argocd", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m - /usr/local/bin/argocd", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3010, - "Content": " - /shared/argocd-dex", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - /shared/argocd-dex", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3011, - "Content": " image: quay.io/argoproj/argocd:v2.4.0", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/argoproj/argocd:v2.4.0", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3012, - "Content": " imagePullPolicy: Always", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: Always", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3013, - "Content": " name: copyutil", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mname\u001b[0m: copyutil", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3014, - "Content": " volumeMounts:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvolumeMounts\u001b[0m:", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 3015, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV018", - "AVDID": "AVD-KSV-0018", - "Title": "Memory not limited", - "Description": 
"Enforcing memory limits prevents DoS via resource exhaustion.", - "Message": "Container 'copyutil' of Deployment 'argocd-repo-server' should set 'resources.limits.memory'", - "Namespace": "builtin.kubernetes.KSV018", - "Query": "data.builtin.kubernetes.KSV018.deny", - "Resolution": "Set a limit value under 'containers[].resources.limits.memory'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv018", - "References": [ - "https://kubesec.io/basics/containers-resources-limits-memory/", - "https://avd.aquasec.com/misconfig/ksv018" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 3242, - "EndLine": 3251, - "Code": { - "Lines": [ - { - "Number": 3242, - "Content": " - command:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mcommand\u001b[0m:", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 3243, - "Content": " - cp", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - cp", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3244, - "Content": " - -n", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - -\u001b[38;5;166mn", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3245, - "Content": " - /usr/local/bin/argocd", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m - /usr/local/bin/argocd", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3246, - "Content": " - /var/run/argocd/argocd-cmp-server", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - /var/run/argocd/argocd-cmp-server", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3247, - "Content": " image: quay.io/argoproj/argocd:v2.4.0", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: 
quay.io/argoproj/argocd:v2.4.0", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3248, - "Content": " name: copyutil", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mname\u001b[0m: copyutil", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3249, - "Content": " volumeMounts:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvolumeMounts\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3250, - "Content": " - mountPath: /var/run/argocd", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mmountPath\u001b[0m: /var/run/argocd", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3251, - "Content": " name: var-files", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mname\u001b[0m: var-files", - "FirstCause": false, - "LastCause": true - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV018", - "AVDID": "AVD-KSV-0018", - "Title": "Memory not limited", - "Description": "Enforcing memory limits prevents DoS via resource exhaustion.", - "Message": "Container 'dex' of Deployment 'argocd-dex-server' should set 'resources.limits.memory'", - "Namespace": "builtin.kubernetes.KSV018", - "Query": "data.builtin.kubernetes.KSV018.deny", - "Resolution": "Set a limit value under 'containers[].resources.limits.memory'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv018", - "References": [ - "https://kubesec.io/basics/containers-resources-limits-memory/", - "https://avd.aquasec.com/misconfig/ksv018" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 2986, - "EndLine": 3004, - "Code": { - "Lines": [ - { - "Number": 2986, - "Content": " - command:", - "IsCause": true, - "Annotation": "", - "Truncated": 
false, - "Highlighted": " - \u001b[38;5;33mcommand\u001b[0m:", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 2987, - "Content": " - /shared/argocd-dex", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - /shared/argocd-dex", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 2988, - "Content": " - rundex", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - rundex", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 2989, - "Content": " image: ghcr.io/dexidp/dex:v2.30.2", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: ghcr.io/dexidp/dex:v2.30.2", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 2990, - "Content": " imagePullPolicy: Always", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: Always", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 2991, - "Content": " name: dex", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mname\u001b[0m: dex", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 2992, - "Content": " ports:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mports\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 2993, - "Content": " - containerPort: 5556", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m5556", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 2994, - "Content": " - containerPort: 5557", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m - \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m5557", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 2995, - "Content": "", - 
"IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV018", - "AVDID": "AVD-KSV-0018", - "Title": "Memory not limited", - "Description": "Enforcing memory limits prevents DoS via resource exhaustion.", - "Message": "Container 'redis' of Deployment 'argocd-redis' should set 'resources.limits.memory'", - "Namespace": "builtin.kubernetes.KSV018", - "Query": "data.builtin.kubernetes.KSV018.deny", - "Resolution": "Set a limit value under 'containers[].resources.limits.memory'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv018", - "References": [ - "https://kubesec.io/basics/containers-resources-limits-memory/", - "https://avd.aquasec.com/misconfig/ksv018" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 3059, - "EndLine": 3068, - "Code": { - "Lines": [ - { - "Number": 3059, - "Content": " - args:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33margs\u001b[0m:", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 3060, - "Content": " - --save", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - --save", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3061, - "Content": " - \"\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;37m\"\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3062, - "Content": " - --appendonly", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m - --appendonly", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3063, - "Content": " - \"no\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;37m\"no\"", - "FirstCause": false, - "LastCause": false - 
}, - { - "Number": 3064, - "Content": " image: redis:6.2.6-alpine", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mimage\u001b[0m: redis:6.2.6-alpine", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3065, - "Content": " imagePullPolicy: Always", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: Always", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3066, - "Content": " name: redis", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mname\u001b[0m: redis", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3067, - "Content": " ports:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mports\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3068, - "Content": " - containerPort: 6379", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m6379", - "FirstCause": false, - "LastCause": true - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV020", - "AVDID": "AVD-KSV-0020", - "Title": "Runs with UID \u003c= 10000", - "Description": "Force the container to run with user ID \u003e 10000 to avoid conflicts with the host’s user table.", - "Message": "Container 'argocd-application-controller' of StatefulSet 'argocd-application-controller' should set 'securityContext.runAsUser' \u003e 10000", - "Namespace": "builtin.kubernetes.KSV020", - "Query": "data.builtin.kubernetes.KSV020.deny", - "Resolution": "Set 'containers[].securityContext.runAsUser' to an integer \u003e 10000.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv020", - "References": [ - "https://kubesec.io/basics/containers-securitycontext-runasuser/", - "https://avd.aquasec.com/misconfig/ksv020" 
- ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 3567, - "EndLine": 3699, - "Code": { - "Lines": [ - { - "Number": 3567, - "Content": " - command:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mcommand\u001b[0m:", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 3568, - "Content": " - argocd-application-controller", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - argocd-application-controller", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3569, - "Content": " - --operation-processors", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - --operation-processors", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3570, - "Content": " - \"25\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;37m\"25\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3571, - "Content": " - --status-processors", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m - --status-processors", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3572, - "Content": " - \"50\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;37m\"50\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3573, - "Content": " - --kubectl-parallelism-limit", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m - --kubectl-parallelism-limit", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3574, - "Content": " - \"35\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;37m\"35\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3575, - "Content": " - --repo-server-timeout-seconds", - 
"IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m - --repo-server-timeout-seconds", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 3576, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV020", - "AVDID": "AVD-KSV-0020", - "Title": "Runs with UID \u003c= 10000", - "Description": "Force the container to run with user ID \u003e 10000 to avoid conflicts with the host’s user table.", - "Message": "Container 'argocd-repo-server' of Deployment 'argocd-repo-server' should set 'securityContext.runAsUser' \u003e 10000", - "Namespace": "builtin.kubernetes.KSV020", - "Query": "data.builtin.kubernetes.KSV020.deny", - "Resolution": "Set 'containers[].securityContext.runAsUser' to an integer \u003e 10000.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv020", - "References": [ - "https://kubesec.io/basics/containers-securitycontext-runasuser/", - "https://avd.aquasec.com/misconfig/ksv020" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 3108, - "EndLine": 3240, - "Code": { - "Lines": [ - { - "Number": 3108, - "Content": " - command:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mcommand\u001b[0m:", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 3109, - "Content": " - entrypoint.sh", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - entrypoint.sh", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3110, - "Content": " - argocd-repo-server", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - argocd-repo-server", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3111, - "Content": " - --redis", - "IsCause": true, - 
"Annotation": "", - "Truncated": false, - "Highlighted": " - --redis", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3112, - "Content": " - argocd-redis:6379", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - argocd-redis:6379", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3113, - "Content": " - --repo-cache-expiration", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - --repo-cache-expiration", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3114, - "Content": " - 24h", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - 24h", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3115, - "Content": " - --parallelismlimit", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - --parallelismlimit", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3116, - "Content": " - \"50\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;37m\"50\"", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 3117, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV020", - "AVDID": "AVD-KSV-0020", - "Title": "Runs with UID \u003c= 10000", - "Description": "Force the container to run with user ID \u003e 10000 to avoid conflicts with the host’s user table.", - "Message": "Container 'argocd-server' of Deployment 'argocd-server' should set 'securityContext.runAsUser' \u003e 10000", - "Namespace": "builtin.kubernetes.KSV020", - "Query": "data.builtin.kubernetes.KSV020.deny", - "Resolution": "Set 'containers[].securityContext.runAsUser' to an integer \u003e 10000.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv020", - "References": [ - 
"https://kubesec.io/basics/containers-securitycontext-runasuser/", - "https://avd.aquasec.com/misconfig/ksv020" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 3317, - "EndLine": 3505, - "Code": { - "Lines": [ - { - "Number": 3317, - "Content": " - command:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mcommand\u001b[0m:", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 3318, - "Content": " - argocd-server", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - argocd-server", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3319, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3320, - "Content": " - name: ARGOCD_SERVER_INSECURE", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: ARGOCD_SERVER_INSECURE", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3321, - "Content": " valueFrom:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalueFrom\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3322, - "Content": " configMapKeyRef:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mconfigMapKeyRef\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3323, - "Content": " key: server.insecure", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mkey\u001b[0m: server.insecure", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3324, - "Content": " name: argocd-cmd-params-cm", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " 
\u001b[38;5;33mname\u001b[0m: argocd-cmd-params-cm", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3325, - "Content": " optional: true", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33moptional\u001b[0m: \u001b[38;5;166mtrue", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 3326, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV020", - "AVDID": "AVD-KSV-0020", - "Title": "Runs with UID \u003c= 10000", - "Description": "Force the container to run with user ID \u003e 10000 to avoid conflicts with the host’s user table.", - "Message": "Container 'copyutil' of Deployment 'argocd-dex-server' should set 'securityContext.runAsUser' \u003e 10000", - "Namespace": "builtin.kubernetes.KSV020", - "Query": "data.builtin.kubernetes.KSV020.deny", - "Resolution": "Set 'containers[].securityContext.runAsUser' to an integer \u003e 10000.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv020", - "References": [ - "https://kubesec.io/basics/containers-securitycontext-runasuser/", - "https://avd.aquasec.com/misconfig/ksv020" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 3006, - "EndLine": 3018, - "Code": { - "Lines": [ - { - "Number": 3006, - "Content": " - command:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mcommand\u001b[0m:", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 3007, - "Content": " - cp", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - cp", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3008, - "Content": " - -n", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - -\u001b[38;5;166mn", - 
"FirstCause": false, - "LastCause": false - }, - { - "Number": 3009, - "Content": " - /usr/local/bin/argocd", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m - /usr/local/bin/argocd", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3010, - "Content": " - /shared/argocd-dex", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - /shared/argocd-dex", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3011, - "Content": " image: quay.io/argoproj/argocd:v2.4.0", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/argoproj/argocd:v2.4.0", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3012, - "Content": " imagePullPolicy: Always", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: Always", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3013, - "Content": " name: copyutil", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mname\u001b[0m: copyutil", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3014, - "Content": " volumeMounts:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvolumeMounts\u001b[0m:", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 3015, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV020", - "AVDID": "AVD-KSV-0020", - "Title": "Runs with UID \u003c= 10000", - "Description": "Force the container to run with user ID \u003e 10000 to avoid conflicts with the host’s user table.", - "Message": "Container 'copyutil' of Deployment 'argocd-repo-server' should set 'securityContext.runAsUser' \u003e 10000", - "Namespace": 
"builtin.kubernetes.KSV020", - "Query": "data.builtin.kubernetes.KSV020.deny", - "Resolution": "Set 'containers[].securityContext.runAsUser' to an integer \u003e 10000.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv020", - "References": [ - "https://kubesec.io/basics/containers-securitycontext-runasuser/", - "https://avd.aquasec.com/misconfig/ksv020" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 3242, - "EndLine": 3251, - "Code": { - "Lines": [ - { - "Number": 3242, - "Content": " - command:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mcommand\u001b[0m:", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 3243, - "Content": " - cp", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - cp", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3244, - "Content": " - -n", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - -\u001b[38;5;166mn", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3245, - "Content": " - /usr/local/bin/argocd", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m - /usr/local/bin/argocd", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3246, - "Content": " - /var/run/argocd/argocd-cmp-server", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - /var/run/argocd/argocd-cmp-server", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3247, - "Content": " image: quay.io/argoproj/argocd:v2.4.0", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/argoproj/argocd:v2.4.0", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3248, - "Content": " name: copyutil", - "IsCause": true, - "Annotation": "", - "Truncated": 
false, - "Highlighted": " \u001b[38;5;33mname\u001b[0m: copyutil", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3249, - "Content": " volumeMounts:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvolumeMounts\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3250, - "Content": " - mountPath: /var/run/argocd", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mmountPath\u001b[0m: /var/run/argocd", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3251, - "Content": " name: var-files", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mname\u001b[0m: var-files", - "FirstCause": false, - "LastCause": true - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV020", - "AVDID": "AVD-KSV-0020", - "Title": "Runs with UID \u003c= 10000", - "Description": "Force the container to run with user ID \u003e 10000 to avoid conflicts with the host’s user table.", - "Message": "Container 'dex' of Deployment 'argocd-dex-server' should set 'securityContext.runAsUser' \u003e 10000", - "Namespace": "builtin.kubernetes.KSV020", - "Query": "data.builtin.kubernetes.KSV020.deny", - "Resolution": "Set 'containers[].securityContext.runAsUser' to an integer \u003e 10000.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv020", - "References": [ - "https://kubesec.io/basics/containers-securitycontext-runasuser/", - "https://avd.aquasec.com/misconfig/ksv020" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 2986, - "EndLine": 3004, - "Code": { - "Lines": [ - { - "Number": 2986, - "Content": " - command:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mcommand\u001b[0m:", - "FirstCause": true, - "LastCause": false - }, - { - 
"Number": 2987, - "Content": " - /shared/argocd-dex", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - /shared/argocd-dex", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 2988, - "Content": " - rundex", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - rundex", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 2989, - "Content": " image: ghcr.io/dexidp/dex:v2.30.2", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: ghcr.io/dexidp/dex:v2.30.2", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 2990, - "Content": " imagePullPolicy: Always", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: Always", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 2991, - "Content": " name: dex", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mname\u001b[0m: dex", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 2992, - "Content": " ports:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mports\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 2993, - "Content": " - containerPort: 5556", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m5556", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 2994, - "Content": " - containerPort: 5557", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m - \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m5557", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 2995, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, 
- { - "Type": "Kubernetes Security Check", - "ID": "KSV020", - "AVDID": "AVD-KSV-0020", - "Title": "Runs with UID \u003c= 10000", - "Description": "Force the container to run with user ID \u003e 10000 to avoid conflicts with the host’s user table.", - "Message": "Container 'redis' of Deployment 'argocd-redis' should set 'securityContext.runAsUser' \u003e 10000", - "Namespace": "builtin.kubernetes.KSV020", - "Query": "data.builtin.kubernetes.KSV020.deny", - "Resolution": "Set 'containers[].securityContext.runAsUser' to an integer \u003e 10000.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv020", - "References": [ - "https://kubesec.io/basics/containers-securitycontext-runasuser/", - "https://avd.aquasec.com/misconfig/ksv020" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 3059, - "EndLine": 3068, - "Code": { - "Lines": [ - { - "Number": 3059, - "Content": " - args:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33margs\u001b[0m:", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 3060, - "Content": " - --save", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - --save", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3061, - "Content": " - \"\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;37m\"\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3062, - "Content": " - --appendonly", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m - --appendonly", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3063, - "Content": " - \"no\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;37m\"no\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3064, - "Content": " image: 
redis:6.2.6-alpine", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mimage\u001b[0m: redis:6.2.6-alpine", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3065, - "Content": " imagePullPolicy: Always", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: Always", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3066, - "Content": " name: redis", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mname\u001b[0m: redis", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3067, - "Content": " ports:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mports\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3068, - "Content": " - containerPort: 6379", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m6379", - "FirstCause": false, - "LastCause": true - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV021", - "AVDID": "AVD-KSV-0021", - "Title": "Runs with GID \u003c= 10000", - "Description": "Force the container to run with group ID \u003e 10000 to avoid conflicts with the host’s user table.", - "Message": "Container 'argocd-application-controller' of StatefulSet 'argocd-application-controller' should set 'securityContext.runAsGroup' \u003e 10000", - "Namespace": "builtin.kubernetes.KSV021", - "Query": "data.builtin.kubernetes.KSV021.deny", - "Resolution": "Set 'containers[].securityContext.runAsGroup' to an integer \u003e 10000.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv021", - "References": [ - "https://kubesec.io/basics/containers-securitycontext-runasuser/", - "https://avd.aquasec.com/misconfig/ksv021" - ], - "Status": "FAIL", - "Layer": {}, - 
"CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 3567, - "EndLine": 3699, - "Code": { - "Lines": [ - { - "Number": 3567, - "Content": " - command:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mcommand\u001b[0m:", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 3568, - "Content": " - argocd-application-controller", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - argocd-application-controller", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3569, - "Content": " - --operation-processors", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - --operation-processors", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3570, - "Content": " - \"25\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;37m\"25\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3571, - "Content": " - --status-processors", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m - --status-processors", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3572, - "Content": " - \"50\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;37m\"50\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3573, - "Content": " - --kubectl-parallelism-limit", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m - --kubectl-parallelism-limit", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3574, - "Content": " - \"35\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;37m\"35\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3575, - "Content": " - --repo-server-timeout-seconds", - "IsCause": true, - "Annotation": "", - 
"Truncated": false, - "Highlighted": "\u001b[0m - --repo-server-timeout-seconds", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 3576, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV021", - "AVDID": "AVD-KSV-0021", - "Title": "Runs with GID \u003c= 10000", - "Description": "Force the container to run with group ID \u003e 10000 to avoid conflicts with the host’s user table.", - "Message": "Container 'argocd-repo-server' of Deployment 'argocd-repo-server' should set 'securityContext.runAsGroup' \u003e 10000", - "Namespace": "builtin.kubernetes.KSV021", - "Query": "data.builtin.kubernetes.KSV021.deny", - "Resolution": "Set 'containers[].securityContext.runAsGroup' to an integer \u003e 10000.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv021", - "References": [ - "https://kubesec.io/basics/containers-securitycontext-runasuser/", - "https://avd.aquasec.com/misconfig/ksv021" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 3108, - "EndLine": 3240, - "Code": { - "Lines": [ - { - "Number": 3108, - "Content": " - command:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mcommand\u001b[0m:", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 3109, - "Content": " - entrypoint.sh", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - entrypoint.sh", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3110, - "Content": " - argocd-repo-server", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - argocd-repo-server", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3111, - "Content": " - --redis", - "IsCause": true, - "Annotation": "", - "Truncated": false, - 
"Highlighted": " - --redis", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3112, - "Content": " - argocd-redis:6379", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - argocd-redis:6379", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3113, - "Content": " - --repo-cache-expiration", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - --repo-cache-expiration", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3114, - "Content": " - 24h", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - 24h", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3115, - "Content": " - --parallelismlimit", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - --parallelismlimit", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3116, - "Content": " - \"50\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;37m\"50\"", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 3117, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV021", - "AVDID": "AVD-KSV-0021", - "Title": "Runs with GID \u003c= 10000", - "Description": "Force the container to run with group ID \u003e 10000 to avoid conflicts with the host’s user table.", - "Message": "Container 'argocd-server' of Deployment 'argocd-server' should set 'securityContext.runAsGroup' \u003e 10000", - "Namespace": "builtin.kubernetes.KSV021", - "Query": "data.builtin.kubernetes.KSV021.deny", - "Resolution": "Set 'containers[].securityContext.runAsGroup' to an integer \u003e 10000.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv021", - "References": [ - 
"https://kubesec.io/basics/containers-securitycontext-runasuser/", - "https://avd.aquasec.com/misconfig/ksv021" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 3317, - "EndLine": 3505, - "Code": { - "Lines": [ - { - "Number": 3317, - "Content": " - command:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mcommand\u001b[0m:", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 3318, - "Content": " - argocd-server", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - argocd-server", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3319, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3320, - "Content": " - name: ARGOCD_SERVER_INSECURE", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: ARGOCD_SERVER_INSECURE", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3321, - "Content": " valueFrom:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalueFrom\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3322, - "Content": " configMapKeyRef:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mconfigMapKeyRef\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3323, - "Content": " key: server.insecure", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mkey\u001b[0m: server.insecure", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3324, - "Content": " name: argocd-cmd-params-cm", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " 
\u001b[38;5;33mname\u001b[0m: argocd-cmd-params-cm", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3325, - "Content": " optional: true", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33moptional\u001b[0m: \u001b[38;5;166mtrue", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 3326, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV021", - "AVDID": "AVD-KSV-0021", - "Title": "Runs with GID \u003c= 10000", - "Description": "Force the container to run with group ID \u003e 10000 to avoid conflicts with the host’s user table.", - "Message": "Container 'copyutil' of Deployment 'argocd-dex-server' should set 'securityContext.runAsGroup' \u003e 10000", - "Namespace": "builtin.kubernetes.KSV021", - "Query": "data.builtin.kubernetes.KSV021.deny", - "Resolution": "Set 'containers[].securityContext.runAsGroup' to an integer \u003e 10000.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv021", - "References": [ - "https://kubesec.io/basics/containers-securitycontext-runasuser/", - "https://avd.aquasec.com/misconfig/ksv021" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 3006, - "EndLine": 3018, - "Code": { - "Lines": [ - { - "Number": 3006, - "Content": " - command:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mcommand\u001b[0m:", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 3007, - "Content": " - cp", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - cp", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3008, - "Content": " - -n", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - 
-\u001b[38;5;166mn", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3009, - "Content": " - /usr/local/bin/argocd", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m - /usr/local/bin/argocd", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3010, - "Content": " - /shared/argocd-dex", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - /shared/argocd-dex", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3011, - "Content": " image: quay.io/argoproj/argocd:v2.4.0", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/argoproj/argocd:v2.4.0", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3012, - "Content": " imagePullPolicy: Always", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: Always", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3013, - "Content": " name: copyutil", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mname\u001b[0m: copyutil", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3014, - "Content": " volumeMounts:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvolumeMounts\u001b[0m:", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 3015, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV021", - "AVDID": "AVD-KSV-0021", - "Title": "Runs with GID \u003c= 10000", - "Description": "Force the container to run with group ID \u003e 10000 to avoid conflicts with the host’s user table.", - "Message": "Container 'copyutil' of Deployment 'argocd-repo-server' should set 'securityContext.runAsGroup' \u003e 
10000", - "Namespace": "builtin.kubernetes.KSV021", - "Query": "data.builtin.kubernetes.KSV021.deny", - "Resolution": "Set 'containers[].securityContext.runAsGroup' to an integer \u003e 10000.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv021", - "References": [ - "https://kubesec.io/basics/containers-securitycontext-runasuser/", - "https://avd.aquasec.com/misconfig/ksv021" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 3242, - "EndLine": 3251, - "Code": { - "Lines": [ - { - "Number": 3242, - "Content": " - command:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mcommand\u001b[0m:", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 3243, - "Content": " - cp", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - cp", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3244, - "Content": " - -n", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - -\u001b[38;5;166mn", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3245, - "Content": " - /usr/local/bin/argocd", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m - /usr/local/bin/argocd", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3246, - "Content": " - /var/run/argocd/argocd-cmp-server", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - /var/run/argocd/argocd-cmp-server", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3247, - "Content": " image: quay.io/argoproj/argocd:v2.4.0", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/argoproj/argocd:v2.4.0", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3248, - "Content": " name: copyutil", - "IsCause": true, - 
"Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mname\u001b[0m: copyutil", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3249, - "Content": " volumeMounts:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvolumeMounts\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3250, - "Content": " - mountPath: /var/run/argocd", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mmountPath\u001b[0m: /var/run/argocd", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3251, - "Content": " name: var-files", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mname\u001b[0m: var-files", - "FirstCause": false, - "LastCause": true - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV021", - "AVDID": "AVD-KSV-0021", - "Title": "Runs with GID \u003c= 10000", - "Description": "Force the container to run with group ID \u003e 10000 to avoid conflicts with the host’s user table.", - "Message": "Container 'dex' of Deployment 'argocd-dex-server' should set 'securityContext.runAsGroup' \u003e 10000", - "Namespace": "builtin.kubernetes.KSV021", - "Query": "data.builtin.kubernetes.KSV021.deny", - "Resolution": "Set 'containers[].securityContext.runAsGroup' to an integer \u003e 10000.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv021", - "References": [ - "https://kubesec.io/basics/containers-securitycontext-runasuser/", - "https://avd.aquasec.com/misconfig/ksv021" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 2986, - "EndLine": 3004, - "Code": { - "Lines": [ - { - "Number": 2986, - "Content": " - command:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mcommand\u001b[0m:", - "FirstCause": 
true, - "LastCause": false - }, - { - "Number": 2987, - "Content": " - /shared/argocd-dex", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - /shared/argocd-dex", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 2988, - "Content": " - rundex", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - rundex", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 2989, - "Content": " image: ghcr.io/dexidp/dex:v2.30.2", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: ghcr.io/dexidp/dex:v2.30.2", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 2990, - "Content": " imagePullPolicy: Always", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: Always", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 2991, - "Content": " name: dex", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mname\u001b[0m: dex", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 2992, - "Content": " ports:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mports\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 2993, - "Content": " - containerPort: 5556", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m5556", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 2994, - "Content": " - containerPort: 5557", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m - \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m5557", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 2995, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - 
"LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV021", - "AVDID": "AVD-KSV-0021", - "Title": "Runs with GID \u003c= 10000", - "Description": "Force the container to run with group ID \u003e 10000 to avoid conflicts with the host’s user table.", - "Message": "Container 'redis' of Deployment 'argocd-redis' should set 'securityContext.runAsGroup' \u003e 10000", - "Namespace": "builtin.kubernetes.KSV021", - "Query": "data.builtin.kubernetes.KSV021.deny", - "Resolution": "Set 'containers[].securityContext.runAsGroup' to an integer \u003e 10000.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv021", - "References": [ - "https://kubesec.io/basics/containers-securitycontext-runasuser/", - "https://avd.aquasec.com/misconfig/ksv021" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 3059, - "EndLine": 3068, - "Code": { - "Lines": [ - { - "Number": 3059, - "Content": " - args:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33margs\u001b[0m:", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 3060, - "Content": " - --save", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - --save", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3061, - "Content": " - \"\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;37m\"\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3062, - "Content": " - --appendonly", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m - --appendonly", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3063, - "Content": " - \"no\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;37m\"no\"", - "FirstCause": false, - "LastCause": false - }, - { - 
"Number": 3064, - "Content": " image: redis:6.2.6-alpine", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mimage\u001b[0m: redis:6.2.6-alpine", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3065, - "Content": " imagePullPolicy: Always", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: Always", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3066, - "Content": " name: redis", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mname\u001b[0m: redis", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3067, - "Content": " ports:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mports\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3068, - "Content": " - containerPort: 6379", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m6379", - "FirstCause": false, - "LastCause": true - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV030", - "AVDID": "AVD-KSV-0030", - "Title": "Runtime/Default Seccomp profile not set", - "Description": "According to pod security standard 'Seccomp', the RuntimeDefault seccomp profile must be required, or allow specific additional profiles.", - "Message": "Either Pod or Container should set 'securityContext.seccompProfile.type' to 'RuntimeDefault'", - "Namespace": "builtin.kubernetes.KSV030", - "Query": "data.builtin.kubernetes.KSV030.deny", - "Resolution": "Set 'spec.securityContext.seccompProfile.type', 'spec.containers[*].securityContext.seccompProfile' and 'spec.initContainers[*].securityContext.seccompProfile' to 'RuntimeDefault' or undefined.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv030", - "References": [ 
- "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", - "https://avd.aquasec.com/misconfig/ksv030" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 2986, - "EndLine": 3004, - "Code": { - "Lines": [ - { - "Number": 2986, - "Content": " - command:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mcommand\u001b[0m:", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 2987, - "Content": " - /shared/argocd-dex", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - /shared/argocd-dex", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 2988, - "Content": " - rundex", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - rundex", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 2989, - "Content": " image: ghcr.io/dexidp/dex:v2.30.2", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: ghcr.io/dexidp/dex:v2.30.2", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 2990, - "Content": " imagePullPolicy: Always", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: Always", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 2991, - "Content": " name: dex", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mname\u001b[0m: dex", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 2992, - "Content": " ports:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mports\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 2993, - "Content": " - containerPort: 5556", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - 
\u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m5556", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 2994, - "Content": " - containerPort: 5557", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m - \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m5557", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 2995, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV030", - "AVDID": "AVD-KSV-0030", - "Title": "Runtime/Default Seccomp profile not set", - "Description": "According to pod security standard 'Seccomp', the RuntimeDefault seccomp profile must be required, or allow specific additional profiles.", - "Message": "Either Pod or Container should set 'securityContext.seccompProfile.type' to 'RuntimeDefault'", - "Namespace": "builtin.kubernetes.KSV030", - "Query": "data.builtin.kubernetes.KSV030.deny", - "Resolution": "Set 'spec.securityContext.seccompProfile.type', 'spec.containers[*].securityContext.seccompProfile' and 'spec.initContainers[*].securityContext.seccompProfile' to 'RuntimeDefault' or undefined.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv030", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", - "https://avd.aquasec.com/misconfig/ksv030" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 3006, - "EndLine": 3018, - "Code": { - "Lines": [ - { - "Number": 3006, - "Content": " - command:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mcommand\u001b[0m:", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 3007, - "Content": " - cp", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - 
cp", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3008, - "Content": " - -n", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - -\u001b[38;5;166mn", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3009, - "Content": " - /usr/local/bin/argocd", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m - /usr/local/bin/argocd", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3010, - "Content": " - /shared/argocd-dex", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - /shared/argocd-dex", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3011, - "Content": " image: quay.io/argoproj/argocd:v2.4.0", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/argoproj/argocd:v2.4.0", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3012, - "Content": " imagePullPolicy: Always", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: Always", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3013, - "Content": " name: copyutil", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mname\u001b[0m: copyutil", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3014, - "Content": " volumeMounts:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvolumeMounts\u001b[0m:", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 3015, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV030", - "AVDID": "AVD-KSV-0030", - "Title": "Runtime/Default Seccomp profile not set", - "Description": "According to pod security 
standard 'Seccomp', the RuntimeDefault seccomp profile must be required, or allow specific additional profiles.", - "Message": "Either Pod or Container should set 'securityContext.seccompProfile.type' to 'RuntimeDefault'", - "Namespace": "builtin.kubernetes.KSV030", - "Query": "data.builtin.kubernetes.KSV030.deny", - "Resolution": "Set 'spec.securityContext.seccompProfile.type', 'spec.containers[*].securityContext.seccompProfile' and 'spec.initContainers[*].securityContext.seccompProfile' to 'RuntimeDefault' or undefined.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv030", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", - "https://avd.aquasec.com/misconfig/ksv030" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 3059, - "EndLine": 3068, - "Code": { - "Lines": [ - { - "Number": 3059, - "Content": " - args:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33margs\u001b[0m:", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 3060, - "Content": " - --save", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - --save", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3061, - "Content": " - \"\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;37m\"\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3062, - "Content": " - --appendonly", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m - --appendonly", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3063, - "Content": " - \"no\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;37m\"no\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3064, - "Content": " image: 
redis:6.2.6-alpine", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mimage\u001b[0m: redis:6.2.6-alpine", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3065, - "Content": " imagePullPolicy: Always", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: Always", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3066, - "Content": " name: redis", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mname\u001b[0m: redis", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3067, - "Content": " ports:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mports\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3068, - "Content": " - containerPort: 6379", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m6379", - "FirstCause": false, - "LastCause": true - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV030", - "AVDID": "AVD-KSV-0030", - "Title": "Runtime/Default Seccomp profile not set", - "Description": "According to pod security standard 'Seccomp', the RuntimeDefault seccomp profile must be required, or allow specific additional profiles.", - "Message": "Either Pod or Container should set 'securityContext.seccompProfile.type' to 'RuntimeDefault'", - "Namespace": "builtin.kubernetes.KSV030", - "Query": "data.builtin.kubernetes.KSV030.deny", - "Resolution": "Set 'spec.securityContext.seccompProfile.type', 'spec.containers[*].securityContext.seccompProfile' and 'spec.initContainers[*].securityContext.seccompProfile' to 'RuntimeDefault' or undefined.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv030", - "References": [ - 
"https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", - "https://avd.aquasec.com/misconfig/ksv030" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 3108, - "EndLine": 3240, - "Code": { - "Lines": [ - { - "Number": 3108, - "Content": " - command:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mcommand\u001b[0m:", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 3109, - "Content": " - entrypoint.sh", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - entrypoint.sh", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3110, - "Content": " - argocd-repo-server", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - argocd-repo-server", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3111, - "Content": " - --redis", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - --redis", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3112, - "Content": " - argocd-redis:6379", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - argocd-redis:6379", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3113, - "Content": " - --repo-cache-expiration", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - --repo-cache-expiration", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3114, - "Content": " - 24h", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - 24h", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3115, - "Content": " - --parallelismlimit", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - --parallelismlimit", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3116, - "Content": " - \"50\"", 
- "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;37m\"50\"", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 3117, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV030", - "AVDID": "AVD-KSV-0030", - "Title": "Runtime/Default Seccomp profile not set", - "Description": "According to pod security standard 'Seccomp', the RuntimeDefault seccomp profile must be required, or allow specific additional profiles.", - "Message": "Either Pod or Container should set 'securityContext.seccompProfile.type' to 'RuntimeDefault'", - "Namespace": "builtin.kubernetes.KSV030", - "Query": "data.builtin.kubernetes.KSV030.deny", - "Resolution": "Set 'spec.securityContext.seccompProfile.type', 'spec.containers[*].securityContext.seccompProfile' and 'spec.initContainers[*].securityContext.seccompProfile' to 'RuntimeDefault' or undefined.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv030", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", - "https://avd.aquasec.com/misconfig/ksv030" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 3242, - "EndLine": 3251, - "Code": { - "Lines": [ - { - "Number": 3242, - "Content": " - command:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mcommand\u001b[0m:", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 3243, - "Content": " - cp", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - cp", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3244, - "Content": " - -n", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - -\u001b[38;5;166mn", - "FirstCause": 
false, - "LastCause": false - }, - { - "Number": 3245, - "Content": " - /usr/local/bin/argocd", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m - /usr/local/bin/argocd", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3246, - "Content": " - /var/run/argocd/argocd-cmp-server", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - /var/run/argocd/argocd-cmp-server", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3247, - "Content": " image: quay.io/argoproj/argocd:v2.4.0", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/argoproj/argocd:v2.4.0", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3248, - "Content": " name: copyutil", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mname\u001b[0m: copyutil", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3249, - "Content": " volumeMounts:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvolumeMounts\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3250, - "Content": " - mountPath: /var/run/argocd", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mmountPath\u001b[0m: /var/run/argocd", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3251, - "Content": " name: var-files", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mname\u001b[0m: var-files", - "FirstCause": false, - "LastCause": true - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV030", - "AVDID": "AVD-KSV-0030", - "Title": "Runtime/Default Seccomp profile not set", - "Description": "According to pod security standard 'Seccomp', the RuntimeDefault seccomp profile must be required, or allow specific additional 
profiles.", - "Message": "Either Pod or Container should set 'securityContext.seccompProfile.type' to 'RuntimeDefault'", - "Namespace": "builtin.kubernetes.KSV030", - "Query": "data.builtin.kubernetes.KSV030.deny", - "Resolution": "Set 'spec.securityContext.seccompProfile.type', 'spec.containers[*].securityContext.seccompProfile' and 'spec.initContainers[*].securityContext.seccompProfile' to 'RuntimeDefault' or undefined.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv030", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", - "https://avd.aquasec.com/misconfig/ksv030" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 3317, - "EndLine": 3505, - "Code": { - "Lines": [ - { - "Number": 3317, - "Content": " - command:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mcommand\u001b[0m:", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 3318, - "Content": " - argocd-server", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - argocd-server", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3319, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3320, - "Content": " - name: ARGOCD_SERVER_INSECURE", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: ARGOCD_SERVER_INSECURE", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3321, - "Content": " valueFrom:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalueFrom\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3322, - "Content": " configMapKeyRef:", - "IsCause": 
true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mconfigMapKeyRef\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3323, - "Content": " key: server.insecure", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mkey\u001b[0m: server.insecure", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3324, - "Content": " name: argocd-cmd-params-cm", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mname\u001b[0m: argocd-cmd-params-cm", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3325, - "Content": " optional: true", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33moptional\u001b[0m: \u001b[38;5;166mtrue", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 3326, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV030", - "AVDID": "AVD-KSV-0030", - "Title": "Runtime/Default Seccomp profile not set", - "Description": "According to pod security standard 'Seccomp', the RuntimeDefault seccomp profile must be required, or allow specific additional profiles.", - "Message": "Either Pod or Container should set 'securityContext.seccompProfile.type' to 'RuntimeDefault'", - "Namespace": "builtin.kubernetes.KSV030", - "Query": "data.builtin.kubernetes.KSV030.deny", - "Resolution": "Set 'spec.securityContext.seccompProfile.type', 'spec.containers[*].securityContext.seccompProfile' and 'spec.initContainers[*].securityContext.seccompProfile' to 'RuntimeDefault' or undefined.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv030", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", - "https://avd.aquasec.com/misconfig/ksv030" - ], - 
"Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 3567, - "EndLine": 3699, - "Code": { - "Lines": [ - { - "Number": 3567, - "Content": " - command:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mcommand\u001b[0m:", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 3568, - "Content": " - argocd-application-controller", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - argocd-application-controller", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3569, - "Content": " - --operation-processors", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - --operation-processors", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3570, - "Content": " - \"25\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;37m\"25\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3571, - "Content": " - --status-processors", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m - --status-processors", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3572, - "Content": " - \"50\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;37m\"50\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3573, - "Content": " - --kubectl-parallelism-limit", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m - --kubectl-parallelism-limit", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3574, - "Content": " - \"35\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;37m\"35\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3575, - "Content": " - --repo-server-timeout-seconds", - "IsCause": 
true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m - --repo-server-timeout-seconds", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 3576, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV044", - "AVDID": "AVD-KSV-0044", - "Title": "No wildcard verb and resource roles", - "Description": "Check whether role permits wildcard verb on wildcard resource", - "Message": "Role permits wildcard verb on wildcard resource", - "Namespace": "builtin.kubernetes.KSV044", - "Query": "data.builtin.kubernetes.KSV044.deny", - "Resolution": "Create a role which does not permit wildcard verb on wildcard resource", - "Severity": "CRITICAL", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv044", - "References": [ - "https://kubernetes.io/docs/concepts/security/rbac-good-practices/", - "https://avd.aquasec.com/misconfig/ksv044" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 2633, - "EndLine": 2638, - "Code": { - "Lines": [ - { - "Number": 2633, - "Content": "- apiGroups:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "- \u001b[38;5;33mapiGroups\u001b[0m:", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 2634, - "Content": " - '*'", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;37m'*'", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 2635, - "Content": " resources:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mresources\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 2636, - "Content": " - '*'", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;37m'*'", - "FirstCause": false, 
- "LastCause": false - }, - { - "Number": 2637, - "Content": " verbs:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mverbs\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 2638, - "Content": " - '*'", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;37m'*'", - "FirstCause": false, - "LastCause": true - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV046", - "AVDID": "AVD-KSV-0046", - "Title": "Manage all resources", - "Description": "Full control of the cluster resources, and therefore also root on all nodes where workloads can run and has access to all pods, secrets, and data.", - "Message": "ClusterRole 'argocd-application-controller' shouldn't manage all resources", - "Namespace": "builtin.kubernetes.KSV046", - "Query": "data.builtin.kubernetes.KSV046.deny", - "Resolution": "Remove '*' from 'rules.resources'. Provide specific list of resources to be managed by cluster role", - "Severity": "CRITICAL", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv046", - "References": [ - "https://kubernetes.io/docs/concepts/security/rbac-good-practices/", - "https://avd.aquasec.com/misconfig/ksv046" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 2633, - "EndLine": 2638, - "Code": { - "Lines": [ - { - "Number": 2633, - "Content": "- apiGroups:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "- \u001b[38;5;33mapiGroups\u001b[0m:", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 2634, - "Content": " - '*'", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;37m'*'", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 2635, - "Content": " resources:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m 
\u001b[38;5;33mresources\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 2636, - "Content": " - '*'", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;37m'*'", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 2637, - "Content": " verbs:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mverbs\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 2638, - "Content": " - '*'", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;37m'*'", - "FirstCause": false, - "LastCause": true - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV046", - "AVDID": "AVD-KSV-0046", - "Title": "Manage all resources", - "Description": "Full control of the cluster resources, and therefore also root on all nodes where workloads can run and has access to all pods, secrets, and data.", - "Message": "ClusterRole 'argocd-server' shouldn't manage all resources", - "Namespace": "builtin.kubernetes.KSV046", - "Query": "data.builtin.kubernetes.KSV046.deny", - "Resolution": "Remove '*' from 'rules.resources'. 
Provide specific list of resources to be managed by cluster role", - "Severity": "CRITICAL", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv046", - "References": [ - "https://kubernetes.io/docs/concepts/security/rbac-good-practices/", - "https://avd.aquasec.com/misconfig/ksv046" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 2653, - "EndLine": 2660, - "Code": { - "Lines": [ - { - "Number": 2653, - "Content": "- apiGroups:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "- \u001b[38;5;33mapiGroups\u001b[0m:", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 2654, - "Content": " - '*'", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;37m'*'", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 2655, - "Content": " resources:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mresources\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 2656, - "Content": " - '*'", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;37m'*'", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 2657, - "Content": " verbs:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mverbs\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 2658, - "Content": " - delete", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - delete", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 2659, - "Content": " - get", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - get", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 2660, - "Content": " - patch", - "IsCause": true, - "Annotation": "", - "Truncated": false, - 
"Highlighted": " - patch", - "FirstCause": false, - "LastCause": true - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV049", - "AVDID": "AVD-KSV-0049", - "Title": "Manage configmaps", - "Description": "Some workloads leverage configmaps to store sensitive data or configuration parameters that affect runtime behavior that can be modified by an attacker or combined with another issue to potentially lead to compromise.", - "Message": "Role 'argocd-dex-server' should not have access to resource 'configmaps' for verbs [\"create\", \"update\", \"patch\", \"delete\", \"deletecollection\", \"impersonate\", \"*\"]", - "Namespace": "builtin.kubernetes.KSV049", - "Query": "data.builtin.kubernetes.KSV049.deny", - "Resolution": "Remove write permission verbs for resource 'configmaps'", - "Severity": "MEDIUM", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv049", - "References": [ - "https://kubernetes.io/docs/concepts/security/rbac-good-practices/", - "https://avd.aquasec.com/misconfig/ksv049" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 2550, - "EndLine": 2561, - "Code": { - "Lines": [ - { - "Number": 2550, - "Content": "- apiGroups:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "- \u001b[38;5;33mapiGroups\u001b[0m:", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 2551, - "Content": " - \"\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;37m\"\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 2552, - "Content": " resources:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mresources\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 2553, - "Content": " - secrets", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - secrets", - 
"FirstCause": false, - "LastCause": false - }, - { - "Number": 2554, - "Content": " - configmaps", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - configmaps", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 2555, - "Content": " verbs:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mverbs\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 2556, - "Content": " - get", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - get", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 2557, - "Content": " - list", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - list", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 2558, - "Content": " - watch", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - watch", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 2559, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV049", - "AVDID": "AVD-KSV-0049", - "Title": "Manage configmaps", - "Description": "Some workloads leverage configmaps to store sensitive data or configuration parameters that affect runtime behavior that can be modified by an attacker or combined with another issue to potentially lead to compromise.", - "Message": "Role 'argocd-server' should not have access to resource 'configmaps' for verbs [\"create\", \"update\", \"patch\", \"delete\", \"deletecollection\", \"impersonate\", \"*\"]", - "Namespace": "builtin.kubernetes.KSV049", - "Query": "data.builtin.kubernetes.KSV049.deny", - "Resolution": "Remove write permission verbs for resource 'configmaps'", - "Severity": "MEDIUM", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv049", - "References": [ - 
"https://kubernetes.io/docs/concepts/security/rbac-good-practices/", - "https://avd.aquasec.com/misconfig/ksv049" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 2590, - "EndLine": 2602, - "Code": { - "Lines": [ - { - "Number": 2590, - "Content": "- apiGroups:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "- \u001b[38;5;33mapiGroups\u001b[0m:", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 2591, - "Content": " - \"\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;37m\"\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 2592, - "Content": " resources:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mresources\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 2593, - "Content": " - secrets", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - secrets", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 2594, - "Content": " - configmaps", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - configmaps", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 2595, - "Content": " verbs:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mverbs\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 2596, - "Content": " - create", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - create", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 2597, - "Content": " - get", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - get", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 2598, - "Content": " - list", - "IsCause": true, - "Annotation": "", - "Truncated": 
false, - "Highlighted": " - list", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 2599, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "AVD-KSV-01010", - "AVDID": "AVD-KSV-01010", - "Title": "ConfigMap with sensitive content", - "Description": "Storing sensitive content such as usernames and email addresses in configMaps is unsafe", - "Message": "ConfigMap 'argocd-ssh-known-hosts-cm' in 'default' namespace stores sensitive contents in key(s) or value(s) '{\"github.com ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ\"}'", - "Namespace": "builtin.kubernetes.KSV01010", - "Query": "data.builtin.kubernetes.KSV01010.deny", - "Resolution": "Remove sensitive content from configMap data value", - "Severity": "MEDIUM", - "PrimaryURL": "https://avd.aquasec.com/misconfig/avd-ksv-01010", - "References": [ - "https://avd.aquasec.com/misconfig/avd-ksv-01010" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 2804, - "EndLine": 2804, - "Code": { - "Lines": [ - { - "Number": 2804, - "Content": "---", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "---", - "FirstCause": true, - "LastCause": true - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV104", - "AVDID": "AVD-KSV-0104", - "Title": "Seccomp policies disabled", - "Description": "A program inside the container can bypass Seccomp protection policies.", - "Message": "container \"argocd-application-controller\" of 
statefulset \"argocd-application-controller\" in \"default\" namespace should specify a seccomp profile", - "Namespace": "builtin.kubernetes.KSV104", - "Query": "data.builtin.kubernetes.KSV104.deny", - "Resolution": "Specify seccomp either by annotation or by seccomp profile type having allowed values as per pod security standards", - "Severity": "MEDIUM", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv104", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline", - "https://avd.aquasec.com/misconfig/ksv104" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 3531, - "EndLine": 3531, - "Code": { - "Lines": [ - { - "Number": 3531, - "Content": "---", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "---", - "FirstCause": true, - "LastCause": true - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV104", - "AVDID": "AVD-KSV-0104", - "Title": "Seccomp policies disabled", - "Description": "A program inside the container can bypass Seccomp protection policies.", - "Message": "container \"argocd-repo-server\" of deployment \"argocd-repo-server\" in \"default\" namespace should specify a seccomp profile", - "Namespace": "builtin.kubernetes.KSV104", - "Query": "data.builtin.kubernetes.KSV104.deny", - "Resolution": "Specify seccomp either by annotation or by seccomp profile type having allowed values as per pod security standards", - "Severity": "MEDIUM", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv104", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline", - "https://avd.aquasec.com/misconfig/ksv104" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 3073, - "EndLine": 3073, - "Code": { - "Lines": [ - { - "Number": 3073, - "Content": "---", - "IsCause": true, - 
"Annotation": "", - "Truncated": false, - "Highlighted": "---", - "FirstCause": true, - "LastCause": true - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV104", - "AVDID": "AVD-KSV-0104", - "Title": "Seccomp policies disabled", - "Description": "A program inside the container can bypass Seccomp protection policies.", - "Message": "container \"argocd-server\" of deployment \"argocd-server\" in \"default\" namespace should specify a seccomp profile", - "Namespace": "builtin.kubernetes.KSV104", - "Query": "data.builtin.kubernetes.KSV104.deny", - "Resolution": "Specify seccomp either by annotation or by seccomp profile type having allowed values as per pod security standards", - "Severity": "MEDIUM", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv104", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline", - "https://avd.aquasec.com/misconfig/ksv104" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 3283, - "EndLine": 3283, - "Code": { - "Lines": [ - { - "Number": 3283, - "Content": "---", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "---", - "FirstCause": true, - "LastCause": true - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV104", - "AVDID": "AVD-KSV-0104", - "Title": "Seccomp policies disabled", - "Description": "A program inside the container can bypass Seccomp protection policies.", - "Message": "container \"copyutil\" of deployment \"argocd-dex-server\" in \"default\" namespace should specify a seccomp profile", - "Namespace": "builtin.kubernetes.KSV104", - "Query": "data.builtin.kubernetes.KSV104.deny", - "Resolution": "Specify seccomp either by annotation or by seccomp profile type having allowed values as per pod security standards", - "Severity": "MEDIUM", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv104", - "References": [ - 
"https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline", - "https://avd.aquasec.com/misconfig/ksv104" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 2958, - "EndLine": 2958, - "Code": { - "Lines": [ - { - "Number": 2958, - "Content": "---", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "---", - "FirstCause": true, - "LastCause": true - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV104", - "AVDID": "AVD-KSV-0104", - "Title": "Seccomp policies disabled", - "Description": "A program inside the container can bypass Seccomp protection policies.", - "Message": "container \"copyutil\" of deployment \"argocd-repo-server\" in \"default\" namespace should specify a seccomp profile", - "Namespace": "builtin.kubernetes.KSV104", - "Query": "data.builtin.kubernetes.KSV104.deny", - "Resolution": "Specify seccomp either by annotation or by seccomp profile type having allowed values as per pod security standards", - "Severity": "MEDIUM", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv104", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline", - "https://avd.aquasec.com/misconfig/ksv104" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 3073, - "EndLine": 3073, - "Code": { - "Lines": [ - { - "Number": 3073, - "Content": "---", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "---", - "FirstCause": true, - "LastCause": true - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV104", - "AVDID": "AVD-KSV-0104", - "Title": "Seccomp policies disabled", - "Description": "A program inside the container can bypass Seccomp protection policies.", - "Message": "container \"dex\" of deployment \"argocd-dex-server\" in \"default\" namespace should 
specify a seccomp profile", - "Namespace": "builtin.kubernetes.KSV104", - "Query": "data.builtin.kubernetes.KSV104.deny", - "Resolution": "Specify seccomp either by annotation or by seccomp profile type having allowed values as per pod security standards", - "Severity": "MEDIUM", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv104", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline", - "https://avd.aquasec.com/misconfig/ksv104" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 2958, - "EndLine": 2958, - "Code": { - "Lines": [ - { - "Number": 2958, - "Content": "---", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "---", - "FirstCause": true, - "LastCause": true - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV104", - "AVDID": "AVD-KSV-0104", - "Title": "Seccomp policies disabled", - "Description": "A program inside the container can bypass Seccomp protection policies.", - "Message": "container \"redis\" of deployment \"argocd-redis\" in \"default\" namespace should specify a seccomp profile", - "Namespace": "builtin.kubernetes.KSV104", - "Query": "data.builtin.kubernetes.KSV104.deny", - "Resolution": "Specify seccomp either by annotation or by seccomp profile type having allowed values as per pod security standards", - "Severity": "MEDIUM", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv104", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline", - "https://avd.aquasec.com/misconfig/ksv104" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 3025, - "EndLine": 3025, - "Code": { - "Lines": [ - { - "Number": 3025, - "Content": "---", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "---", - "FirstCause": true, - "LastCause": 
true - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV106", - "AVDID": "AVD-KSV-0106", - "Title": "Container capabilities must only include NET_BIND_SERVICE", - "Description": "Containers must drop ALL capabilities, and are only permitted to add back the NET_BIND_SERVICE capability.", - "Message": "container should drop all", - "Namespace": "builtin.kubernetes.KSV106", - "Query": "data.builtin.kubernetes.KSV106.deny", - "Resolution": "Set 'spec.containers[*].securityContext.capabilities.drop' to 'ALL' and only add 'NET_BIND_SERVICE' to 'spec.containers[*].securityContext.capabilities.add'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv106", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", - "https://avd.aquasec.com/misconfig/ksv106" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 2986, - "EndLine": 3004, - "Code": { - "Lines": [ - { - "Number": 2986, - "Content": " - command:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mcommand\u001b[0m:", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 2987, - "Content": " - /shared/argocd-dex", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - /shared/argocd-dex", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 2988, - "Content": " - rundex", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - rundex", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 2989, - "Content": " image: ghcr.io/dexidp/dex:v2.30.2", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: ghcr.io/dexidp/dex:v2.30.2", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 2990, - "Content": " imagePullPolicy: Always", - "IsCause": true, - 
"Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: Always", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 2991, - "Content": " name: dex", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mname\u001b[0m: dex", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 2992, - "Content": " ports:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mports\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 2993, - "Content": " - containerPort: 5556", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m5556", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 2994, - "Content": " - containerPort: 5557", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m - \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m5557", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 2995, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV106", - "AVDID": "AVD-KSV-0106", - "Title": "Container capabilities must only include NET_BIND_SERVICE", - "Description": "Containers must drop ALL capabilities, and are only permitted to add back the NET_BIND_SERVICE capability.", - "Message": "container should drop all", - "Namespace": "builtin.kubernetes.KSV106", - "Query": "data.builtin.kubernetes.KSV106.deny", - "Resolution": "Set 'spec.containers[*].securityContext.capabilities.drop' to 'ALL' and only add 'NET_BIND_SERVICE' to 'spec.containers[*].securityContext.capabilities.add'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv106", - "References": [ - 
"https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", - "https://avd.aquasec.com/misconfig/ksv106" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 3006, - "EndLine": 3018, - "Code": { - "Lines": [ - { - "Number": 3006, - "Content": " - command:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mcommand\u001b[0m:", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 3007, - "Content": " - cp", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - cp", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3008, - "Content": " - -n", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - -\u001b[38;5;166mn", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3009, - "Content": " - /usr/local/bin/argocd", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m - /usr/local/bin/argocd", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3010, - "Content": " - /shared/argocd-dex", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - /shared/argocd-dex", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3011, - "Content": " image: quay.io/argoproj/argocd:v2.4.0", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/argoproj/argocd:v2.4.0", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3012, - "Content": " imagePullPolicy: Always", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: Always", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3013, - "Content": " name: copyutil", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " 
\u001b[38;5;33mname\u001b[0m: copyutil", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3014, - "Content": " volumeMounts:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvolumeMounts\u001b[0m:", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 3015, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV106", - "AVDID": "AVD-KSV-0106", - "Title": "Container capabilities must only include NET_BIND_SERVICE", - "Description": "Containers must drop ALL capabilities, and are only permitted to add back the NET_BIND_SERVICE capability.", - "Message": "container should drop all", - "Namespace": "builtin.kubernetes.KSV106", - "Query": "data.builtin.kubernetes.KSV106.deny", - "Resolution": "Set 'spec.containers[*].securityContext.capabilities.drop' to 'ALL' and only add 'NET_BIND_SERVICE' to 'spec.containers[*].securityContext.capabilities.add'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv106", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", - "https://avd.aquasec.com/misconfig/ksv106" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 3059, - "EndLine": 3068, - "Code": { - "Lines": [ - { - "Number": 3059, - "Content": " - args:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33margs\u001b[0m:", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 3060, - "Content": " - --save", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - --save", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3061, - "Content": " - \"\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - 
"Highlighted": " - \u001b[38;5;37m\"\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3062, - "Content": " - --appendonly", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m - --appendonly", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3063, - "Content": " - \"no\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;37m\"no\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3064, - "Content": " image: redis:6.2.6-alpine", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mimage\u001b[0m: redis:6.2.6-alpine", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3065, - "Content": " imagePullPolicy: Always", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: Always", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3066, - "Content": " name: redis", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mname\u001b[0m: redis", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3067, - "Content": " ports:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mports\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3068, - "Content": " - containerPort: 6379", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m6379", - "FirstCause": false, - "LastCause": true - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV106", - "AVDID": "AVD-KSV-0106", - "Title": "Container capabilities must only include NET_BIND_SERVICE", - "Description": "Containers must drop ALL capabilities, and are only permitted to add back the NET_BIND_SERVICE capability.", - "Message": 
"container should drop all", - "Namespace": "builtin.kubernetes.KSV106", - "Query": "data.builtin.kubernetes.KSV106.deny", - "Resolution": "Set 'spec.containers[*].securityContext.capabilities.drop' to 'ALL' and only add 'NET_BIND_SERVICE' to 'spec.containers[*].securityContext.capabilities.add'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv106", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", - "https://avd.aquasec.com/misconfig/ksv106" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 3242, - "EndLine": 3251, - "Code": { - "Lines": [ - { - "Number": 3242, - "Content": " - command:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mcommand\u001b[0m:", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 3243, - "Content": " - cp", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - cp", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3244, - "Content": " - -n", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - -\u001b[38;5;166mn", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3245, - "Content": " - /usr/local/bin/argocd", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m - /usr/local/bin/argocd", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3246, - "Content": " - /var/run/argocd/argocd-cmp-server", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - /var/run/argocd/argocd-cmp-server", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3247, - "Content": " image: quay.io/argoproj/argocd:v2.4.0", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/argoproj/argocd:v2.4.0", - 
"FirstCause": false, - "LastCause": false - }, - { - "Number": 3248, - "Content": " name: copyutil", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mname\u001b[0m: copyutil", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3249, - "Content": " volumeMounts:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvolumeMounts\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3250, - "Content": " - mountPath: /var/run/argocd", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mmountPath\u001b[0m: /var/run/argocd", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 3251, - "Content": " name: var-files", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mname\u001b[0m: var-files", - "FirstCause": false, - "LastCause": true - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV113", - "AVDID": "AVD-KSV-0113", - "Title": "Manage namespace secrets", - "Description": "Viewing secrets at the namespace scope can lead to escalation if another service account in that namespace has a higher privileged rolebinding or clusterrolebinding bound.", - "Message": "Role 'argocd-application-controller' shouldn't have access to manage secrets in namespace 'default'", - "Namespace": "builtin.kubernetes.KSV113", - "Query": "data.builtin.kubernetes.KSV113.deny", - "Resolution": "Manage namespace secrets are not allowed. 
Remove resource 'secrets' from role", - "Severity": "MEDIUM", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv113", - "References": [ - "https://kubernetes.io/docs/concepts/security/rbac-good-practices/", - "https://avd.aquasec.com/misconfig/ksv113" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 2511, - "EndLine": 2519, - "Code": { - "Lines": [ - { - "Number": 2511, - "Content": "- apiGroups:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "- \u001b[38;5;33mapiGroups\u001b[0m:", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 2512, - "Content": " - \"\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;37m\"\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 2513, - "Content": " resources:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mresources\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 2514, - "Content": " - secrets", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - secrets", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 2515, - "Content": " - configmaps", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - configmaps", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 2516, - "Content": " verbs:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mverbs\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 2517, - "Content": " - get", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - get", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 2518, - "Content": " - list", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - list", - 
"FirstCause": false, - "LastCause": false - }, - { - "Number": 2519, - "Content": " - watch", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - watch", - "FirstCause": false, - "LastCause": true - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV113", - "AVDID": "AVD-KSV-0113", - "Title": "Manage namespace secrets", - "Description": "Viewing secrets at the namespace scope can lead to escalation if another service account in that namespace has a higher privileged rolebinding or clusterrolebinding bound.", - "Message": "Role 'argocd-dex-server' shouldn't have access to manage secrets in namespace 'default'", - "Namespace": "builtin.kubernetes.KSV113", - "Query": "data.builtin.kubernetes.KSV113.deny", - "Resolution": "Manage namespace secrets are not allowed. Remove resource 'secrets' from role", - "Severity": "MEDIUM", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv113", - "References": [ - "https://kubernetes.io/docs/concepts/security/rbac-good-practices/", - "https://avd.aquasec.com/misconfig/ksv113" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 2550, - "EndLine": 2561, - "Code": { - "Lines": [ - { - "Number": 2550, - "Content": "- apiGroups:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "- \u001b[38;5;33mapiGroups\u001b[0m:", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 2551, - "Content": " - \"\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;37m\"\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 2552, - "Content": " resources:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mresources\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 2553, - "Content": " - secrets", - "IsCause": true, - "Annotation": "", - 
"Truncated": false, - "Highlighted": " - secrets", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 2554, - "Content": " - configmaps", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - configmaps", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 2555, - "Content": " verbs:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mverbs\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 2556, - "Content": " - get", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - get", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 2557, - "Content": " - list", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - list", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 2558, - "Content": " - watch", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - watch", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 2559, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV113", - "AVDID": "AVD-KSV-0113", - "Title": "Manage namespace secrets", - "Description": "Viewing secrets at the namespace scope can lead to escalation if another service account in that namespace has a higher privileged rolebinding or clusterrolebinding bound.", - "Message": "Role 'argocd-server' shouldn't have access to manage secrets in namespace 'default'", - "Namespace": "builtin.kubernetes.KSV113", - "Query": "data.builtin.kubernetes.KSV113.deny", - "Resolution": "Manage namespace secrets are not allowed. 
Remove resource 'secrets' from role", - "Severity": "MEDIUM", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv113", - "References": [ - "https://kubernetes.io/docs/concepts/security/rbac-good-practices/", - "https://avd.aquasec.com/misconfig/ksv113" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 2590, - "EndLine": 2602, - "Code": { - "Lines": [ - { - "Number": 2590, - "Content": "- apiGroups:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "- \u001b[38;5;33mapiGroups\u001b[0m:", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 2591, - "Content": " - \"\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;37m\"\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 2592, - "Content": " resources:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mresources\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 2593, - "Content": " - secrets", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - secrets", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 2594, - "Content": " - configmaps", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - configmaps", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 2595, - "Content": " verbs:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mverbs\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 2596, - "Content": " - create", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - create", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 2597, - "Content": " - get", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - get", - 
"FirstCause": false, - "LastCause": false - }, - { - "Number": 2598, - "Content": " - list", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - list", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 2599, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - } - ] - }, - { - "Target": "manifests/yamls/clair.yaml", - "Class": "config", - "Type": "kubernetes", - "MisconfSummary": { - "Successes": 153, - "Failures": 26, - "Exceptions": 0 - }, - "Misconfigurations": [ - { - "Type": "Kubernetes Security Check", - "ID": "KSV001", - "AVDID": "AVD-KSV-0001", - "Title": "Can elevate its own privileges", - "Description": "A program inside the container can elevate its own privileges and run as root, which might give the program control over the container and node.", - "Message": "Container 'clair' of Deployment 'clair' should set 'securityContext.allowPrivilegeEscalation' to false", - "Namespace": "builtin.kubernetes.KSV001", - "Query": "data.builtin.kubernetes.KSV001.deny", - "Resolution": "Set 'set containers[].securityContext.allowPrivilegeEscalation' to 'false'.", - "Severity": "MEDIUM", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv001", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", - "https://avd.aquasec.com/misconfig/ksv001" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 68, - "EndLine": 94, - "Code": { - "Lines": [ - { - "Number": 68, - "Content": " - env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33menv\u001b[0m:", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 69, - "Content": " - name: CLAIR_CONF", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: CLAIR_CONF", 
- "FirstCause": false, - "LastCause": false - }, - { - "Number": 70, - "Content": " value: /etc/clair/config.yaml", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: /etc/clair/config.yaml", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 71, - "Content": " - name: CLAIR_MODE", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: CLAIR_MODE", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 72, - "Content": " value: combo", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: combo", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 73, - "Content": " name: clair", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mname\u001b[0m: clair", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 74, - "Content": " image: \"quay.io/coreos/clair:v4.3.6\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/coreos/clair:v4.3.6\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 75, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 76, - "Content": " ports:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mports\u001b[0m:", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 77, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV001", - "AVDID": "AVD-KSV-0001", - "Title": "Can elevate its own 
privileges", - "Description": "A program inside the container can elevate its own privileges and run as root, which might give the program control over the container and node.", - "Message": "Container 'pg-ready-wait' of Deployment 'clair' should set 'securityContext.allowPrivilegeEscalation' to false", - "Namespace": "builtin.kubernetes.KSV001", - "Query": "data.builtin.kubernetes.KSV001.deny", - "Resolution": "Set 'set containers[].securityContext.allowPrivilegeEscalation' to 'false'.", - "Severity": "MEDIUM", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv001", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", - "https://avd.aquasec.com/misconfig/ksv001" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 62, - "EndLine": 65, - "Code": { - "Lines": [ - { - "Number": 62, - "Content": " - name: pg-ready-wait", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: pg-ready-wait", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 63, - "Content": " image: \"quay.io/devtron/postgres:11.3\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/postgres:11.3\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 64, - "Content": " command: [ \"sh\", \"-c\",", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mcommand\u001b[0m: [ \u001b[38;5;37m\"sh\"\u001b[0m, \u001b[38;5;37m\"-c\"\u001b[0m,", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 65, - "Content": " \"until pg_isready -h postgresql-postgresql.devtroncd -p 5432;", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;37m\"until pg_isready -h postgresql-postgresql.devtroncd -p 5432;", - 
"FirstCause": false, - "LastCause": true - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV003", - "AVDID": "AVD-KSV-0003", - "Title": "Default capabilities: some containers do not drop all", - "Description": "The container should drop all default capabilities and add only those that are needed for its execution.", - "Message": "Container 'clair' of Deployment 'clair' should add 'ALL' to 'securityContext.capabilities.drop'", - "Namespace": "builtin.kubernetes.KSV003", - "Query": "data.builtin.kubernetes.KSV003.deny", - "Resolution": "Add 'ALL' to containers[].securityContext.capabilities.drop.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv003", - "References": [ - "https://kubesec.io/basics/containers-securitycontext-capabilities-drop-index-all/", - "https://avd.aquasec.com/misconfig/ksv003" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 68, - "EndLine": 94, - "Code": { - "Lines": [ - { - "Number": 68, - "Content": " - env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33menv\u001b[0m:", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 69, - "Content": " - name: CLAIR_CONF", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: CLAIR_CONF", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 70, - "Content": " value: /etc/clair/config.yaml", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: /etc/clair/config.yaml", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 71, - "Content": " - name: CLAIR_MODE", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: CLAIR_MODE", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 72, - "Content": " value: 
combo", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: combo", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 73, - "Content": " name: clair", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mname\u001b[0m: clair", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 74, - "Content": " image: \"quay.io/coreos/clair:v4.3.6\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/coreos/clair:v4.3.6\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 75, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 76, - "Content": " ports:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mports\u001b[0m:", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 77, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV003", - "AVDID": "AVD-KSV-0003", - "Title": "Default capabilities: some containers do not drop all", - "Description": "The container should drop all default capabilities and add only those that are needed for its execution.", - "Message": "Container 'pg-ready-wait' of Deployment 'clair' should add 'ALL' to 'securityContext.capabilities.drop'", - "Namespace": "builtin.kubernetes.KSV003", - "Query": "data.builtin.kubernetes.KSV003.deny", - "Resolution": "Add 'ALL' to containers[].securityContext.capabilities.drop.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv003", - "References": [ - 
"https://kubesec.io/basics/containers-securitycontext-capabilities-drop-index-all/", - "https://avd.aquasec.com/misconfig/ksv003" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 62, - "EndLine": 65, - "Code": { - "Lines": [ - { - "Number": 62, - "Content": " - name: pg-ready-wait", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: pg-ready-wait", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 63, - "Content": " image: \"quay.io/devtron/postgres:11.3\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/postgres:11.3\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 64, - "Content": " command: [ \"sh\", \"-c\",", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mcommand\u001b[0m: [ \u001b[38;5;37m\"sh\"\u001b[0m, \u001b[38;5;37m\"-c\"\u001b[0m,", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 65, - "Content": " \"until pg_isready -h postgresql-postgresql.devtroncd -p 5432;", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;37m\"until pg_isready -h postgresql-postgresql.devtroncd -p 5432;", - "FirstCause": false, - "LastCause": true - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV011", - "AVDID": "AVD-KSV-0011", - "Title": "CPU not limited", - "Description": "Enforcing CPU limits prevents DoS via resource exhaustion.", - "Message": "Container 'clair' of Deployment 'clair' should set 'resources.limits.cpu'", - "Namespace": "builtin.kubernetes.KSV011", - "Query": "data.builtin.kubernetes.KSV011.deny", - "Resolution": "Set a limit value under 'containers[].resources.limits.cpu'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv011", - 
"References": [ - "https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", - "https://avd.aquasec.com/misconfig/ksv011" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 68, - "EndLine": 94, - "Code": { - "Lines": [ - { - "Number": 68, - "Content": " - env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33menv\u001b[0m:", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 69, - "Content": " - name: CLAIR_CONF", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: CLAIR_CONF", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 70, - "Content": " value: /etc/clair/config.yaml", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: /etc/clair/config.yaml", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 71, - "Content": " - name: CLAIR_MODE", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: CLAIR_MODE", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 72, - "Content": " value: combo", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: combo", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 73, - "Content": " name: clair", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mname\u001b[0m: clair", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 74, - "Content": " image: \"quay.io/coreos/clair:v4.3.6\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/coreos/clair:v4.3.6\"", - "FirstCause": false, - "LastCause": false - }, - { - 
"Number": 75, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 76, - "Content": " ports:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mports\u001b[0m:", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 77, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV011", - "AVDID": "AVD-KSV-0011", - "Title": "CPU not limited", - "Description": "Enforcing CPU limits prevents DoS via resource exhaustion.", - "Message": "Container 'pg-ready-wait' of Deployment 'clair' should set 'resources.limits.cpu'", - "Namespace": "builtin.kubernetes.KSV011", - "Query": "data.builtin.kubernetes.KSV011.deny", - "Resolution": "Set a limit value under 'containers[].resources.limits.cpu'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv011", - "References": [ - "https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", - "https://avd.aquasec.com/misconfig/ksv011" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 62, - "EndLine": 65, - "Code": { - "Lines": [ - { - "Number": 62, - "Content": " - name: pg-ready-wait", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: pg-ready-wait", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 63, - "Content": " image: \"quay.io/devtron/postgres:11.3\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: 
\u001b[38;5;37m\"quay.io/devtron/postgres:11.3\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 64, - "Content": " command: [ \"sh\", \"-c\",", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mcommand\u001b[0m: [ \u001b[38;5;37m\"sh\"\u001b[0m, \u001b[38;5;37m\"-c\"\u001b[0m,", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 65, - "Content": " \"until pg_isready -h postgresql-postgresql.devtroncd -p 5432;", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;37m\"until pg_isready -h postgresql-postgresql.devtroncd -p 5432;", - "FirstCause": false, - "LastCause": true - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV012", - "AVDID": "AVD-KSV-0012", - "Title": "Runs as root user", - "Description": "Force the running image to run as a non-root user to ensure least privileges.", - "Message": "Container 'clair' of Deployment 'clair' should set 'securityContext.runAsNonRoot' to true", - "Namespace": "builtin.kubernetes.KSV012", - "Query": "data.builtin.kubernetes.KSV012.deny", - "Resolution": "Set 'containers[].securityContext.runAsNonRoot' to true.", - "Severity": "MEDIUM", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv012", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", - "https://avd.aquasec.com/misconfig/ksv012" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 68, - "EndLine": 94, - "Code": { - "Lines": [ - { - "Number": 68, - "Content": " - env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33menv\u001b[0m:", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 69, - "Content": " - name: CLAIR_CONF", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: 
CLAIR_CONF", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 70, - "Content": " value: /etc/clair/config.yaml", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: /etc/clair/config.yaml", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 71, - "Content": " - name: CLAIR_MODE", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: CLAIR_MODE", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 72, - "Content": " value: combo", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: combo", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 73, - "Content": " name: clair", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mname\u001b[0m: clair", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 74, - "Content": " image: \"quay.io/coreos/clair:v4.3.6\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/coreos/clair:v4.3.6\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 75, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 76, - "Content": " ports:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mports\u001b[0m:", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 77, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV012", - "AVDID": "AVD-KSV-0012", - "Title": "Runs as 
root user", - "Description": "Force the running image to run as a non-root user to ensure least privileges.", - "Message": "Container 'pg-ready-wait' of Deployment 'clair' should set 'securityContext.runAsNonRoot' to true", - "Namespace": "builtin.kubernetes.KSV012", - "Query": "data.builtin.kubernetes.KSV012.deny", - "Resolution": "Set 'containers[].securityContext.runAsNonRoot' to true.", - "Severity": "MEDIUM", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv012", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", - "https://avd.aquasec.com/misconfig/ksv012" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 62, - "EndLine": 65, - "Code": { - "Lines": [ - { - "Number": 62, - "Content": " - name: pg-ready-wait", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: pg-ready-wait", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 63, - "Content": " image: \"quay.io/devtron/postgres:11.3\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/postgres:11.3\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 64, - "Content": " command: [ \"sh\", \"-c\",", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mcommand\u001b[0m: [ \u001b[38;5;37m\"sh\"\u001b[0m, \u001b[38;5;37m\"-c\"\u001b[0m,", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 65, - "Content": " \"until pg_isready -h postgresql-postgresql.devtroncd -p 5432;", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;37m\"until pg_isready -h postgresql-postgresql.devtroncd -p 5432;", - "FirstCause": false, - "LastCause": true - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - 
"ID": "KSV014", - "AVDID": "AVD-KSV-0014", - "Title": "Root file system is not read-only", - "Description": "An immutable root file system prevents applications from writing to their local disk. This can limit intrusions, as attackers will not be able to tamper with the file system or write foreign executables to disk.", - "Message": "Container 'clair' of Deployment 'clair' should set 'securityContext.readOnlyRootFilesystem' to true", - "Namespace": "builtin.kubernetes.KSV014", - "Query": "data.builtin.kubernetes.KSV014.deny", - "Resolution": "Change 'containers[].securityContext.readOnlyRootFilesystem' to 'true'.", - "Severity": "HIGH", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv014", - "References": [ - "https://kubesec.io/basics/containers-securitycontext-readonlyrootfilesystem-true/", - "https://avd.aquasec.com/misconfig/ksv014" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 68, - "EndLine": 94, - "Code": { - "Lines": [ - { - "Number": 68, - "Content": " - env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33menv\u001b[0m:", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 69, - "Content": " - name: CLAIR_CONF", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: CLAIR_CONF", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 70, - "Content": " value: /etc/clair/config.yaml", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: /etc/clair/config.yaml", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 71, - "Content": " - name: CLAIR_MODE", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: CLAIR_MODE", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 72, - "Content": " value: combo", - 
"IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: combo", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 73, - "Content": " name: clair", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mname\u001b[0m: clair", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 74, - "Content": " image: \"quay.io/coreos/clair:v4.3.6\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/coreos/clair:v4.3.6\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 75, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 76, - "Content": " ports:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mports\u001b[0m:", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 77, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV014", - "AVDID": "AVD-KSV-0014", - "Title": "Root file system is not read-only", - "Description": "An immutable root file system prevents applications from writing to their local disk. 
This can limit intrusions, as attackers will not be able to tamper with the file system or write foreign executables to disk.", - "Message": "Container 'pg-ready-wait' of Deployment 'clair' should set 'securityContext.readOnlyRootFilesystem' to true", - "Namespace": "builtin.kubernetes.KSV014", - "Query": "data.builtin.kubernetes.KSV014.deny", - "Resolution": "Change 'containers[].securityContext.readOnlyRootFilesystem' to 'true'.", - "Severity": "HIGH", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv014", - "References": [ - "https://kubesec.io/basics/containers-securitycontext-readonlyrootfilesystem-true/", - "https://avd.aquasec.com/misconfig/ksv014" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 62, - "EndLine": 65, - "Code": { - "Lines": [ - { - "Number": 62, - "Content": " - name: pg-ready-wait", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: pg-ready-wait", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 63, - "Content": " image: \"quay.io/devtron/postgres:11.3\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/postgres:11.3\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 64, - "Content": " command: [ \"sh\", \"-c\",", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mcommand\u001b[0m: [ \u001b[38;5;37m\"sh\"\u001b[0m, \u001b[38;5;37m\"-c\"\u001b[0m,", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 65, - "Content": " \"until pg_isready -h postgresql-postgresql.devtroncd -p 5432;", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;37m\"until pg_isready -h postgresql-postgresql.devtroncd -p 5432;", - "FirstCause": false, - "LastCause": true - } - ] - } - } - }, - { - 
"Type": "Kubernetes Security Check", - "ID": "KSV015", - "AVDID": "AVD-KSV-0015", - "Title": "CPU requests not specified", - "Description": "When containers have resource requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", - "Message": "Container 'clair' of Deployment 'clair' should set 'resources.requests.cpu'", - "Namespace": "builtin.kubernetes.KSV015", - "Query": "data.builtin.kubernetes.KSV015.deny", - "Resolution": "Set 'containers[].resources.requests.cpu'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv015", - "References": [ - "https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", - "https://avd.aquasec.com/misconfig/ksv015" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 68, - "EndLine": 94, - "Code": { - "Lines": [ - { - "Number": 68, - "Content": " - env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33menv\u001b[0m:", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 69, - "Content": " - name: CLAIR_CONF", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: CLAIR_CONF", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 70, - "Content": " value: /etc/clair/config.yaml", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: /etc/clair/config.yaml", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 71, - "Content": " - name: CLAIR_MODE", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: CLAIR_MODE", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 72, - "Content": " value: combo", - "IsCause": true, - "Annotation": 
"", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: combo", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 73, - "Content": " name: clair", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mname\u001b[0m: clair", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 74, - "Content": " image: \"quay.io/coreos/clair:v4.3.6\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/coreos/clair:v4.3.6\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 75, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 76, - "Content": " ports:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mports\u001b[0m:", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 77, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV015", - "AVDID": "AVD-KSV-0015", - "Title": "CPU requests not specified", - "Description": "When containers have resource requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", - "Message": "Container 'pg-ready-wait' of Deployment 'clair' should set 'resources.requests.cpu'", - "Namespace": "builtin.kubernetes.KSV015", - "Query": "data.builtin.kubernetes.KSV015.deny", - "Resolution": "Set 'containers[].resources.requests.cpu'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv015", - "References": [ - 
"https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", - "https://avd.aquasec.com/misconfig/ksv015" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 62, - "EndLine": 65, - "Code": { - "Lines": [ - { - "Number": 62, - "Content": " - name: pg-ready-wait", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: pg-ready-wait", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 63, - "Content": " image: \"quay.io/devtron/postgres:11.3\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/postgres:11.3\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 64, - "Content": " command: [ \"sh\", \"-c\",", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mcommand\u001b[0m: [ \u001b[38;5;37m\"sh\"\u001b[0m, \u001b[38;5;37m\"-c\"\u001b[0m,", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 65, - "Content": " \"until pg_isready -h postgresql-postgresql.devtroncd -p 5432;", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;37m\"until pg_isready -h postgresql-postgresql.devtroncd -p 5432;", - "FirstCause": false, - "LastCause": true - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV016", - "AVDID": "AVD-KSV-0016", - "Title": "Memory requests not specified", - "Description": "When containers have memory requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", - "Message": "Container 'clair' of Deployment 'clair' should set 'resources.requests.memory'", - "Namespace": "builtin.kubernetes.KSV016", - "Query": "data.builtin.kubernetes.KSV016.deny", - 
"Resolution": "Set 'containers[].resources.requests.memory'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv016", - "References": [ - "https://kubesec.io/basics/containers-resources-limits-memory/", - "https://avd.aquasec.com/misconfig/ksv016" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 68, - "EndLine": 94, - "Code": { - "Lines": [ - { - "Number": 68, - "Content": " - env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33menv\u001b[0m:", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 69, - "Content": " - name: CLAIR_CONF", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: CLAIR_CONF", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 70, - "Content": " value: /etc/clair/config.yaml", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: /etc/clair/config.yaml", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 71, - "Content": " - name: CLAIR_MODE", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: CLAIR_MODE", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 72, - "Content": " value: combo", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: combo", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 73, - "Content": " name: clair", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mname\u001b[0m: clair", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 74, - "Content": " image: \"quay.io/coreos/clair:v4.3.6\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: 
\u001b[38;5;37m\"quay.io/coreos/clair:v4.3.6\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 75, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 76, - "Content": " ports:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mports\u001b[0m:", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 77, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV016", - "AVDID": "AVD-KSV-0016", - "Title": "Memory requests not specified", - "Description": "When containers have memory requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", - "Message": "Container 'pg-ready-wait' of Deployment 'clair' should set 'resources.requests.memory'", - "Namespace": "builtin.kubernetes.KSV016", - "Query": "data.builtin.kubernetes.KSV016.deny", - "Resolution": "Set 'containers[].resources.requests.memory'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv016", - "References": [ - "https://kubesec.io/basics/containers-resources-limits-memory/", - "https://avd.aquasec.com/misconfig/ksv016" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 62, - "EndLine": 65, - "Code": { - "Lines": [ - { - "Number": 62, - "Content": " - name: pg-ready-wait", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: pg-ready-wait", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 63, - "Content": " image: 
\"quay.io/devtron/postgres:11.3\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/postgres:11.3\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 64, - "Content": " command: [ \"sh\", \"-c\",", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mcommand\u001b[0m: [ \u001b[38;5;37m\"sh\"\u001b[0m, \u001b[38;5;37m\"-c\"\u001b[0m,", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 65, - "Content": " \"until pg_isready -h postgresql-postgresql.devtroncd -p 5432;", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;37m\"until pg_isready -h postgresql-postgresql.devtroncd -p 5432;", - "FirstCause": false, - "LastCause": true - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV018", - "AVDID": "AVD-KSV-0018", - "Title": "Memory not limited", - "Description": "Enforcing memory limits prevents DoS via resource exhaustion.", - "Message": "Container 'clair' of Deployment 'clair' should set 'resources.limits.memory'", - "Namespace": "builtin.kubernetes.KSV018", - "Query": "data.builtin.kubernetes.KSV018.deny", - "Resolution": "Set a limit value under 'containers[].resources.limits.memory'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv018", - "References": [ - "https://kubesec.io/basics/containers-resources-limits-memory/", - "https://avd.aquasec.com/misconfig/ksv018" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 68, - "EndLine": 94, - "Code": { - "Lines": [ - { - "Number": 68, - "Content": " - env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33menv\u001b[0m:", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 69, - "Content": " - name: CLAIR_CONF", - 
"IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: CLAIR_CONF", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 70, - "Content": " value: /etc/clair/config.yaml", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: /etc/clair/config.yaml", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 71, - "Content": " - name: CLAIR_MODE", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: CLAIR_MODE", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 72, - "Content": " value: combo", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: combo", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 73, - "Content": " name: clair", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mname\u001b[0m: clair", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 74, - "Content": " image: \"quay.io/coreos/clair:v4.3.6\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/coreos/clair:v4.3.6\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 75, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 76, - "Content": " ports:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mports\u001b[0m:", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 77, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - 
}, - { - "Type": "Kubernetes Security Check", - "ID": "KSV018", - "AVDID": "AVD-KSV-0018", - "Title": "Memory not limited", - "Description": "Enforcing memory limits prevents DoS via resource exhaustion.", - "Message": "Container 'pg-ready-wait' of Deployment 'clair' should set 'resources.limits.memory'", - "Namespace": "builtin.kubernetes.KSV018", - "Query": "data.builtin.kubernetes.KSV018.deny", - "Resolution": "Set a limit value under 'containers[].resources.limits.memory'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv018", - "References": [ - "https://kubesec.io/basics/containers-resources-limits-memory/", - "https://avd.aquasec.com/misconfig/ksv018" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 62, - "EndLine": 65, - "Code": { - "Lines": [ - { - "Number": 62, - "Content": " - name: pg-ready-wait", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: pg-ready-wait", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 63, - "Content": " image: \"quay.io/devtron/postgres:11.3\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/postgres:11.3\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 64, - "Content": " command: [ \"sh\", \"-c\",", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mcommand\u001b[0m: [ \u001b[38;5;37m\"sh\"\u001b[0m, \u001b[38;5;37m\"-c\"\u001b[0m,", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 65, - "Content": " \"until pg_isready -h postgresql-postgresql.devtroncd -p 5432;", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;37m\"until pg_isready -h postgresql-postgresql.devtroncd -p 5432;", - "FirstCause": false, - "LastCause": true 
- } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV020", - "AVDID": "AVD-KSV-0020", - "Title": "Runs with UID \u003c= 10000", - "Description": "Force the container to run with user ID \u003e 10000 to avoid conflicts with the host’s user table.", - "Message": "Container 'clair' of Deployment 'clair' should set 'securityContext.runAsUser' \u003e 10000", - "Namespace": "builtin.kubernetes.KSV020", - "Query": "data.builtin.kubernetes.KSV020.deny", - "Resolution": "Set 'containers[].securityContext.runAsUser' to an integer \u003e 10000.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv020", - "References": [ - "https://kubesec.io/basics/containers-securitycontext-runasuser/", - "https://avd.aquasec.com/misconfig/ksv020" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 68, - "EndLine": 94, - "Code": { - "Lines": [ - { - "Number": 68, - "Content": " - env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33menv\u001b[0m:", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 69, - "Content": " - name: CLAIR_CONF", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: CLAIR_CONF", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 70, - "Content": " value: /etc/clair/config.yaml", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: /etc/clair/config.yaml", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 71, - "Content": " - name: CLAIR_MODE", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: CLAIR_MODE", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 72, - "Content": " value: combo", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " 
\u001b[38;5;33mvalue\u001b[0m: combo", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 73, - "Content": " name: clair", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mname\u001b[0m: clair", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 74, - "Content": " image: \"quay.io/coreos/clair:v4.3.6\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/coreos/clair:v4.3.6\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 75, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 76, - "Content": " ports:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mports\u001b[0m:", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 77, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV020", - "AVDID": "AVD-KSV-0020", - "Title": "Runs with UID \u003c= 10000", - "Description": "Force the container to run with user ID \u003e 10000 to avoid conflicts with the host’s user table.", - "Message": "Container 'pg-ready-wait' of Deployment 'clair' should set 'securityContext.runAsUser' \u003e 10000", - "Namespace": "builtin.kubernetes.KSV020", - "Query": "data.builtin.kubernetes.KSV020.deny", - "Resolution": "Set 'containers[].securityContext.runAsUser' to an integer \u003e 10000.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv020", - "References": [ - "https://kubesec.io/basics/containers-securitycontext-runasuser/", - "https://avd.aquasec.com/misconfig/ksv020" - ], - "Status": 
"FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 62, - "EndLine": 65, - "Code": { - "Lines": [ - { - "Number": 62, - "Content": " - name: pg-ready-wait", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: pg-ready-wait", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 63, - "Content": " image: \"quay.io/devtron/postgres:11.3\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/postgres:11.3\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 64, - "Content": " command: [ \"sh\", \"-c\",", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mcommand\u001b[0m: [ \u001b[38;5;37m\"sh\"\u001b[0m, \u001b[38;5;37m\"-c\"\u001b[0m,", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 65, - "Content": " \"until pg_isready -h postgresql-postgresql.devtroncd -p 5432;", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;37m\"until pg_isready -h postgresql-postgresql.devtroncd -p 5432;", - "FirstCause": false, - "LastCause": true - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV021", - "AVDID": "AVD-KSV-0021", - "Title": "Runs with GID \u003c= 10000", - "Description": "Force the container to run with group ID \u003e 10000 to avoid conflicts with the host’s user table.", - "Message": "Container 'clair' of Deployment 'clair' should set 'securityContext.runAsGroup' \u003e 10000", - "Namespace": "builtin.kubernetes.KSV021", - "Query": "data.builtin.kubernetes.KSV021.deny", - "Resolution": "Set 'containers[].securityContext.runAsGroup' to an integer \u003e 10000.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv021", - "References": [ - 
"https://kubesec.io/basics/containers-securitycontext-runasuser/", - "https://avd.aquasec.com/misconfig/ksv021" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 68, - "EndLine": 94, - "Code": { - "Lines": [ - { - "Number": 68, - "Content": " - env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33menv\u001b[0m:", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 69, - "Content": " - name: CLAIR_CONF", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: CLAIR_CONF", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 70, - "Content": " value: /etc/clair/config.yaml", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: /etc/clair/config.yaml", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 71, - "Content": " - name: CLAIR_MODE", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: CLAIR_MODE", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 72, - "Content": " value: combo", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: combo", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 73, - "Content": " name: clair", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mname\u001b[0m: clair", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 74, - "Content": " image: \"quay.io/coreos/clair:v4.3.6\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/coreos/clair:v4.3.6\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 75, - "Content": " imagePullPolicy: IfNotPresent", - 
"IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 76, - "Content": " ports:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mports\u001b[0m:", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 77, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV021", - "AVDID": "AVD-KSV-0021", - "Title": "Runs with GID \u003c= 10000", - "Description": "Force the container to run with group ID \u003e 10000 to avoid conflicts with the host’s user table.", - "Message": "Container 'pg-ready-wait' of Deployment 'clair' should set 'securityContext.runAsGroup' \u003e 10000", - "Namespace": "builtin.kubernetes.KSV021", - "Query": "data.builtin.kubernetes.KSV021.deny", - "Resolution": "Set 'containers[].securityContext.runAsGroup' to an integer \u003e 10000.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv021", - "References": [ - "https://kubesec.io/basics/containers-securitycontext-runasuser/", - "https://avd.aquasec.com/misconfig/ksv021" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 62, - "EndLine": 65, - "Code": { - "Lines": [ - { - "Number": 62, - "Content": " - name: pg-ready-wait", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: pg-ready-wait", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 63, - "Content": " image: \"quay.io/devtron/postgres:11.3\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/postgres:11.3\"", - "FirstCause": false, 
- "LastCause": false - }, - { - "Number": 64, - "Content": " command: [ \"sh\", \"-c\",", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mcommand\u001b[0m: [ \u001b[38;5;37m\"sh\"\u001b[0m, \u001b[38;5;37m\"-c\"\u001b[0m,", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 65, - "Content": " \"until pg_isready -h postgresql-postgresql.devtroncd -p 5432;", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;37m\"until pg_isready -h postgresql-postgresql.devtroncd -p 5432;", - "FirstCause": false, - "LastCause": true - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV030", - "AVDID": "AVD-KSV-0030", - "Title": "Runtime/Default Seccomp profile not set", - "Description": "According to pod security standard 'Seccomp', the RuntimeDefault seccomp profile must be required, or allow specific additional profiles.", - "Message": "Either Pod or Container should set 'securityContext.seccompProfile.type' to 'RuntimeDefault'", - "Namespace": "builtin.kubernetes.KSV030", - "Query": "data.builtin.kubernetes.KSV030.deny", - "Resolution": "Set 'spec.securityContext.seccompProfile.type', 'spec.containers[*].securityContext.seccompProfile' and 'spec.initContainers[*].securityContext.seccompProfile' to 'RuntimeDefault' or undefined.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv030", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", - "https://avd.aquasec.com/misconfig/ksv030" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 68, - "EndLine": 94, - "Code": { - "Lines": [ - { - "Number": 68, - "Content": " - env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33menv\u001b[0m:", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 69, - 
"Content": " - name: CLAIR_CONF", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: CLAIR_CONF", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 70, - "Content": " value: /etc/clair/config.yaml", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: /etc/clair/config.yaml", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 71, - "Content": " - name: CLAIR_MODE", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: CLAIR_MODE", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 72, - "Content": " value: combo", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: combo", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 73, - "Content": " name: clair", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mname\u001b[0m: clair", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 74, - "Content": " image: \"quay.io/coreos/clair:v4.3.6\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/coreos/clair:v4.3.6\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 75, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 76, - "Content": " ports:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mports\u001b[0m:", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 77, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - 
"LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV030", - "AVDID": "AVD-KSV-0030", - "Title": "Runtime/Default Seccomp profile not set", - "Description": "According to pod security standard 'Seccomp', the RuntimeDefault seccomp profile must be required, or allow specific additional profiles.", - "Message": "Either Pod or Container should set 'securityContext.seccompProfile.type' to 'RuntimeDefault'", - "Namespace": "builtin.kubernetes.KSV030", - "Query": "data.builtin.kubernetes.KSV030.deny", - "Resolution": "Set 'spec.securityContext.seccompProfile.type', 'spec.containers[*].securityContext.seccompProfile' and 'spec.initContainers[*].securityContext.seccompProfile' to 'RuntimeDefault' or undefined.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv030", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", - "https://avd.aquasec.com/misconfig/ksv030" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 62, - "EndLine": 65, - "Code": { - "Lines": [ - { - "Number": 62, - "Content": " - name: pg-ready-wait", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: pg-ready-wait", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 63, - "Content": " image: \"quay.io/devtron/postgres:11.3\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/postgres:11.3\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 64, - "Content": " command: [ \"sh\", \"-c\",", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mcommand\u001b[0m: [ \u001b[38;5;37m\"sh\"\u001b[0m, \u001b[38;5;37m\"-c\"\u001b[0m,", - "FirstCause": false, - "LastCause": false - }, - { - 
"Number": 65, - "Content": " \"until pg_isready -h postgresql-postgresql.devtroncd -p 5432;", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;37m\"until pg_isready -h postgresql-postgresql.devtroncd -p 5432;", - "FirstCause": false, - "LastCause": true - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV104", - "AVDID": "AVD-KSV-0104", - "Title": "Seccomp policies disabled", - "Description": "A program inside the container can bypass Seccomp protection policies.", - "Message": "container \"clair\" of deployment \"clair\" in \"default\" namespace should specify a seccomp profile", - "Namespace": "builtin.kubernetes.KSV104", - "Query": "data.builtin.kubernetes.KSV104.deny", - "Resolution": "Specify seccomp either by annotation or by seccomp profile type having allowed values as per pod security standards", - "Severity": "MEDIUM", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv104", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline", - "https://avd.aquasec.com/misconfig/ksv104" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 37, - "EndLine": 37, - "Code": { - "Lines": [ - { - "Number": 37, - "Content": "---", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "---", - "FirstCause": true, - "LastCause": true - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV104", - "AVDID": "AVD-KSV-0104", - "Title": "Seccomp policies disabled", - "Description": "A program inside the container can bypass Seccomp protection policies.", - "Message": "container \"pg-ready-wait\" of deployment \"clair\" in \"default\" namespace should specify a seccomp profile", - "Namespace": "builtin.kubernetes.KSV104", - "Query": "data.builtin.kubernetes.KSV104.deny", - "Resolution": "Specify seccomp either by annotation or by seccomp profile type 
having allowed values as per pod security standards", - "Severity": "MEDIUM", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv104", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline", - "https://avd.aquasec.com/misconfig/ksv104" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 37, - "EndLine": 37, - "Code": { - "Lines": [ - { - "Number": 37, - "Content": "---", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "---", - "FirstCause": true, - "LastCause": true - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV106", - "AVDID": "AVD-KSV-0106", - "Title": "Container capabilities must only include NET_BIND_SERVICE", - "Description": "Containers must drop ALL capabilities, and are only permitted to add back the NET_BIND_SERVICE capability.", - "Message": "container should drop all", - "Namespace": "builtin.kubernetes.KSV106", - "Query": "data.builtin.kubernetes.KSV106.deny", - "Resolution": "Set 'spec.containers[*].securityContext.capabilities.drop' to 'ALL' and only add 'NET_BIND_SERVICE' to 'spec.containers[*].securityContext.capabilities.add'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv106", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", - "https://avd.aquasec.com/misconfig/ksv106" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 62, - "EndLine": 65, - "Code": { - "Lines": [ - { - "Number": 62, - "Content": " - name: pg-ready-wait", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: pg-ready-wait", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 63, - "Content": " image: \"quay.io/devtron/postgres:11.3\"", - "IsCause": true, - "Annotation": 
"", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/postgres:11.3\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 64, - "Content": " command: [ \"sh\", \"-c\",", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mcommand\u001b[0m: [ \u001b[38;5;37m\"sh\"\u001b[0m, \u001b[38;5;37m\"-c\"\u001b[0m,", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 65, - "Content": " \"until pg_isready -h postgresql-postgresql.devtroncd -p 5432;", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;37m\"until pg_isready -h postgresql-postgresql.devtroncd -p 5432;", - "FirstCause": false, - "LastCause": true - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV106", - "AVDID": "AVD-KSV-0106", - "Title": "Container capabilities must only include NET_BIND_SERVICE", - "Description": "Containers must drop ALL capabilities, and are only permitted to add back the NET_BIND_SERVICE capability.", - "Message": "container should drop all", - "Namespace": "builtin.kubernetes.KSV106", - "Query": "data.builtin.kubernetes.KSV106.deny", - "Resolution": "Set 'spec.containers[*].securityContext.capabilities.drop' to 'ALL' and only add 'NET_BIND_SERVICE' to 'spec.containers[*].securityContext.capabilities.add'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv106", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", - "https://avd.aquasec.com/misconfig/ksv106" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 68, - "EndLine": 94, - "Code": { - "Lines": [ - { - "Number": 68, - "Content": " - env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33menv\u001b[0m:", - "FirstCause": true, - "LastCause": 
false - }, - { - "Number": 69, - "Content": " - name: CLAIR_CONF", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: CLAIR_CONF", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 70, - "Content": " value: /etc/clair/config.yaml", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: /etc/clair/config.yaml", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 71, - "Content": " - name: CLAIR_MODE", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: CLAIR_MODE", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 72, - "Content": " value: combo", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: combo", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 73, - "Content": " name: clair", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mname\u001b[0m: clair", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 74, - "Content": " image: \"quay.io/coreos/clair:v4.3.6\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/coreos/clair:v4.3.6\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 75, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 76, - "Content": " ports:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mports\u001b[0m:", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 77, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": 
true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - } - ] - }, - { - "Target": "manifests/yamls/dashboard.yaml", - "Class": "config", - "Type": "kubernetes", - "MisconfSummary": { - "Successes": 153, - "Failures": 25, - "Exceptions": 0 - }, - "Misconfigurations": [ - { - "Type": "Kubernetes Security Check", - "ID": "KSV001", - "AVDID": "AVD-KSV-0001", - "Title": "Can elevate its own privileges", - "Description": "A program inside the container can elevate its own privileges and run as root, which might give the program control over the container and node.", - "Message": "Container 'envoy' of Deployment 'dashboard' should set 'securityContext.allowPrivilegeEscalation' to false", - "Namespace": "builtin.kubernetes.KSV001", - "Query": "data.builtin.kubernetes.KSV001.deny", - "Resolution": "Set 'set containers[].securityContext.allowPrivilegeEscalation' to 'false'.", - "Severity": "MEDIUM", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv001", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", - "https://avd.aquasec.com/misconfig/ksv001" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 223, - "EndLine": 236, - "Code": { - "Lines": [ - { - "Number": 223, - "Content": " - name: envoy", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: envoy", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 224, - "Content": " image: \"quay.io/devtron/envoy:v1.14.1\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/envoy:v1.14.1\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 225, - "Content": " ports:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mports\u001b[0m:", - "FirstCause": false, 
- "LastCause": false - }, - { - "Number": 226, - "Content": " - containerPort: 9901", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m9901", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 227, - "Content": " protocol: TCP", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mprotocol\u001b[0m: TCP", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 228, - "Content": " name: envoy-admin", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mname\u001b[0m: envoy-admin", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 229, - "Content": " - name: app", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: app", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 230, - "Content": " containerPort: 8790", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m8790", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 231, - "Content": " protocol: TCP", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mprotocol\u001b[0m: TCP", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 232, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV003", - "AVDID": "AVD-KSV-0003", - "Title": "Default capabilities: some containers do not drop all", - "Description": "The container should drop all default capabilities and add only those that are needed for its execution.", - "Message": "Container 'dashboard' of Deployment 'dashboard' should add 'ALL' to 'securityContext.capabilities.drop'", - 
"Namespace": "builtin.kubernetes.KSV003", - "Query": "data.builtin.kubernetes.KSV003.deny", - "Resolution": "Add 'ALL' to containers[].securityContext.capabilities.drop.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv003", - "References": [ - "https://kubesec.io/basics/containers-securitycontext-capabilities-drop-index-all/", - "https://avd.aquasec.com/misconfig/ksv003" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 237, - "EndLine": 264, - "Code": { - "Lines": [ - { - "Number": 237, - "Content": " - name: dashboard", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: dashboard", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 238, - "Content": " image: \"quay.io/devtron/dashboard:9429b066-325-21529\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/dashboard:9429b066-325-21529\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 239, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 240, - "Content": " securityContext:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33msecurityContext\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 241, - "Content": " allowPrivilegeEscalation: false", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mallowPrivilegeEscalation\u001b[0m: \u001b[38;5;166mfalse", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 242, - "Content": " runAsUser: 1000", - "IsCause": true, - "Annotation": "", - "Truncated": 
false, - "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1000", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 243, - "Content": " runAsNonRoot: true", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 244, - "Content": " ports:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mports\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 245, - "Content": " - name: app", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: app", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 246, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV003", - "AVDID": "AVD-KSV-0003", - "Title": "Default capabilities: some containers do not drop all", - "Description": "The container should drop all default capabilities and add only those that are needed for its execution.", - "Message": "Container 'envoy' of Deployment 'dashboard' should add 'ALL' to 'securityContext.capabilities.drop'", - "Namespace": "builtin.kubernetes.KSV003", - "Query": "data.builtin.kubernetes.KSV003.deny", - "Resolution": "Add 'ALL' to containers[].securityContext.capabilities.drop.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv003", - "References": [ - "https://kubesec.io/basics/containers-securitycontext-capabilities-drop-index-all/", - "https://avd.aquasec.com/misconfig/ksv003" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 223, - "EndLine": 236, - "Code": { - "Lines": [ - { - "Number": 223, - 
"Content": " - name: envoy", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: envoy", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 224, - "Content": " image: \"quay.io/devtron/envoy:v1.14.1\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/envoy:v1.14.1\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 225, - "Content": " ports:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mports\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 226, - "Content": " - containerPort: 9901", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m9901", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 227, - "Content": " protocol: TCP", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mprotocol\u001b[0m: TCP", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 228, - "Content": " name: envoy-admin", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mname\u001b[0m: envoy-admin", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 229, - "Content": " - name: app", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: app", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 230, - "Content": " containerPort: 8790", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m8790", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 231, - "Content": " protocol: TCP", - "IsCause": true, - "Annotation": "", - "Truncated": false, - 
"Highlighted": "\u001b[0m \u001b[38;5;33mprotocol\u001b[0m: TCP", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 232, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV011", - "AVDID": "AVD-KSV-0011", - "Title": "CPU not limited", - "Description": "Enforcing CPU limits prevents DoS via resource exhaustion.", - "Message": "Container 'dashboard' of Deployment 'dashboard' should set 'resources.limits.cpu'", - "Namespace": "builtin.kubernetes.KSV011", - "Query": "data.builtin.kubernetes.KSV011.deny", - "Resolution": "Set a limit value under 'containers[].resources.limits.cpu'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv011", - "References": [ - "https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", - "https://avd.aquasec.com/misconfig/ksv011" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 237, - "EndLine": 264, - "Code": { - "Lines": [ - { - "Number": 237, - "Content": " - name: dashboard", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: dashboard", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 238, - "Content": " image: \"quay.io/devtron/dashboard:9429b066-325-21529\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/dashboard:9429b066-325-21529\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 239, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - 
{ - "Number": 240, - "Content": " securityContext:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33msecurityContext\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 241, - "Content": " allowPrivilegeEscalation: false", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mallowPrivilegeEscalation\u001b[0m: \u001b[38;5;166mfalse", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 242, - "Content": " runAsUser: 1000", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1000", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 243, - "Content": " runAsNonRoot: true", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 244, - "Content": " ports:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mports\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 245, - "Content": " - name: app", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: app", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 246, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV011", - "AVDID": "AVD-KSV-0011", - "Title": "CPU not limited", - "Description": "Enforcing CPU limits prevents DoS via resource exhaustion.", - "Message": "Container 'envoy' of Deployment 'dashboard' should set 'resources.limits.cpu'", - "Namespace": "builtin.kubernetes.KSV011", - "Query": "data.builtin.kubernetes.KSV011.deny", - "Resolution": 
"Set a limit value under 'containers[].resources.limits.cpu'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv011", - "References": [ - "https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", - "https://avd.aquasec.com/misconfig/ksv011" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 223, - "EndLine": 236, - "Code": { - "Lines": [ - { - "Number": 223, - "Content": " - name: envoy", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: envoy", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 224, - "Content": " image: \"quay.io/devtron/envoy:v1.14.1\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/envoy:v1.14.1\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 225, - "Content": " ports:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mports\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 226, - "Content": " - containerPort: 9901", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m9901", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 227, - "Content": " protocol: TCP", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mprotocol\u001b[0m: TCP", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 228, - "Content": " name: envoy-admin", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mname\u001b[0m: envoy-admin", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 229, - "Content": " - name: app", - 
"IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: app", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 230, - "Content": " containerPort: 8790", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m8790", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 231, - "Content": " protocol: TCP", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mprotocol\u001b[0m: TCP", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 232, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV012", - "AVDID": "AVD-KSV-0012", - "Title": "Runs as root user", - "Description": "Force the running image to run as a non-root user to ensure least privileges.", - "Message": "Container 'envoy' of Deployment 'dashboard' should set 'securityContext.runAsNonRoot' to true", - "Namespace": "builtin.kubernetes.KSV012", - "Query": "data.builtin.kubernetes.KSV012.deny", - "Resolution": "Set 'containers[].securityContext.runAsNonRoot' to true.", - "Severity": "MEDIUM", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv012", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", - "https://avd.aquasec.com/misconfig/ksv012" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 223, - "EndLine": 236, - "Code": { - "Lines": [ - { - "Number": 223, - "Content": " - name: envoy", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: envoy", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 224, - "Content": " image: 
\"quay.io/devtron/envoy:v1.14.1\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/envoy:v1.14.1\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 225, - "Content": " ports:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mports\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 226, - "Content": " - containerPort: 9901", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m9901", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 227, - "Content": " protocol: TCP", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mprotocol\u001b[0m: TCP", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 228, - "Content": " name: envoy-admin", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mname\u001b[0m: envoy-admin", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 229, - "Content": " - name: app", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: app", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 230, - "Content": " containerPort: 8790", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m8790", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 231, - "Content": " protocol: TCP", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mprotocol\u001b[0m: TCP", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 232, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - 
"LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV014", - "AVDID": "AVD-KSV-0014", - "Title": "Root file system is not read-only", - "Description": "An immutable root file system prevents applications from writing to their local disk. This can limit intrusions, as attackers will not be able to tamper with the file system or write foreign executables to disk.", - "Message": "Container 'dashboard' of Deployment 'dashboard' should set 'securityContext.readOnlyRootFilesystem' to true", - "Namespace": "builtin.kubernetes.KSV014", - "Query": "data.builtin.kubernetes.KSV014.deny", - "Resolution": "Change 'containers[].securityContext.readOnlyRootFilesystem' to 'true'.", - "Severity": "HIGH", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv014", - "References": [ - "https://kubesec.io/basics/containers-securitycontext-readonlyrootfilesystem-true/", - "https://avd.aquasec.com/misconfig/ksv014" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 237, - "EndLine": 264, - "Code": { - "Lines": [ - { - "Number": 237, - "Content": " - name: dashboard", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: dashboard", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 238, - "Content": " image: \"quay.io/devtron/dashboard:9429b066-325-21529\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/dashboard:9429b066-325-21529\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 239, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 240, - "Content": " securityContext:", - 
"IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33msecurityContext\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 241, - "Content": " allowPrivilegeEscalation: false", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mallowPrivilegeEscalation\u001b[0m: \u001b[38;5;166mfalse", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 242, - "Content": " runAsUser: 1000", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1000", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 243, - "Content": " runAsNonRoot: true", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 244, - "Content": " ports:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mports\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 245, - "Content": " - name: app", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: app", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 246, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV014", - "AVDID": "AVD-KSV-0014", - "Title": "Root file system is not read-only", - "Description": "An immutable root file system prevents applications from writing to their local disk. 
This can limit intrusions, as attackers will not be able to tamper with the file system or write foreign executables to disk.", - "Message": "Container 'envoy' of Deployment 'dashboard' should set 'securityContext.readOnlyRootFilesystem' to true", - "Namespace": "builtin.kubernetes.KSV014", - "Query": "data.builtin.kubernetes.KSV014.deny", - "Resolution": "Change 'containers[].securityContext.readOnlyRootFilesystem' to 'true'.", - "Severity": "HIGH", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv014", - "References": [ - "https://kubesec.io/basics/containers-securitycontext-readonlyrootfilesystem-true/", - "https://avd.aquasec.com/misconfig/ksv014" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 223, - "EndLine": 236, - "Code": { - "Lines": [ - { - "Number": 223, - "Content": " - name: envoy", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: envoy", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 224, - "Content": " image: \"quay.io/devtron/envoy:v1.14.1\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/envoy:v1.14.1\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 225, - "Content": " ports:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mports\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 226, - "Content": " - containerPort: 9901", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m9901", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 227, - "Content": " protocol: TCP", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mprotocol\u001b[0m: TCP", 
- "FirstCause": false, - "LastCause": false - }, - { - "Number": 228, - "Content": " name: envoy-admin", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mname\u001b[0m: envoy-admin", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 229, - "Content": " - name: app", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: app", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 230, - "Content": " containerPort: 8790", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m8790", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 231, - "Content": " protocol: TCP", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mprotocol\u001b[0m: TCP", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 232, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV015", - "AVDID": "AVD-KSV-0015", - "Title": "CPU requests not specified", - "Description": "When containers have resource requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", - "Message": "Container 'dashboard' of Deployment 'dashboard' should set 'resources.requests.cpu'", - "Namespace": "builtin.kubernetes.KSV015", - "Query": "data.builtin.kubernetes.KSV015.deny", - "Resolution": "Set 'containers[].resources.requests.cpu'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv015", - "References": [ - "https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", - "https://avd.aquasec.com/misconfig/ksv015" - ], - "Status": "FAIL", 
- "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 237, - "EndLine": 264, - "Code": { - "Lines": [ - { - "Number": 237, - "Content": " - name: dashboard", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: dashboard", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 238, - "Content": " image: \"quay.io/devtron/dashboard:9429b066-325-21529\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/dashboard:9429b066-325-21529\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 239, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 240, - "Content": " securityContext:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33msecurityContext\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 241, - "Content": " allowPrivilegeEscalation: false", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mallowPrivilegeEscalation\u001b[0m: \u001b[38;5;166mfalse", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 242, - "Content": " runAsUser: 1000", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1000", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 243, - "Content": " runAsNonRoot: true", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 244, - "Content": 
" ports:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mports\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 245, - "Content": " - name: app", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: app", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 246, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV015", - "AVDID": "AVD-KSV-0015", - "Title": "CPU requests not specified", - "Description": "When containers have resource requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", - "Message": "Container 'envoy' of Deployment 'dashboard' should set 'resources.requests.cpu'", - "Namespace": "builtin.kubernetes.KSV015", - "Query": "data.builtin.kubernetes.KSV015.deny", - "Resolution": "Set 'containers[].resources.requests.cpu'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv015", - "References": [ - "https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", - "https://avd.aquasec.com/misconfig/ksv015" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 223, - "EndLine": 236, - "Code": { - "Lines": [ - { - "Number": 223, - "Content": " - name: envoy", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: envoy", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 224, - "Content": " image: \"quay.io/devtron/envoy:v1.14.1\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: 
\u001b[38;5;37m\"quay.io/devtron/envoy:v1.14.1\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 225, - "Content": " ports:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mports\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 226, - "Content": " - containerPort: 9901", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m9901", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 227, - "Content": " protocol: TCP", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mprotocol\u001b[0m: TCP", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 228, - "Content": " name: envoy-admin", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mname\u001b[0m: envoy-admin", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 229, - "Content": " - name: app", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: app", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 230, - "Content": " containerPort: 8790", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m8790", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 231, - "Content": " protocol: TCP", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mprotocol\u001b[0m: TCP", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 232, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV016", - "AVDID": "AVD-KSV-0016", - "Title": "Memory 
requests not specified", - "Description": "When containers have memory requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", - "Message": "Container 'dashboard' of Deployment 'dashboard' should set 'resources.requests.memory'", - "Namespace": "builtin.kubernetes.KSV016", - "Query": "data.builtin.kubernetes.KSV016.deny", - "Resolution": "Set 'containers[].resources.requests.memory'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv016", - "References": [ - "https://kubesec.io/basics/containers-resources-limits-memory/", - "https://avd.aquasec.com/misconfig/ksv016" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 237, - "EndLine": 264, - "Code": { - "Lines": [ - { - "Number": 237, - "Content": " - name: dashboard", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: dashboard", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 238, - "Content": " image: \"quay.io/devtron/dashboard:9429b066-325-21529\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/dashboard:9429b066-325-21529\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 239, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 240, - "Content": " securityContext:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33msecurityContext\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 241, - "Content": " allowPrivilegeEscalation: false", - "IsCause": true, - 
"Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mallowPrivilegeEscalation\u001b[0m: \u001b[38;5;166mfalse", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 242, - "Content": " runAsUser: 1000", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1000", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 243, - "Content": " runAsNonRoot: true", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 244, - "Content": " ports:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mports\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 245, - "Content": " - name: app", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: app", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 246, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV016", - "AVDID": "AVD-KSV-0016", - "Title": "Memory requests not specified", - "Description": "When containers have memory requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", - "Message": "Container 'envoy' of Deployment 'dashboard' should set 'resources.requests.memory'", - "Namespace": "builtin.kubernetes.KSV016", - "Query": "data.builtin.kubernetes.KSV016.deny", - "Resolution": "Set 'containers[].resources.requests.memory'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv016", - "References": [ - 
"https://kubesec.io/basics/containers-resources-limits-memory/", - "https://avd.aquasec.com/misconfig/ksv016" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 223, - "EndLine": 236, - "Code": { - "Lines": [ - { - "Number": 223, - "Content": " - name: envoy", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: envoy", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 224, - "Content": " image: \"quay.io/devtron/envoy:v1.14.1\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/envoy:v1.14.1\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 225, - "Content": " ports:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mports\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 226, - "Content": " - containerPort: 9901", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m9901", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 227, - "Content": " protocol: TCP", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mprotocol\u001b[0m: TCP", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 228, - "Content": " name: envoy-admin", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mname\u001b[0m: envoy-admin", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 229, - "Content": " - name: app", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: app", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 230, - "Content": " containerPort: 8790", - 
"IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m8790", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 231, - "Content": " protocol: TCP", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mprotocol\u001b[0m: TCP", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 232, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV018", - "AVDID": "AVD-KSV-0018", - "Title": "Memory not limited", - "Description": "Enforcing memory limits prevents DoS via resource exhaustion.", - "Message": "Container 'dashboard' of Deployment 'dashboard' should set 'resources.limits.memory'", - "Namespace": "builtin.kubernetes.KSV018", - "Query": "data.builtin.kubernetes.KSV018.deny", - "Resolution": "Set a limit value under 'containers[].resources.limits.memory'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv018", - "References": [ - "https://kubesec.io/basics/containers-resources-limits-memory/", - "https://avd.aquasec.com/misconfig/ksv018" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 237, - "EndLine": 264, - "Code": { - "Lines": [ - { - "Number": 237, - "Content": " - name: dashboard", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: dashboard", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 238, - "Content": " image: \"quay.io/devtron/dashboard:9429b066-325-21529\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/dashboard:9429b066-325-21529\"", - "FirstCause": false, - "LastCause": false - }, - 
{ - "Number": 239, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 240, - "Content": " securityContext:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33msecurityContext\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 241, - "Content": " allowPrivilegeEscalation: false", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mallowPrivilegeEscalation\u001b[0m: \u001b[38;5;166mfalse", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 242, - "Content": " runAsUser: 1000", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1000", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 243, - "Content": " runAsNonRoot: true", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 244, - "Content": " ports:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mports\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 245, - "Content": " - name: app", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: app", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 246, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV018", - "AVDID": "AVD-KSV-0018", - "Title": "Memory not limited", - "Description": 
"Enforcing memory limits prevents DoS via resource exhaustion.", - "Message": "Container 'envoy' of Deployment 'dashboard' should set 'resources.limits.memory'", - "Namespace": "builtin.kubernetes.KSV018", - "Query": "data.builtin.kubernetes.KSV018.deny", - "Resolution": "Set a limit value under 'containers[].resources.limits.memory'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv018", - "References": [ - "https://kubesec.io/basics/containers-resources-limits-memory/", - "https://avd.aquasec.com/misconfig/ksv018" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 223, - "EndLine": 236, - "Code": { - "Lines": [ - { - "Number": 223, - "Content": " - name: envoy", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: envoy", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 224, - "Content": " image: \"quay.io/devtron/envoy:v1.14.1\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/envoy:v1.14.1\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 225, - "Content": " ports:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mports\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 226, - "Content": " - containerPort: 9901", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m9901", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 227, - "Content": " protocol: TCP", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mprotocol\u001b[0m: TCP", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 228, - "Content": " name: envoy-admin", - 
"IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mname\u001b[0m: envoy-admin", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 229, - "Content": " - name: app", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: app", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 230, - "Content": " containerPort: 8790", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m8790", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 231, - "Content": " protocol: TCP", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mprotocol\u001b[0m: TCP", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 232, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV020", - "AVDID": "AVD-KSV-0020", - "Title": "Runs with UID \u003c= 10000", - "Description": "Force the container to run with user ID \u003e 10000 to avoid conflicts with the host’s user table.", - "Message": "Container 'dashboard' of Deployment 'dashboard' should set 'securityContext.runAsUser' \u003e 10000", - "Namespace": "builtin.kubernetes.KSV020", - "Query": "data.builtin.kubernetes.KSV020.deny", - "Resolution": "Set 'containers[].securityContext.runAsUser' to an integer \u003e 10000.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv020", - "References": [ - "https://kubesec.io/basics/containers-securitycontext-runasuser/", - "https://avd.aquasec.com/misconfig/ksv020" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 237, - "EndLine": 264, - "Code": { - "Lines": [ - { - "Number": 237, - 
"Content": " - name: dashboard", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: dashboard", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 238, - "Content": " image: \"quay.io/devtron/dashboard:9429b066-325-21529\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/dashboard:9429b066-325-21529\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 239, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 240, - "Content": " securityContext:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33msecurityContext\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 241, - "Content": " allowPrivilegeEscalation: false", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mallowPrivilegeEscalation\u001b[0m: \u001b[38;5;166mfalse", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 242, - "Content": " runAsUser: 1000", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1000", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 243, - "Content": " runAsNonRoot: true", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 244, - "Content": " ports:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mports\u001b[0m:", - "FirstCause": false, - "LastCause": 
false - }, - { - "Number": 245, - "Content": " - name: app", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: app", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 246, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV020", - "AVDID": "AVD-KSV-0020", - "Title": "Runs with UID \u003c= 10000", - "Description": "Force the container to run with user ID \u003e 10000 to avoid conflicts with the host’s user table.", - "Message": "Container 'envoy' of Deployment 'dashboard' should set 'securityContext.runAsUser' \u003e 10000", - "Namespace": "builtin.kubernetes.KSV020", - "Query": "data.builtin.kubernetes.KSV020.deny", - "Resolution": "Set 'containers[].securityContext.runAsUser' to an integer \u003e 10000.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv020", - "References": [ - "https://kubesec.io/basics/containers-securitycontext-runasuser/", - "https://avd.aquasec.com/misconfig/ksv020" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 223, - "EndLine": 236, - "Code": { - "Lines": [ - { - "Number": 223, - "Content": " - name: envoy", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: envoy", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 224, - "Content": " image: \"quay.io/devtron/envoy:v1.14.1\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/envoy:v1.14.1\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 225, - "Content": " ports:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m 
\u001b[38;5;33mports\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 226, - "Content": " - containerPort: 9901", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m9901", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 227, - "Content": " protocol: TCP", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mprotocol\u001b[0m: TCP", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 228, - "Content": " name: envoy-admin", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mname\u001b[0m: envoy-admin", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 229, - "Content": " - name: app", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: app", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 230, - "Content": " containerPort: 8790", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m8790", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 231, - "Content": " protocol: TCP", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mprotocol\u001b[0m: TCP", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 232, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV021", - "AVDID": "AVD-KSV-0021", - "Title": "Runs with GID \u003c= 10000", - "Description": "Force the container to run with group ID \u003e 10000 to avoid conflicts with the host’s user table.", - "Message": "Container 'dashboard' of Deployment 'dashboard' should set 
'securityContext.runAsGroup' \u003e 10000", - "Namespace": "builtin.kubernetes.KSV021", - "Query": "data.builtin.kubernetes.KSV021.deny", - "Resolution": "Set 'containers[].securityContext.runAsGroup' to an integer \u003e 10000.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv021", - "References": [ - "https://kubesec.io/basics/containers-securitycontext-runasuser/", - "https://avd.aquasec.com/misconfig/ksv021" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 237, - "EndLine": 264, - "Code": { - "Lines": [ - { - "Number": 237, - "Content": " - name: dashboard", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: dashboard", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 238, - "Content": " image: \"quay.io/devtron/dashboard:9429b066-325-21529\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/dashboard:9429b066-325-21529\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 239, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 240, - "Content": " securityContext:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33msecurityContext\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 241, - "Content": " allowPrivilegeEscalation: false", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mallowPrivilegeEscalation\u001b[0m: \u001b[38;5;166mfalse", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 242, - "Content": " runAsUser: 1000", - "IsCause": 
true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1000", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 243, - "Content": " runAsNonRoot: true", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 244, - "Content": " ports:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mports\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 245, - "Content": " - name: app", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: app", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 246, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV021", - "AVDID": "AVD-KSV-0021", - "Title": "Runs with GID \u003c= 10000", - "Description": "Force the container to run with group ID \u003e 10000 to avoid conflicts with the host’s user table.", - "Message": "Container 'envoy' of Deployment 'dashboard' should set 'securityContext.runAsGroup' \u003e 10000", - "Namespace": "builtin.kubernetes.KSV021", - "Query": "data.builtin.kubernetes.KSV021.deny", - "Resolution": "Set 'containers[].securityContext.runAsGroup' to an integer \u003e 10000.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv021", - "References": [ - "https://kubesec.io/basics/containers-securitycontext-runasuser/", - "https://avd.aquasec.com/misconfig/ksv021" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 223, - "EndLine": 236, - "Code": { - "Lines": [ - { - "Number": 223, - 
"Content": " - name: envoy", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: envoy", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 224, - "Content": " image: \"quay.io/devtron/envoy:v1.14.1\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/envoy:v1.14.1\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 225, - "Content": " ports:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mports\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 226, - "Content": " - containerPort: 9901", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m9901", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 227, - "Content": " protocol: TCP", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mprotocol\u001b[0m: TCP", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 228, - "Content": " name: envoy-admin", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mname\u001b[0m: envoy-admin", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 229, - "Content": " - name: app", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: app", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 230, - "Content": " containerPort: 8790", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m8790", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 231, - "Content": " protocol: TCP", - "IsCause": true, - "Annotation": "", - "Truncated": false, - 
"Highlighted": "\u001b[0m \u001b[38;5;33mprotocol\u001b[0m: TCP", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 232, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV030", - "AVDID": "AVD-KSV-0030", - "Title": "Runtime/Default Seccomp profile not set", - "Description": "According to pod security standard 'Seccomp', the RuntimeDefault seccomp profile must be required, or allow specific additional profiles.", - "Message": "Either Pod or Container should set 'securityContext.seccompProfile.type' to 'RuntimeDefault'", - "Namespace": "builtin.kubernetes.KSV030", - "Query": "data.builtin.kubernetes.KSV030.deny", - "Resolution": "Set 'spec.securityContext.seccompProfile.type', 'spec.containers[*].securityContext.seccompProfile' and 'spec.initContainers[*].securityContext.seccompProfile' to 'RuntimeDefault' or undefined.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv030", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", - "https://avd.aquasec.com/misconfig/ksv030" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 237, - "EndLine": 264, - "Code": { - "Lines": [ - { - "Number": 237, - "Content": " - name: dashboard", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: dashboard", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 238, - "Content": " image: \"quay.io/devtron/dashboard:9429b066-325-21529\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/dashboard:9429b066-325-21529\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 239, - "Content": " imagePullPolicy: 
IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 240, - "Content": " securityContext:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33msecurityContext\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 241, - "Content": " allowPrivilegeEscalation: false", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mallowPrivilegeEscalation\u001b[0m: \u001b[38;5;166mfalse", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 242, - "Content": " runAsUser: 1000", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1000", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 243, - "Content": " runAsNonRoot: true", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 244, - "Content": " ports:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mports\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 245, - "Content": " - name: app", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: app", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 246, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV030", - "AVDID": "AVD-KSV-0030", - "Title": "Runtime/Default Seccomp profile not set", - "Description": "According to pod security 
standard 'Seccomp', the RuntimeDefault seccomp profile must be required, or allow specific additional profiles.", - "Message": "Either Pod or Container should set 'securityContext.seccompProfile.type' to 'RuntimeDefault'", - "Namespace": "builtin.kubernetes.KSV030", - "Query": "data.builtin.kubernetes.KSV030.deny", - "Resolution": "Set 'spec.securityContext.seccompProfile.type', 'spec.containers[*].securityContext.seccompProfile' and 'spec.initContainers[*].securityContext.seccompProfile' to 'RuntimeDefault' or undefined.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv030", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", - "https://avd.aquasec.com/misconfig/ksv030" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 223, - "EndLine": 236, - "Code": { - "Lines": [ - { - "Number": 223, - "Content": " - name: envoy", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: envoy", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 224, - "Content": " image: \"quay.io/devtron/envoy:v1.14.1\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/envoy:v1.14.1\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 225, - "Content": " ports:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mports\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 226, - "Content": " - containerPort: 9901", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m9901", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 227, - "Content": " protocol: TCP", - "IsCause": true, - "Annotation": 
"", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mprotocol\u001b[0m: TCP", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 228, - "Content": " name: envoy-admin", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mname\u001b[0m: envoy-admin", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 229, - "Content": " - name: app", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: app", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 230, - "Content": " containerPort: 8790", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m8790", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 231, - "Content": " protocol: TCP", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mprotocol\u001b[0m: TCP", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 232, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "AVD-KSV-01010", - "AVDID": "AVD-KSV-01010", - "Title": "ConfigMap with sensitive content", - "Description": "Storing sensitive content such as usernames and email addresses in configMaps is unsafe", - "Message": "ConfigMap 'dashboard-cm' in 'default' namespace stores sensitive contents in key(s) or value(s) '{\"SENTRY_ENV\"}'", - "Namespace": "builtin.kubernetes.KSV01010", - "Query": "data.builtin.kubernetes.KSV01010.deny", - "Resolution": "Remove sensitive content from configMap data value", - "Severity": "MEDIUM", - "PrimaryURL": "https://avd.aquasec.com/misconfig/avd-ksv-01010", - "References": [ - "https://avd.aquasec.com/misconfig/avd-ksv-01010" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": 
{ - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 10, - "EndLine": 10, - "Code": { - "Lines": [ - { - "Number": 10, - "Content": "---", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "---", - "FirstCause": true, - "LastCause": true - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV104", - "AVDID": "AVD-KSV-0104", - "Title": "Seccomp policies disabled", - "Description": "A program inside the container can bypass Seccomp protection policies.", - "Message": "container \"dashboard\" of deployment \"dashboard\" in \"default\" namespace should specify a seccomp profile", - "Namespace": "builtin.kubernetes.KSV104", - "Query": "data.builtin.kubernetes.KSV104.deny", - "Resolution": "Specify seccomp either by annotation or by seccomp profile type having allowed values as per pod security standards", - "Severity": "MEDIUM", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv104", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline", - "https://avd.aquasec.com/misconfig/ksv104" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 193, - "EndLine": 193, - "Code": { - "Lines": [ - { - "Number": 193, - "Content": "---", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "---", - "FirstCause": true, - "LastCause": true - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV104", - "AVDID": "AVD-KSV-0104", - "Title": "Seccomp policies disabled", - "Description": "A program inside the container can bypass Seccomp protection policies.", - "Message": "container \"envoy\" of deployment \"dashboard\" in \"default\" namespace should specify a seccomp profile", - "Namespace": "builtin.kubernetes.KSV104", - "Query": "data.builtin.kubernetes.KSV104.deny", - "Resolution": "Specify seccomp either by annotation or by seccomp profile type having 
allowed values as per pod security standards", - "Severity": "MEDIUM", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv104", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline", - "https://avd.aquasec.com/misconfig/ksv104" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 193, - "EndLine": 193, - "Code": { - "Lines": [ - { - "Number": 193, - "Content": "---", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "---", - "FirstCause": true, - "LastCause": true - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV106", - "AVDID": "AVD-KSV-0106", - "Title": "Container capabilities must only include NET_BIND_SERVICE", - "Description": "Containers must drop ALL capabilities, and are only permitted to add back the NET_BIND_SERVICE capability.", - "Message": "container should drop all", - "Namespace": "builtin.kubernetes.KSV106", - "Query": "data.builtin.kubernetes.KSV106.deny", - "Resolution": "Set 'spec.containers[*].securityContext.capabilities.drop' to 'ALL' and only add 'NET_BIND_SERVICE' to 'spec.containers[*].securityContext.capabilities.add'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv106", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", - "https://avd.aquasec.com/misconfig/ksv106" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 237, - "EndLine": 264, - "Code": { - "Lines": [ - { - "Number": 237, - "Content": " - name: dashboard", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: dashboard", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 238, - "Content": " image: \"quay.io/devtron/dashboard:9429b066-325-21529\"", - "IsCause": true, - 
"Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/dashboard:9429b066-325-21529\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 239, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 240, - "Content": " securityContext:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33msecurityContext\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 241, - "Content": " allowPrivilegeEscalation: false", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mallowPrivilegeEscalation\u001b[0m: \u001b[38;5;166mfalse", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 242, - "Content": " runAsUser: 1000", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1000", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 243, - "Content": " runAsNonRoot: true", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 244, - "Content": " ports:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mports\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 245, - "Content": " - name: app", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: app", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 246, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": 
true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV106", - "AVDID": "AVD-KSV-0106", - "Title": "Container capabilities must only include NET_BIND_SERVICE", - "Description": "Containers must drop ALL capabilities, and are only permitted to add back the NET_BIND_SERVICE capability.", - "Message": "container should drop all", - "Namespace": "builtin.kubernetes.KSV106", - "Query": "data.builtin.kubernetes.KSV106.deny", - "Resolution": "Set 'spec.containers[*].securityContext.capabilities.drop' to 'ALL' and only add 'NET_BIND_SERVICE' to 'spec.containers[*].securityContext.capabilities.add'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv106", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", - "https://avd.aquasec.com/misconfig/ksv106" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 223, - "EndLine": 236, - "Code": { - "Lines": [ - { - "Number": 223, - "Content": " - name: envoy", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: envoy", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 224, - "Content": " image: \"quay.io/devtron/envoy:v1.14.1\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/envoy:v1.14.1\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 225, - "Content": " ports:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mports\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 226, - "Content": " - containerPort: 9901", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mcontainerPort\u001b[0m: 
\u001b[38;5;37m9901", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 227, - "Content": " protocol: TCP", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mprotocol\u001b[0m: TCP", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 228, - "Content": " name: envoy-admin", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mname\u001b[0m: envoy-admin", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 229, - "Content": " - name: app", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: app", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 230, - "Content": " containerPort: 8790", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m8790", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 231, - "Content": " protocol: TCP", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mprotocol\u001b[0m: TCP", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 232, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - } - ] - }, - { - "Target": "manifests/yamls/devtron-housekeeping.yaml", - "Class": "config", - "Type": "kubernetes", - "MisconfSummary": { - "Successes": 153, - "Failures": 10, - "Exceptions": 0 - }, - "Misconfigurations": [ - { - "Type": "Kubernetes Security Check", - "ID": "KSV001", - "AVDID": "AVD-KSV-0001", - "Title": "Can elevate its own privileges", - "Description": "A program inside the container can elevate its own privileges and run as root, which might give the program control over the container and node.", - "Message": "Container 'devtron-housekeeping' of Job 'devtron-housekeeping' should set 
'securityContext.allowPrivilegeEscalation' to false", - "Namespace": "builtin.kubernetes.KSV001", - "Query": "data.builtin.kubernetes.KSV001.deny", - "Resolution": "Set 'set containers[].securityContext.allowPrivilegeEscalation' to 'false'.", - "Severity": "MEDIUM", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv001", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", - "https://avd.aquasec.com/misconfig/ksv001" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 132, - "EndLine": 151, - "Code": { - "Lines": [ - { - "Number": 132, - "Content": " - name: devtron-housekeeping", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: devtron-housekeeping", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 133, - "Content": " image: quay.io/devtron/kubectl:latest", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/kubectl:latest", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 134, - "Content": " command: ['sh', '-c', 'sh /apply-labels.sh; exit 0']", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mcommand\u001b[0m: [\u001b[38;5;37m'sh'\u001b[0m, \u001b[38;5;37m'-c'\u001b[0m, \u001b[38;5;37m'sh /apply-labels.sh; exit 0'\u001b[0m]", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 135, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 136, - "Content": " - name: RELEASE_NAME", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: RELEASE_NAME", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 137, 
- "Content": " valueFrom:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalueFrom\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 138, - "Content": " configMapKeyRef:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mconfigMapKeyRef\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 139, - "Content": " name: devtron-operator-cm", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mname\u001b[0m: devtron-operator-cm", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 140, - "Content": " key: DEVTRON_HELM_RELEASE_NAME", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mkey\u001b[0m: DEVTRON_HELM_RELEASE_NAME", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 141, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV003", - "AVDID": "AVD-KSV-0003", - "Title": "Default capabilities: some containers do not drop all", - "Description": "The container should drop all default capabilities and add only those that are needed for its execution.", - "Message": "Container 'devtron-housekeeping' of Job 'devtron-housekeeping' should add 'ALL' to 'securityContext.capabilities.drop'", - "Namespace": "builtin.kubernetes.KSV003", - "Query": "data.builtin.kubernetes.KSV003.deny", - "Resolution": "Add 'ALL' to containers[].securityContext.capabilities.drop.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv003", - "References": [ - "https://kubesec.io/basics/containers-securitycontext-capabilities-drop-index-all/", - "https://avd.aquasec.com/misconfig/ksv003" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - 
"Service": "general", - "StartLine": 132, - "EndLine": 151, - "Code": { - "Lines": [ - { - "Number": 132, - "Content": " - name: devtron-housekeeping", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: devtron-housekeeping", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 133, - "Content": " image: quay.io/devtron/kubectl:latest", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/kubectl:latest", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 134, - "Content": " command: ['sh', '-c', 'sh /apply-labels.sh; exit 0']", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mcommand\u001b[0m: [\u001b[38;5;37m'sh'\u001b[0m, \u001b[38;5;37m'-c'\u001b[0m, \u001b[38;5;37m'sh /apply-labels.sh; exit 0'\u001b[0m]", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 135, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 136, - "Content": " - name: RELEASE_NAME", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: RELEASE_NAME", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 137, - "Content": " valueFrom:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalueFrom\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 138, - "Content": " configMapKeyRef:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mconfigMapKeyRef\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 139, - "Content": " name: devtron-operator-cm", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " 
\u001b[38;5;33mname\u001b[0m: devtron-operator-cm", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 140, - "Content": " key: DEVTRON_HELM_RELEASE_NAME", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mkey\u001b[0m: DEVTRON_HELM_RELEASE_NAME", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 141, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV012", - "AVDID": "AVD-KSV-0012", - "Title": "Runs as root user", - "Description": "Force the running image to run as a non-root user to ensure least privileges.", - "Message": "Container 'devtron-housekeeping' of Job 'devtron-housekeeping' should set 'securityContext.runAsNonRoot' to true", - "Namespace": "builtin.kubernetes.KSV012", - "Query": "data.builtin.kubernetes.KSV012.deny", - "Resolution": "Set 'containers[].securityContext.runAsNonRoot' to true.", - "Severity": "MEDIUM", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv012", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", - "https://avd.aquasec.com/misconfig/ksv012" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 132, - "EndLine": 151, - "Code": { - "Lines": [ - { - "Number": 132, - "Content": " - name: devtron-housekeeping", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: devtron-housekeeping", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 133, - "Content": " image: quay.io/devtron/kubectl:latest", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/kubectl:latest", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 134, - "Content": " 
command: ['sh', '-c', 'sh /apply-labels.sh; exit 0']", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mcommand\u001b[0m: [\u001b[38;5;37m'sh'\u001b[0m, \u001b[38;5;37m'-c'\u001b[0m, \u001b[38;5;37m'sh /apply-labels.sh; exit 0'\u001b[0m]", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 135, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 136, - "Content": " - name: RELEASE_NAME", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: RELEASE_NAME", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 137, - "Content": " valueFrom:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalueFrom\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 138, - "Content": " configMapKeyRef:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mconfigMapKeyRef\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 139, - "Content": " name: devtron-operator-cm", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mname\u001b[0m: devtron-operator-cm", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 140, - "Content": " key: DEVTRON_HELM_RELEASE_NAME", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mkey\u001b[0m: DEVTRON_HELM_RELEASE_NAME", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 141, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV013", - "AVDID": "AVD-KSV-0013", - "Title": "Image tag \":latest\" 
used", - "Description": "It is best to avoid using the ':latest' image tag when deploying containers in production. Doing so makes it hard to track which version of the image is running, and hard to roll back the version.", - "Message": "Container 'devtron-housekeeping' of Job 'devtron-housekeeping' should specify an image tag", - "Namespace": "builtin.kubernetes.KSV013", - "Query": "data.builtin.kubernetes.KSV013.deny", - "Resolution": "Use a specific container image tag that is not 'latest'.", - "Severity": "MEDIUM", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv013", - "References": [ - "https://kubernetes.io/docs/concepts/configuration/overview/#container-images", - "https://avd.aquasec.com/misconfig/ksv013" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 132, - "EndLine": 151, - "Code": { - "Lines": [ - { - "Number": 132, - "Content": " - name: devtron-housekeeping", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: devtron-housekeeping", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 133, - "Content": " image: quay.io/devtron/kubectl:latest", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/kubectl:latest", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 134, - "Content": " command: ['sh', '-c', 'sh /apply-labels.sh; exit 0']", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mcommand\u001b[0m: [\u001b[38;5;37m'sh'\u001b[0m, \u001b[38;5;37m'-c'\u001b[0m, \u001b[38;5;37m'sh /apply-labels.sh; exit 0'\u001b[0m]", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 135, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, 
- { - "Number": 136, - "Content": " - name: RELEASE_NAME", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: RELEASE_NAME", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 137, - "Content": " valueFrom:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalueFrom\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 138, - "Content": " configMapKeyRef:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mconfigMapKeyRef\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 139, - "Content": " name: devtron-operator-cm", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mname\u001b[0m: devtron-operator-cm", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 140, - "Content": " key: DEVTRON_HELM_RELEASE_NAME", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mkey\u001b[0m: DEVTRON_HELM_RELEASE_NAME", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 141, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV014", - "AVDID": "AVD-KSV-0014", - "Title": "Root file system is not read-only", - "Description": "An immutable root file system prevents applications from writing to their local disk. 
This can limit intrusions, as attackers will not be able to tamper with the file system or write foreign executables to disk.", - "Message": "Container 'devtron-housekeeping' of Job 'devtron-housekeeping' should set 'securityContext.readOnlyRootFilesystem' to true", - "Namespace": "builtin.kubernetes.KSV014", - "Query": "data.builtin.kubernetes.KSV014.deny", - "Resolution": "Change 'containers[].securityContext.readOnlyRootFilesystem' to 'true'.", - "Severity": "HIGH", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv014", - "References": [ - "https://kubesec.io/basics/containers-securitycontext-readonlyrootfilesystem-true/", - "https://avd.aquasec.com/misconfig/ksv014" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 132, - "EndLine": 151, - "Code": { - "Lines": [ - { - "Number": 132, - "Content": " - name: devtron-housekeeping", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: devtron-housekeeping", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 133, - "Content": " image: quay.io/devtron/kubectl:latest", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/kubectl:latest", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 134, - "Content": " command: ['sh', '-c', 'sh /apply-labels.sh; exit 0']", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mcommand\u001b[0m: [\u001b[38;5;37m'sh'\u001b[0m, \u001b[38;5;37m'-c'\u001b[0m, \u001b[38;5;37m'sh /apply-labels.sh; exit 0'\u001b[0m]", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 135, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 136, - "Content": " - name: 
RELEASE_NAME", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: RELEASE_NAME", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 137, - "Content": " valueFrom:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalueFrom\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 138, - "Content": " configMapKeyRef:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mconfigMapKeyRef\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 139, - "Content": " name: devtron-operator-cm", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mname\u001b[0m: devtron-operator-cm", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 140, - "Content": " key: DEVTRON_HELM_RELEASE_NAME", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mkey\u001b[0m: DEVTRON_HELM_RELEASE_NAME", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 141, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV020", - "AVDID": "AVD-KSV-0020", - "Title": "Runs with UID \u003c= 10000", - "Description": "Force the container to run with user ID \u003e 10000 to avoid conflicts with the host’s user table.", - "Message": "Container 'devtron-housekeeping' of Job 'devtron-housekeeping' should set 'securityContext.runAsUser' \u003e 10000", - "Namespace": "builtin.kubernetes.KSV020", - "Query": "data.builtin.kubernetes.KSV020.deny", - "Resolution": "Set 'containers[].securityContext.runAsUser' to an integer \u003e 10000.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv020", - "References": [ - 
"https://kubesec.io/basics/containers-securitycontext-runasuser/", - "https://avd.aquasec.com/misconfig/ksv020" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 132, - "EndLine": 151, - "Code": { - "Lines": [ - { - "Number": 132, - "Content": " - name: devtron-housekeeping", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: devtron-housekeeping", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 133, - "Content": " image: quay.io/devtron/kubectl:latest", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/kubectl:latest", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 134, - "Content": " command: ['sh', '-c', 'sh /apply-labels.sh; exit 0']", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mcommand\u001b[0m: [\u001b[38;5;37m'sh'\u001b[0m, \u001b[38;5;37m'-c'\u001b[0m, \u001b[38;5;37m'sh /apply-labels.sh; exit 0'\u001b[0m]", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 135, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 136, - "Content": " - name: RELEASE_NAME", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: RELEASE_NAME", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 137, - "Content": " valueFrom:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalueFrom\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 138, - "Content": " configMapKeyRef:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " 
\u001b[38;5;33mconfigMapKeyRef\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 139, - "Content": " name: devtron-operator-cm", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mname\u001b[0m: devtron-operator-cm", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 140, - "Content": " key: DEVTRON_HELM_RELEASE_NAME", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mkey\u001b[0m: DEVTRON_HELM_RELEASE_NAME", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 141, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV021", - "AVDID": "AVD-KSV-0021", - "Title": "Runs with GID \u003c= 10000", - "Description": "Force the container to run with group ID \u003e 10000 to avoid conflicts with the host’s user table.", - "Message": "Container 'devtron-housekeeping' of Job 'devtron-housekeeping' should set 'securityContext.runAsGroup' \u003e 10000", - "Namespace": "builtin.kubernetes.KSV021", - "Query": "data.builtin.kubernetes.KSV021.deny", - "Resolution": "Set 'containers[].securityContext.runAsGroup' to an integer \u003e 10000.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv021", - "References": [ - "https://kubesec.io/basics/containers-securitycontext-runasuser/", - "https://avd.aquasec.com/misconfig/ksv021" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 132, - "EndLine": 151, - "Code": { - "Lines": [ - { - "Number": 132, - "Content": " - name: devtron-housekeeping", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: devtron-housekeeping", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 133, - "Content": " 
image: quay.io/devtron/kubectl:latest", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/kubectl:latest", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 134, - "Content": " command: ['sh', '-c', 'sh /apply-labels.sh; exit 0']", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mcommand\u001b[0m: [\u001b[38;5;37m'sh'\u001b[0m, \u001b[38;5;37m'-c'\u001b[0m, \u001b[38;5;37m'sh /apply-labels.sh; exit 0'\u001b[0m]", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 135, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 136, - "Content": " - name: RELEASE_NAME", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: RELEASE_NAME", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 137, - "Content": " valueFrom:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalueFrom\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 138, - "Content": " configMapKeyRef:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mconfigMapKeyRef\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 139, - "Content": " name: devtron-operator-cm", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mname\u001b[0m: devtron-operator-cm", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 140, - "Content": " key: DEVTRON_HELM_RELEASE_NAME", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mkey\u001b[0m: DEVTRON_HELM_RELEASE_NAME", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 
141, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV030", - "AVDID": "AVD-KSV-0030", - "Title": "Runtime/Default Seccomp profile not set", - "Description": "According to pod security standard 'Seccomp', the RuntimeDefault seccomp profile must be required, or allow specific additional profiles.", - "Message": "Either Pod or Container should set 'securityContext.seccompProfile.type' to 'RuntimeDefault'", - "Namespace": "builtin.kubernetes.KSV030", - "Query": "data.builtin.kubernetes.KSV030.deny", - "Resolution": "Set 'spec.securityContext.seccompProfile.type', 'spec.containers[*].securityContext.seccompProfile' and 'spec.initContainers[*].securityContext.seccompProfile' to 'RuntimeDefault' or undefined.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv030", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", - "https://avd.aquasec.com/misconfig/ksv030" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 132, - "EndLine": 151, - "Code": { - "Lines": [ - { - "Number": 132, - "Content": " - name: devtron-housekeeping", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: devtron-housekeeping", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 133, - "Content": " image: quay.io/devtron/kubectl:latest", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/kubectl:latest", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 134, - "Content": " command: ['sh', '-c', 'sh /apply-labels.sh; exit 0']", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mcommand\u001b[0m: 
[\u001b[38;5;37m'sh'\u001b[0m, \u001b[38;5;37m'-c'\u001b[0m, \u001b[38;5;37m'sh /apply-labels.sh; exit 0'\u001b[0m]", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 135, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 136, - "Content": " - name: RELEASE_NAME", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: RELEASE_NAME", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 137, - "Content": " valueFrom:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalueFrom\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 138, - "Content": " configMapKeyRef:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mconfigMapKeyRef\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 139, - "Content": " name: devtron-operator-cm", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mname\u001b[0m: devtron-operator-cm", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 140, - "Content": " key: DEVTRON_HELM_RELEASE_NAME", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mkey\u001b[0m: DEVTRON_HELM_RELEASE_NAME", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 141, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV104", - "AVDID": "AVD-KSV-0104", - "Title": "Seccomp policies disabled", - "Description": "A program inside the container can bypass Seccomp protection policies.", - "Message": "container \"devtron-housekeeping\" of job 
\"devtron-housekeeping\" in \"default\" namespace should specify a seccomp profile", - "Namespace": "builtin.kubernetes.KSV104", - "Query": "data.builtin.kubernetes.KSV104.deny", - "Resolution": "Specify seccomp either by annotation or by seccomp profile type having allowed values as per pod security standards", - "Severity": "MEDIUM", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv104", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline", - "https://avd.aquasec.com/misconfig/ksv104" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 122, - "EndLine": 122, - "Code": { - "Lines": [ - { - "Number": 122, - "Content": "---", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "---", - "FirstCause": true, - "LastCause": true - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV106", - "AVDID": "AVD-KSV-0106", - "Title": "Container capabilities must only include NET_BIND_SERVICE", - "Description": "Containers must drop ALL capabilities, and are only permitted to add back the NET_BIND_SERVICE capability.", - "Message": "container should drop all", - "Namespace": "builtin.kubernetes.KSV106", - "Query": "data.builtin.kubernetes.KSV106.deny", - "Resolution": "Set 'spec.containers[*].securityContext.capabilities.drop' to 'ALL' and only add 'NET_BIND_SERVICE' to 'spec.containers[*].securityContext.capabilities.add'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv106", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", - "https://avd.aquasec.com/misconfig/ksv106" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 132, - "EndLine": 151, - "Code": { - "Lines": [ - { - "Number": 132, - "Content": " - name: devtron-housekeeping", - "IsCause": true, 
- "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: devtron-housekeeping", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 133, - "Content": " image: quay.io/devtron/kubectl:latest", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/kubectl:latest", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 134, - "Content": " command: ['sh', '-c', 'sh /apply-labels.sh; exit 0']", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mcommand\u001b[0m: [\u001b[38;5;37m'sh'\u001b[0m, \u001b[38;5;37m'-c'\u001b[0m, \u001b[38;5;37m'sh /apply-labels.sh; exit 0'\u001b[0m]", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 135, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 136, - "Content": " - name: RELEASE_NAME", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: RELEASE_NAME", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 137, - "Content": " valueFrom:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalueFrom\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 138, - "Content": " configMapKeyRef:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mconfigMapKeyRef\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 139, - "Content": " name: devtron-operator-cm", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mname\u001b[0m: devtron-operator-cm", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 140, - "Content": " key: DEVTRON_HELM_RELEASE_NAME", - 
"IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mkey\u001b[0m: DEVTRON_HELM_RELEASE_NAME", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 141, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - } - ] - }, - { - "Target": "manifests/yamls/devtron-ingress-legacy.yaml", - "Class": "config", - "Type": "kubernetes", - "MisconfSummary": { - "Successes": 153, - "Failures": 0, - "Exceptions": 0 - } - }, - { - "Target": "manifests/yamls/devtron-ingress.yaml", - "Class": "config", - "Type": "kubernetes", - "MisconfSummary": { - "Successes": 153, - "Failures": 0, - "Exceptions": 0 - } - }, - { - "Target": "manifests/yamls/devtron.yaml", - "Class": "config", - "Type": "kubernetes", - "MisconfSummary": { - "Successes": 153, - "Failures": 13, - "Exceptions": 0 - }, - "Misconfigurations": [ - { - "Type": "Kubernetes Security Check", - "ID": "KSV003", - "AVDID": "AVD-KSV-0003", - "Title": "Default capabilities: some containers do not drop all", - "Description": "The container should drop all default capabilities and add only those that are needed for its execution.", - "Message": "Container 'devtron' of Deployment 'devtron' should add 'ALL' to 'securityContext.capabilities.drop'", - "Namespace": "builtin.kubernetes.KSV003", - "Query": "data.builtin.kubernetes.KSV003.deny", - "Resolution": "Add 'ALL' to containers[].securityContext.capabilities.drop.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv003", - "References": [ - "https://kubesec.io/basics/containers-securitycontext-capabilities-drop-index-all/", - "https://avd.aquasec.com/misconfig/ksv003" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 171, - "EndLine": 212, - "Code": { - "Lines": [ - { - "Number": 171, - "Content": " - name: devtron", - "IsCause": true, - 
"Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: devtron", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 172, - "Content": " image: \"quay.io/devtron/devtron:ca439071-434-21597\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/devtron:ca439071-434-21597\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 173, - "Content": " securityContext:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33msecurityContext\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 174, - "Content": " allowPrivilegeEscalation: false", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mallowPrivilegeEscalation\u001b[0m: \u001b[38;5;166mfalse", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 175, - "Content": " runAsUser: 1000", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1000", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 176, - "Content": " runAsNonRoot: true", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 177, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 178, - "Content": " lifecycle:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mlifecycle\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 179, - "Content": " 
preStop:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mpreStop\u001b[0m:", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 180, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV011", - "AVDID": "AVD-KSV-0011", - "Title": "CPU not limited", - "Description": "Enforcing CPU limits prevents DoS via resource exhaustion.", - "Message": "Container 'devtron' of Deployment 'devtron' should set 'resources.limits.cpu'", - "Namespace": "builtin.kubernetes.KSV011", - "Query": "data.builtin.kubernetes.KSV011.deny", - "Resolution": "Set a limit value under 'containers[].resources.limits.cpu'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv011", - "References": [ - "https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", - "https://avd.aquasec.com/misconfig/ksv011" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 171, - "EndLine": 212, - "Code": { - "Lines": [ - { - "Number": 171, - "Content": " - name: devtron", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: devtron", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 172, - "Content": " image: \"quay.io/devtron/devtron:ca439071-434-21597\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/devtron:ca439071-434-21597\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 173, - "Content": " securityContext:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33msecurityContext\u001b[0m:", - "FirstCause": false, - 
"LastCause": false - }, - { - "Number": 174, - "Content": " allowPrivilegeEscalation: false", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mallowPrivilegeEscalation\u001b[0m: \u001b[38;5;166mfalse", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 175, - "Content": " runAsUser: 1000", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1000", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 176, - "Content": " runAsNonRoot: true", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 177, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 178, - "Content": " lifecycle:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mlifecycle\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 179, - "Content": " preStop:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mpreStop\u001b[0m:", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 180, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV014", - "AVDID": "AVD-KSV-0014", - "Title": "Root file system is not read-only", - "Description": "An immutable root file system prevents applications from writing to their local disk. 
This can limit intrusions, as attackers will not be able to tamper with the file system or write foreign executables to disk.", - "Message": "Container 'devtron' of Deployment 'devtron' should set 'securityContext.readOnlyRootFilesystem' to true", - "Namespace": "builtin.kubernetes.KSV014", - "Query": "data.builtin.kubernetes.KSV014.deny", - "Resolution": "Change 'containers[].securityContext.readOnlyRootFilesystem' to 'true'.", - "Severity": "HIGH", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv014", - "References": [ - "https://kubesec.io/basics/containers-securitycontext-readonlyrootfilesystem-true/", - "https://avd.aquasec.com/misconfig/ksv014" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 171, - "EndLine": 212, - "Code": { - "Lines": [ - { - "Number": 171, - "Content": " - name: devtron", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: devtron", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 172, - "Content": " image: \"quay.io/devtron/devtron:ca439071-434-21597\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/devtron:ca439071-434-21597\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 173, - "Content": " securityContext:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33msecurityContext\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 174, - "Content": " allowPrivilegeEscalation: false", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mallowPrivilegeEscalation\u001b[0m: \u001b[38;5;166mfalse", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 175, - "Content": " runAsUser: 1000", - "IsCause": true, - "Annotation": "", - "Truncated": 
false, - "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1000", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 176, - "Content": " runAsNonRoot: true", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 177, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 178, - "Content": " lifecycle:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mlifecycle\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 179, - "Content": " preStop:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mpreStop\u001b[0m:", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 180, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV015", - "AVDID": "AVD-KSV-0015", - "Title": "CPU requests not specified", - "Description": "When containers have resource requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", - "Message": "Container 'devtron' of Deployment 'devtron' should set 'resources.requests.cpu'", - "Namespace": "builtin.kubernetes.KSV015", - "Query": "data.builtin.kubernetes.KSV015.deny", - "Resolution": "Set 'containers[].resources.requests.cpu'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv015", - "References": [ - 
"https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", - "https://avd.aquasec.com/misconfig/ksv015" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 171, - "EndLine": 212, - "Code": { - "Lines": [ - { - "Number": 171, - "Content": " - name: devtron", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: devtron", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 172, - "Content": " image: \"quay.io/devtron/devtron:ca439071-434-21597\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/devtron:ca439071-434-21597\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 173, - "Content": " securityContext:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33msecurityContext\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 174, - "Content": " allowPrivilegeEscalation: false", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mallowPrivilegeEscalation\u001b[0m: \u001b[38;5;166mfalse", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 175, - "Content": " runAsUser: 1000", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1000", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 176, - "Content": " runAsNonRoot: true", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 177, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": 
"", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 178, - "Content": " lifecycle:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mlifecycle\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 179, - "Content": " preStop:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mpreStop\u001b[0m:", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 180, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV016", - "AVDID": "AVD-KSV-0016", - "Title": "Memory requests not specified", - "Description": "When containers have memory requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", - "Message": "Container 'devtron' of Deployment 'devtron' should set 'resources.requests.memory'", - "Namespace": "builtin.kubernetes.KSV016", - "Query": "data.builtin.kubernetes.KSV016.deny", - "Resolution": "Set 'containers[].resources.requests.memory'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv016", - "References": [ - "https://kubesec.io/basics/containers-resources-limits-memory/", - "https://avd.aquasec.com/misconfig/ksv016" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 171, - "EndLine": 212, - "Code": { - "Lines": [ - { - "Number": 171, - "Content": " - name: devtron", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: devtron", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 172, - "Content": " image: 
\"quay.io/devtron/devtron:ca439071-434-21597\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/devtron:ca439071-434-21597\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 173, - "Content": " securityContext:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33msecurityContext\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 174, - "Content": " allowPrivilegeEscalation: false", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mallowPrivilegeEscalation\u001b[0m: \u001b[38;5;166mfalse", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 175, - "Content": " runAsUser: 1000", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1000", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 176, - "Content": " runAsNonRoot: true", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 177, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 178, - "Content": " lifecycle:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mlifecycle\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 179, - "Content": " preStop:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mpreStop\u001b[0m:", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 180, - 
"Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV018", - "AVDID": "AVD-KSV-0018", - "Title": "Memory not limited", - "Description": "Enforcing memory limits prevents DoS via resource exhaustion.", - "Message": "Container 'devtron' of Deployment 'devtron' should set 'resources.limits.memory'", - "Namespace": "builtin.kubernetes.KSV018", - "Query": "data.builtin.kubernetes.KSV018.deny", - "Resolution": "Set a limit value under 'containers[].resources.limits.memory'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv018", - "References": [ - "https://kubesec.io/basics/containers-resources-limits-memory/", - "https://avd.aquasec.com/misconfig/ksv018" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 171, - "EndLine": 212, - "Code": { - "Lines": [ - { - "Number": 171, - "Content": " - name: devtron", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: devtron", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 172, - "Content": " image: \"quay.io/devtron/devtron:ca439071-434-21597\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/devtron:ca439071-434-21597\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 173, - "Content": " securityContext:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33msecurityContext\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 174, - "Content": " allowPrivilegeEscalation: false", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mallowPrivilegeEscalation\u001b[0m: 
\u001b[38;5;166mfalse", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 175, - "Content": " runAsUser: 1000", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1000", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 176, - "Content": " runAsNonRoot: true", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 177, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 178, - "Content": " lifecycle:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mlifecycle\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 179, - "Content": " preStop:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mpreStop\u001b[0m:", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 180, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV020", - "AVDID": "AVD-KSV-0020", - "Title": "Runs with UID \u003c= 10000", - "Description": "Force the container to run with user ID \u003e 10000 to avoid conflicts with the host’s user table.", - "Message": "Container 'devtron' of Deployment 'devtron' should set 'securityContext.runAsUser' \u003e 10000", - "Namespace": "builtin.kubernetes.KSV020", - "Query": "data.builtin.kubernetes.KSV020.deny", - "Resolution": "Set 'containers[].securityContext.runAsUser' to an integer \u003e 10000.", - "Severity": "LOW", - 
"PrimaryURL": "https://avd.aquasec.com/misconfig/ksv020", - "References": [ - "https://kubesec.io/basics/containers-securitycontext-runasuser/", - "https://avd.aquasec.com/misconfig/ksv020" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 171, - "EndLine": 212, - "Code": { - "Lines": [ - { - "Number": 171, - "Content": " - name: devtron", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: devtron", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 172, - "Content": " image: \"quay.io/devtron/devtron:ca439071-434-21597\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/devtron:ca439071-434-21597\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 173, - "Content": " securityContext:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33msecurityContext\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 174, - "Content": " allowPrivilegeEscalation: false", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mallowPrivilegeEscalation\u001b[0m: \u001b[38;5;166mfalse", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 175, - "Content": " runAsUser: 1000", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1000", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 176, - "Content": " runAsNonRoot: true", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 177, - "Content": " imagePullPolicy: IfNotPresent", - 
"IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 178, - "Content": " lifecycle:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mlifecycle\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 179, - "Content": " preStop:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mpreStop\u001b[0m:", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 180, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV021", - "AVDID": "AVD-KSV-0021", - "Title": "Runs with GID \u003c= 10000", - "Description": "Force the container to run with group ID \u003e 10000 to avoid conflicts with the host’s user table.", - "Message": "Container 'devtron' of Deployment 'devtron' should set 'securityContext.runAsGroup' \u003e 10000", - "Namespace": "builtin.kubernetes.KSV021", - "Query": "data.builtin.kubernetes.KSV021.deny", - "Resolution": "Set 'containers[].securityContext.runAsGroup' to an integer \u003e 10000.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv021", - "References": [ - "https://kubesec.io/basics/containers-securitycontext-runasuser/", - "https://avd.aquasec.com/misconfig/ksv021" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 171, - "EndLine": 212, - "Code": { - "Lines": [ - { - "Number": 171, - "Content": " - name: devtron", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: devtron", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 172, - "Content": " image: 
\"quay.io/devtron/devtron:ca439071-434-21597\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/devtron:ca439071-434-21597\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 173, - "Content": " securityContext:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33msecurityContext\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 174, - "Content": " allowPrivilegeEscalation: false", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mallowPrivilegeEscalation\u001b[0m: \u001b[38;5;166mfalse", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 175, - "Content": " runAsUser: 1000", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1000", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 176, - "Content": " runAsNonRoot: true", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 177, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 178, - "Content": " lifecycle:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mlifecycle\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 179, - "Content": " preStop:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mpreStop\u001b[0m:", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 180, - 
"Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV030", - "AVDID": "AVD-KSV-0030", - "Title": "Runtime/Default Seccomp profile not set", - "Description": "According to pod security standard 'Seccomp', the RuntimeDefault seccomp profile must be required, or allow specific additional profiles.", - "Message": "Either Pod or Container should set 'securityContext.seccompProfile.type' to 'RuntimeDefault'", - "Namespace": "builtin.kubernetes.KSV030", - "Query": "data.builtin.kubernetes.KSV030.deny", - "Resolution": "Set 'spec.securityContext.seccompProfile.type', 'spec.containers[*].securityContext.seccompProfile' and 'spec.initContainers[*].securityContext.seccompProfile' to 'RuntimeDefault' or undefined.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv030", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", - "https://avd.aquasec.com/misconfig/ksv030" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 171, - "EndLine": 212, - "Code": { - "Lines": [ - { - "Number": 171, - "Content": " - name: devtron", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: devtron", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 172, - "Content": " image: \"quay.io/devtron/devtron:ca439071-434-21597\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/devtron:ca439071-434-21597\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 173, - "Content": " securityContext:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33msecurityContext\u001b[0m:", - 
"FirstCause": false, - "LastCause": false - }, - { - "Number": 174, - "Content": " allowPrivilegeEscalation: false", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mallowPrivilegeEscalation\u001b[0m: \u001b[38;5;166mfalse", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 175, - "Content": " runAsUser: 1000", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1000", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 176, - "Content": " runAsNonRoot: true", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 177, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 178, - "Content": " lifecycle:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mlifecycle\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 179, - "Content": " preStop:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mpreStop\u001b[0m:", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 180, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "AVD-KSV-01010", - "AVDID": "AVD-KSV-01010", - "Title": "ConfigMap with sensitive content", - "Description": "Storing sensitive content such as usernames and email addresses in configMaps is unsafe", - "Message": "ConfigMap 'devtron-cm' in 'default' namespace stores 
sensitive contents in key(s) or value(s) '{\"ACD_TIMEOUT\", \"ACD_USERNAME\", \"CACHE_LIMIT\", \"CD_NODE_TAINTS_KEY\", \"CExpirationTime\", \"CI_LOGS_KEY_PREFIX\", \"CI_NODE_TAINTS_KEY\", \"DEFAULT_ARTIFACT_KEY_LOCATION\", \"DEFAULT_BUILD_LOGS_KEY_PREFIX\", \"DEFAULT_CD_ARTIFACT_KEY_LOCATION\", \"DEFAULT_CD_TIMEOUT\", \"DEFAULT_TIMEOUT\", \"DEX_PORT\", \"ENFORCER_CACHE_EXPIRATION_IN_SEC\", \"GIT_SENSOR_PROTOCOL\", \"GIT_SENSOR_TIMEOUT\", \"JwtExpirationTime\", \"LENS_TIMEOUT\", \"MODE\", \"PG_PORT\"}'", - "Namespace": "builtin.kubernetes.KSV01010", - "Query": "data.builtin.kubernetes.KSV01010.deny", - "Resolution": "Remove sensitive content from configMap data value", - "Severity": "MEDIUM", - "PrimaryURL": "https://avd.aquasec.com/misconfig/avd-ksv-01010", - "References": [ - "https://avd.aquasec.com/misconfig/avd-ksv-01010" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 9, - "EndLine": 9, - "Code": { - "Lines": [ - { - "Number": 9, - "Content": "---", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "---", - "FirstCause": true, - "LastCause": true - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV104", - "AVDID": "AVD-KSV-0104", - "Title": "Seccomp policies disabled", - "Description": "A program inside the container can bypass Seccomp protection policies.", - "Message": "container \"devtron\" of deployment \"devtron\" in \"default\" namespace should specify a seccomp profile", - "Namespace": "builtin.kubernetes.KSV104", - "Query": "data.builtin.kubernetes.KSV104.deny", - "Resolution": "Specify seccomp either by annotation or by seccomp profile type having allowed values as per pod security standards", - "Severity": "MEDIUM", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv104", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline", - "https://avd.aquasec.com/misconfig/ksv104" - 
], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 140, - "EndLine": 140, - "Code": { - "Lines": [ - { - "Number": 140, - "Content": "---", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "---", - "FirstCause": true, - "LastCause": true - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV106", - "AVDID": "AVD-KSV-0106", - "Title": "Container capabilities must only include NET_BIND_SERVICE", - "Description": "Containers must drop ALL capabilities, and are only permitted to add back the NET_BIND_SERVICE capability.", - "Message": "container should drop all", - "Namespace": "builtin.kubernetes.KSV106", - "Query": "data.builtin.kubernetes.KSV106.deny", - "Resolution": "Set 'spec.containers[*].securityContext.capabilities.drop' to 'ALL' and only add 'NET_BIND_SERVICE' to 'spec.containers[*].securityContext.capabilities.add'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv106", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", - "https://avd.aquasec.com/misconfig/ksv106" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 171, - "EndLine": 212, - "Code": { - "Lines": [ - { - "Number": 171, - "Content": " - name: devtron", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: devtron", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 172, - "Content": " image: \"quay.io/devtron/devtron:ca439071-434-21597\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/devtron:ca439071-434-21597\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 173, - "Content": " securityContext:", - "IsCause": true, - "Annotation": 
"", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33msecurityContext\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 174, - "Content": " allowPrivilegeEscalation: false", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mallowPrivilegeEscalation\u001b[0m: \u001b[38;5;166mfalse", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 175, - "Content": " runAsUser: 1000", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1000", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 176, - "Content": " runAsNonRoot: true", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 177, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 178, - "Content": " lifecycle:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mlifecycle\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 179, - "Content": " preStop:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mpreStop\u001b[0m:", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 180, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "AVD-KSV-0109", - "AVDID": "AVD-KSV-0109", - "Title": "ConfigMap with secrets", - "Description": "Storing secrets in configMaps is unsafe", - "Message": "ConfigMap 
'devtron-cm' in 'default' namespace stores secrets in key(s) or value(s) '{\"DEVTRON_SECRET_NAME\"}'", - "Namespace": "builtin.kubernetes.KSV0109", - "Query": "data.builtin.kubernetes.KSV0109.deny", - "Resolution": "Remove password/secret from configMap data value", - "Severity": "HIGH", - "PrimaryURL": "https://avd.aquasec.com/misconfig/avd-ksv-0109", - "References": [ - "https://avd.aquasec.com/misconfig/avd-ksv-0109" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 9, - "EndLine": 9, - "Code": { - "Lines": [ - { - "Number": 9, - "Content": "---", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "---", - "FirstCause": true, - "LastCause": true - } - ] - } - } - } - ] - }, - { - "Target": "manifests/yamls/external-secret.yaml", - "Class": "config", - "Type": "kubernetes", - "MisconfSummary": { - "Successes": 153, - "Failures": 13, - "Exceptions": 0 - }, - "Misconfigurations": [ - { - "Type": "Kubernetes Security Check", - "ID": "KSV001", - "AVDID": "AVD-KSV-0001", - "Title": "Can elevate its own privileges", - "Description": "A program inside the container can elevate its own privileges and run as root, which might give the program control over the container and node.", - "Message": "Container 'kubernetes-external-secrets' of Deployment 'devtron-kubernetes-external-secrets' should set 'securityContext.allowPrivilegeEscalation' to false", - "Namespace": "builtin.kubernetes.KSV001", - "Query": "data.builtin.kubernetes.KSV001.deny", - "Resolution": "Set 'set containers[].securityContext.allowPrivilegeEscalation' to 'false'.", - "Severity": "MEDIUM", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv001", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", - "https://avd.aquasec.com/misconfig/ksv001" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": 
"general", - "StartLine": 371, - "EndLine": 399, - "Code": { - "Lines": [ - { - "Number": 371, - "Content": " - name: kubernetes-external-secrets", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: kubernetes-external-secrets", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 372, - "Content": " image: \"ghcr.io/external-secrets/kubernetes-external-secrets:8.5.1\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"ghcr.io/external-secrets/kubernetes-external-secrets:8.5.1\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 373, - "Content": " ports:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mports\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 374, - "Content": " - name: prometheus", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: prometheus", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 375, - "Content": " containerPort: 3001", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m3001", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 376, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 377, - "Content": " resources:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mresources\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 378, - "Content": " {}", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " {}", - "FirstCause": 
false, - "LastCause": false - }, - { - "Number": 379, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 380, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV003", - "AVDID": "AVD-KSV-0003", - "Title": "Default capabilities: some containers do not drop all", - "Description": "The container should drop all default capabilities and add only those that are needed for its execution.", - "Message": "Container 'kubernetes-external-secrets' of Deployment 'devtron-kubernetes-external-secrets' should add 'ALL' to 'securityContext.capabilities.drop'", - "Namespace": "builtin.kubernetes.KSV003", - "Query": "data.builtin.kubernetes.KSV003.deny", - "Resolution": "Add 'ALL' to containers[].securityContext.capabilities.drop.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv003", - "References": [ - "https://kubesec.io/basics/containers-securitycontext-capabilities-drop-index-all/", - "https://avd.aquasec.com/misconfig/ksv003" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 371, - "EndLine": 399, - "Code": { - "Lines": [ - { - "Number": 371, - "Content": " - name: kubernetes-external-secrets", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: kubernetes-external-secrets", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 372, - "Content": " image: \"ghcr.io/external-secrets/kubernetes-external-secrets:8.5.1\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"ghcr.io/external-secrets/kubernetes-external-secrets:8.5.1\"", - 
"FirstCause": false, - "LastCause": false - }, - { - "Number": 373, - "Content": " ports:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mports\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 374, - "Content": " - name: prometheus", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: prometheus", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 375, - "Content": " containerPort: 3001", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m3001", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 376, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 377, - "Content": " resources:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mresources\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 378, - "Content": " {}", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " {}", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 379, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 380, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV011", - "AVDID": "AVD-KSV-0011", - "Title": "CPU not limited", - "Description": "Enforcing CPU limits prevents DoS via resource exhaustion.", - "Message": "Container 
'kubernetes-external-secrets' of Deployment 'devtron-kubernetes-external-secrets' should set 'resources.limits.cpu'", - "Namespace": "builtin.kubernetes.KSV011", - "Query": "data.builtin.kubernetes.KSV011.deny", - "Resolution": "Set a limit value under 'containers[].resources.limits.cpu'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv011", - "References": [ - "https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", - "https://avd.aquasec.com/misconfig/ksv011" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 371, - "EndLine": 399, - "Code": { - "Lines": [ - { - "Number": 371, - "Content": " - name: kubernetes-external-secrets", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: kubernetes-external-secrets", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 372, - "Content": " image: \"ghcr.io/external-secrets/kubernetes-external-secrets:8.5.1\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"ghcr.io/external-secrets/kubernetes-external-secrets:8.5.1\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 373, - "Content": " ports:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mports\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 374, - "Content": " - name: prometheus", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: prometheus", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 375, - "Content": " containerPort: 3001", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m3001", - 
"FirstCause": false, - "LastCause": false - }, - { - "Number": 376, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 377, - "Content": " resources:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mresources\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 378, - "Content": " {}", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " {}", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 379, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 380, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV014", - "AVDID": "AVD-KSV-0014", - "Title": "Root file system is not read-only", - "Description": "An immutable root file system prevents applications from writing to their local disk. 
This can limit intrusions, as attackers will not be able to tamper with the file system or write foreign executables to disk.", - "Message": "Container 'kubernetes-external-secrets' of Deployment 'devtron-kubernetes-external-secrets' should set 'securityContext.readOnlyRootFilesystem' to true", - "Namespace": "builtin.kubernetes.KSV014", - "Query": "data.builtin.kubernetes.KSV014.deny", - "Resolution": "Change 'containers[].securityContext.readOnlyRootFilesystem' to 'true'.", - "Severity": "HIGH", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv014", - "References": [ - "https://kubesec.io/basics/containers-securitycontext-readonlyrootfilesystem-true/", - "https://avd.aquasec.com/misconfig/ksv014" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 371, - "EndLine": 399, - "Code": { - "Lines": [ - { - "Number": 371, - "Content": " - name: kubernetes-external-secrets", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: kubernetes-external-secrets", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 372, - "Content": " image: \"ghcr.io/external-secrets/kubernetes-external-secrets:8.5.1\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"ghcr.io/external-secrets/kubernetes-external-secrets:8.5.1\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 373, - "Content": " ports:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mports\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 374, - "Content": " - name: prometheus", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: prometheus", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 375, - "Content": " containerPort: 
3001", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m3001", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 376, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 377, - "Content": " resources:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mresources\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 378, - "Content": " {}", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " {}", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 379, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 380, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV015", - "AVDID": "AVD-KSV-0015", - "Title": "CPU requests not specified", - "Description": "When containers have resource requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", - "Message": "Container 'kubernetes-external-secrets' of Deployment 'devtron-kubernetes-external-secrets' should set 'resources.requests.cpu'", - "Namespace": "builtin.kubernetes.KSV015", - "Query": "data.builtin.kubernetes.KSV015.deny", - "Resolution": "Set 'containers[].resources.requests.cpu'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv015", - "References": [ - 
"https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", - "https://avd.aquasec.com/misconfig/ksv015" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 371, - "EndLine": 399, - "Code": { - "Lines": [ - { - "Number": 371, - "Content": " - name: kubernetes-external-secrets", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: kubernetes-external-secrets", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 372, - "Content": " image: \"ghcr.io/external-secrets/kubernetes-external-secrets:8.5.1\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"ghcr.io/external-secrets/kubernetes-external-secrets:8.5.1\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 373, - "Content": " ports:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mports\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 374, - "Content": " - name: prometheus", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: prometheus", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 375, - "Content": " containerPort: 3001", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m3001", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 376, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 377, - "Content": " resources:", - "IsCause": true, - "Annotation": "", - 
"Truncated": false, - "Highlighted": " \u001b[38;5;33mresources\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 378, - "Content": " {}", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " {}", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 379, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 380, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV016", - "AVDID": "AVD-KSV-0016", - "Title": "Memory requests not specified", - "Description": "When containers have memory requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", - "Message": "Container 'kubernetes-external-secrets' of Deployment 'devtron-kubernetes-external-secrets' should set 'resources.requests.memory'", - "Namespace": "builtin.kubernetes.KSV016", - "Query": "data.builtin.kubernetes.KSV016.deny", - "Resolution": "Set 'containers[].resources.requests.memory'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv016", - "References": [ - "https://kubesec.io/basics/containers-resources-limits-memory/", - "https://avd.aquasec.com/misconfig/ksv016" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 371, - "EndLine": 399, - "Code": { - "Lines": [ - { - "Number": 371, - "Content": " - name: kubernetes-external-secrets", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: kubernetes-external-secrets", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 372, - "Content": " image: 
\"ghcr.io/external-secrets/kubernetes-external-secrets:8.5.1\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"ghcr.io/external-secrets/kubernetes-external-secrets:8.5.1\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 373, - "Content": " ports:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mports\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 374, - "Content": " - name: prometheus", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: prometheus", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 375, - "Content": " containerPort: 3001", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m3001", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 376, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 377, - "Content": " resources:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mresources\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 378, - "Content": " {}", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " {}", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 379, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 380, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - 
} - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV018", - "AVDID": "AVD-KSV-0018", - "Title": "Memory not limited", - "Description": "Enforcing memory limits prevents DoS via resource exhaustion.", - "Message": "Container 'kubernetes-external-secrets' of Deployment 'devtron-kubernetes-external-secrets' should set 'resources.limits.memory'", - "Namespace": "builtin.kubernetes.KSV018", - "Query": "data.builtin.kubernetes.KSV018.deny", - "Resolution": "Set a limit value under 'containers[].resources.limits.memory'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv018", - "References": [ - "https://kubesec.io/basics/containers-resources-limits-memory/", - "https://avd.aquasec.com/misconfig/ksv018" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 371, - "EndLine": 399, - "Code": { - "Lines": [ - { - "Number": 371, - "Content": " - name: kubernetes-external-secrets", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: kubernetes-external-secrets", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 372, - "Content": " image: \"ghcr.io/external-secrets/kubernetes-external-secrets:8.5.1\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"ghcr.io/external-secrets/kubernetes-external-secrets:8.5.1\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 373, - "Content": " ports:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mports\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 374, - "Content": " - name: prometheus", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: prometheus", - "FirstCause": false, - "LastCause": false - }, - { - 
"Number": 375, - "Content": " containerPort: 3001", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m3001", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 376, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 377, - "Content": " resources:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mresources\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 378, - "Content": " {}", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " {}", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 379, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 380, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV020", - "AVDID": "AVD-KSV-0020", - "Title": "Runs with UID \u003c= 10000", - "Description": "Force the container to run with user ID \u003e 10000 to avoid conflicts with the host’s user table.", - "Message": "Container 'kubernetes-external-secrets' of Deployment 'devtron-kubernetes-external-secrets' should set 'securityContext.runAsUser' \u003e 10000", - "Namespace": "builtin.kubernetes.KSV020", - "Query": "data.builtin.kubernetes.KSV020.deny", - "Resolution": "Set 'containers[].securityContext.runAsUser' to an integer \u003e 10000.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv020", - "References": [ - 
"https://kubesec.io/basics/containers-securitycontext-runasuser/", - "https://avd.aquasec.com/misconfig/ksv020" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 371, - "EndLine": 399, - "Code": { - "Lines": [ - { - "Number": 371, - "Content": " - name: kubernetes-external-secrets", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: kubernetes-external-secrets", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 372, - "Content": " image: \"ghcr.io/external-secrets/kubernetes-external-secrets:8.5.1\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"ghcr.io/external-secrets/kubernetes-external-secrets:8.5.1\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 373, - "Content": " ports:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mports\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 374, - "Content": " - name: prometheus", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: prometheus", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 375, - "Content": " containerPort: 3001", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m3001", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 376, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 377, - "Content": " resources:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " 
\u001b[38;5;33mresources\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 378, - "Content": " {}", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " {}", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 379, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 380, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV021", - "AVDID": "AVD-KSV-0021", - "Title": "Runs with GID \u003c= 10000", - "Description": "Force the container to run with group ID \u003e 10000 to avoid conflicts with the host’s user table.", - "Message": "Container 'kubernetes-external-secrets' of Deployment 'devtron-kubernetes-external-secrets' should set 'securityContext.runAsGroup' \u003e 10000", - "Namespace": "builtin.kubernetes.KSV021", - "Query": "data.builtin.kubernetes.KSV021.deny", - "Resolution": "Set 'containers[].securityContext.runAsGroup' to an integer \u003e 10000.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv021", - "References": [ - "https://kubesec.io/basics/containers-securitycontext-runasuser/", - "https://avd.aquasec.com/misconfig/ksv021" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 371, - "EndLine": 399, - "Code": { - "Lines": [ - { - "Number": 371, - "Content": " - name: kubernetes-external-secrets", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: kubernetes-external-secrets", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 372, - "Content": " image: \"ghcr.io/external-secrets/kubernetes-external-secrets:8.5.1\"", - "IsCause": 
true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"ghcr.io/external-secrets/kubernetes-external-secrets:8.5.1\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 373, - "Content": " ports:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mports\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 374, - "Content": " - name: prometheus", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: prometheus", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 375, - "Content": " containerPort: 3001", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m3001", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 376, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 377, - "Content": " resources:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mresources\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 378, - "Content": " {}", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " {}", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 379, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 380, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": 
"KSV030", - "AVDID": "AVD-KSV-0030", - "Title": "Runtime/Default Seccomp profile not set", - "Description": "According to pod security standard 'Seccomp', the RuntimeDefault seccomp profile must be required, or allow specific additional profiles.", - "Message": "Either Pod or Container should set 'securityContext.seccompProfile.type' to 'RuntimeDefault'", - "Namespace": "builtin.kubernetes.KSV030", - "Query": "data.builtin.kubernetes.KSV030.deny", - "Resolution": "Set 'spec.securityContext.seccompProfile.type', 'spec.containers[*].securityContext.seccompProfile' and 'spec.initContainers[*].securityContext.seccompProfile' to 'RuntimeDefault' or undefined.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv030", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", - "https://avd.aquasec.com/misconfig/ksv030" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 371, - "EndLine": 399, - "Code": { - "Lines": [ - { - "Number": 371, - "Content": " - name: kubernetes-external-secrets", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: kubernetes-external-secrets", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 372, - "Content": " image: \"ghcr.io/external-secrets/kubernetes-external-secrets:8.5.1\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"ghcr.io/external-secrets/kubernetes-external-secrets:8.5.1\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 373, - "Content": " ports:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mports\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 374, - "Content": " - name: prometheus", - "IsCause": true, - "Annotation": "", - 
"Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: prometheus", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 375, - "Content": " containerPort: 3001", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m3001", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 376, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 377, - "Content": " resources:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mresources\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 378, - "Content": " {}", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " {}", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 379, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 380, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV041", - "AVDID": "AVD-KSV-0041", - "Title": "Manage secrets", - "Description": "Viewing secrets at the cluster-scope is akin to cluster-admin in most clusters as there are typically at least one service accounts (their token stored in a secret) bound to cluster-admin directly or a role/clusterrole that gives similar permissions.", - "Message": "ClusterRole 'devtron-kubernetes-external-secrets' shouldn't have access to manage resource 'secrets'", - "Namespace": "builtin.kubernetes.KSV041", - "Query": "data.builtin.kubernetes.KSV041.deny", - 
"Resolution": "Manage secrets are not allowed. Remove resource 'secrets' from cluster role", - "Severity": "CRITICAL", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv041", - "References": [ - "https://kubernetes.io/docs/concepts/security/rbac-good-practices/", - "https://avd.aquasec.com/misconfig/ksv041" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 275, - "EndLine": 277, - "Code": { - "Lines": [ - { - "Number": 275, - "Content": " - apiGroups: [\"\"]", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mapiGroups\u001b[0m: [\u001b[38;5;37m\"\"\u001b[0m]", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 276, - "Content": " resources: [\"secrets\"]", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mresources\u001b[0m: [\u001b[38;5;37m\"secrets\"\u001b[0m]", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 277, - "Content": " verbs: [\"create\", \"update\", \"get\"]", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mverbs\u001b[0m: [\u001b[38;5;37m\"create\"\u001b[0m, \u001b[38;5;37m\"update\"\u001b[0m, \u001b[38;5;37m\"get\"\u001b[0m]", - "FirstCause": false, - "LastCause": true - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV104", - "AVDID": "AVD-KSV-0104", - "Title": "Seccomp policies disabled", - "Description": "A program inside the container can bypass Seccomp protection policies.", - "Message": "container \"kubernetes-external-secrets\" of deployment \"devtron-kubernetes-external-secrets\" in \"devtroncd\" namespace should specify a seccomp profile", - "Namespace": "builtin.kubernetes.KSV104", - "Query": "data.builtin.kubernetes.KSV104.deny", - "Resolution": "Specify seccomp either by annotation or by seccomp profile type having allowed values as per pod security standards", - 
"Severity": "MEDIUM", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv104", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline", - "https://avd.aquasec.com/misconfig/ksv104" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 346, - "EndLine": 346, - "Code": { - "Lines": [ - { - "Number": 346, - "Content": "---", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "---", - "FirstCause": true, - "LastCause": true - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV106", - "AVDID": "AVD-KSV-0106", - "Title": "Container capabilities must only include NET_BIND_SERVICE", - "Description": "Containers must drop ALL capabilities, and are only permitted to add back the NET_BIND_SERVICE capability.", - "Message": "container should drop all", - "Namespace": "builtin.kubernetes.KSV106", - "Query": "data.builtin.kubernetes.KSV106.deny", - "Resolution": "Set 'spec.containers[*].securityContext.capabilities.drop' to 'ALL' and only add 'NET_BIND_SERVICE' to 'spec.containers[*].securityContext.capabilities.add'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv106", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", - "https://avd.aquasec.com/misconfig/ksv106" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 371, - "EndLine": 399, - "Code": { - "Lines": [ - { - "Number": 371, - "Content": " - name: kubernetes-external-secrets", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: kubernetes-external-secrets", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 372, - "Content": " image: \"ghcr.io/external-secrets/kubernetes-external-secrets:8.5.1\"", - "IsCause": true, - 
"Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"ghcr.io/external-secrets/kubernetes-external-secrets:8.5.1\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 373, - "Content": " ports:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mports\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 374, - "Content": " - name: prometheus", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: prometheus", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 375, - "Content": " containerPort: 3001", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m3001", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 376, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 377, - "Content": " resources:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mresources\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 378, - "Content": " {}", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " {}", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 379, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 380, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - } - ] - }, - { - "Target": "manifests/yamls/gitsensor.yaml", - 
"Class": "config", - "Type": "kubernetes", - "MisconfSummary": { - "Successes": 153, - "Failures": 25, - "Exceptions": 0 - }, - "Misconfigurations": [ - { - "Type": "Kubernetes Security Check", - "ID": "KSV001", - "AVDID": "AVD-KSV-0001", - "Title": "Can elevate its own privileges", - "Description": "A program inside the container can elevate its own privileges and run as root, which might give the program control over the container and node.", - "Message": "Container 'chown-git-base' of StatefulSet 'git-sensor' should set 'securityContext.allowPrivilegeEscalation' to false", - "Namespace": "builtin.kubernetes.KSV001", - "Query": "data.builtin.kubernetes.KSV001.deny", - "Resolution": "Set 'set containers[].securityContext.allowPrivilegeEscalation' to 'false'.", - "Severity": "MEDIUM", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv001", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", - "https://avd.aquasec.com/misconfig/ksv001" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 66, - "EndLine": 80, - "Code": { - "Lines": [ - { - "Number": 66, - "Content": " - command:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mcommand\u001b[0m:", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 67, - "Content": " - /bin/sh", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - /bin/sh", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 68, - "Content": " - -c", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - -c", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 69, - "Content": " - mkdir -p /git-base/ssh-keys \u0026\u0026 chown -R devtron:devtron /git-base \u0026\u0026 chmod 777 /git-base/ssh-keys", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - 
mkdir -p /git-base/ssh-keys \u0026\u0026 chown -R devtron:devtron /git-base \u0026\u0026 chmod 777 /git-base/ssh-keys", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 70, - "Content": " image: \"quay.io/devtron/git-sensor:4bacf5f7-200-21575\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/git-sensor:4bacf5f7-200-21575\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 71, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 72, - "Content": " name: chown-git-base", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mname\u001b[0m: chown-git-base", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 73, - "Content": " resources: {}", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mresources\u001b[0m: {}", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 74, - "Content": " securityContext:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33msecurityContext\u001b[0m:", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 75, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV003", - "AVDID": "AVD-KSV-0003", - "Title": "Default capabilities: some containers do not drop all", - "Description": "The container should drop all default capabilities and add only those that are needed for its execution.", - "Message": "Container 'chown-git-base' of StatefulSet 'git-sensor' should add 'ALL' to 
'securityContext.capabilities.drop'", - "Namespace": "builtin.kubernetes.KSV003", - "Query": "data.builtin.kubernetes.KSV003.deny", - "Resolution": "Add 'ALL' to containers[].securityContext.capabilities.drop.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv003", - "References": [ - "https://kubesec.io/basics/containers-securitycontext-capabilities-drop-index-all/", - "https://avd.aquasec.com/misconfig/ksv003" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 66, - "EndLine": 80, - "Code": { - "Lines": [ - { - "Number": 66, - "Content": " - command:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mcommand\u001b[0m:", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 67, - "Content": " - /bin/sh", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - /bin/sh", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 68, - "Content": " - -c", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - -c", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 69, - "Content": " - mkdir -p /git-base/ssh-keys \u0026\u0026 chown -R devtron:devtron /git-base \u0026\u0026 chmod 777 /git-base/ssh-keys", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - mkdir -p /git-base/ssh-keys \u0026\u0026 chown -R devtron:devtron /git-base \u0026\u0026 chmod 777 /git-base/ssh-keys", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 70, - "Content": " image: \"quay.io/devtron/git-sensor:4bacf5f7-200-21575\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/git-sensor:4bacf5f7-200-21575\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 71, - "Content": " imagePullPolicy: IfNotPresent", - 
"IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 72, - "Content": " name: chown-git-base", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mname\u001b[0m: chown-git-base", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 73, - "Content": " resources: {}", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mresources\u001b[0m: {}", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 74, - "Content": " securityContext:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33msecurityContext\u001b[0m:", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 75, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV003", - "AVDID": "AVD-KSV-0003", - "Title": "Default capabilities: some containers do not drop all", - "Description": "The container should drop all default capabilities and add only those that are needed for its execution.", - "Message": "Container 'git-sensor' of StatefulSet 'git-sensor' should add 'ALL' to 'securityContext.capabilities.drop'", - "Namespace": "builtin.kubernetes.KSV003", - "Query": "data.builtin.kubernetes.KSV003.deny", - "Resolution": "Add 'ALL' to containers[].securityContext.capabilities.drop.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv003", - "References": [ - "https://kubesec.io/basics/containers-securitycontext-capabilities-drop-index-all/", - "https://avd.aquasec.com/misconfig/ksv003" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 82, - "EndLine": 100, - 
"Code": { - "Lines": [ - { - "Number": 82, - "Content": " - name: git-sensor", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: git-sensor", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 83, - "Content": " image: \"quay.io/devtron/git-sensor:4bacf5f7-200-21575\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/git-sensor:4bacf5f7-200-21575\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 84, - "Content": " securityContext:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33msecurityContext\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 85, - "Content": " allowPrivilegeEscalation: false", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mallowPrivilegeEscalation\u001b[0m: \u001b[38;5;166mfalse", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 86, - "Content": " runAsUser: 1000", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1000", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 87, - "Content": " runAsNonRoot: true", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 88, - "Content": " ports:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mports\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 89, - "Content": " - containerPort: 8080", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m8080", 
- "FirstCause": false, - "LastCause": false - }, - { - "Number": 90, - "Content": " name: sensor", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mname\u001b[0m: sensor", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 91, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV011", - "AVDID": "AVD-KSV-0011", - "Title": "CPU not limited", - "Description": "Enforcing CPU limits prevents DoS via resource exhaustion.", - "Message": "Container 'chown-git-base' of StatefulSet 'git-sensor' should set 'resources.limits.cpu'", - "Namespace": "builtin.kubernetes.KSV011", - "Query": "data.builtin.kubernetes.KSV011.deny", - "Resolution": "Set a limit value under 'containers[].resources.limits.cpu'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv011", - "References": [ - "https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", - "https://avd.aquasec.com/misconfig/ksv011" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 66, - "EndLine": 80, - "Code": { - "Lines": [ - { - "Number": 66, - "Content": " - command:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mcommand\u001b[0m:", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 67, - "Content": " - /bin/sh", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - /bin/sh", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 68, - "Content": " - -c", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - -c", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 69, - "Content": " - mkdir -p /git-base/ssh-keys 
\u0026\u0026 chown -R devtron:devtron /git-base \u0026\u0026 chmod 777 /git-base/ssh-keys", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - mkdir -p /git-base/ssh-keys \u0026\u0026 chown -R devtron:devtron /git-base \u0026\u0026 chmod 777 /git-base/ssh-keys", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 70, - "Content": " image: \"quay.io/devtron/git-sensor:4bacf5f7-200-21575\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/git-sensor:4bacf5f7-200-21575\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 71, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 72, - "Content": " name: chown-git-base", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mname\u001b[0m: chown-git-base", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 73, - "Content": " resources: {}", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mresources\u001b[0m: {}", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 74, - "Content": " securityContext:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33msecurityContext\u001b[0m:", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 75, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV011", - "AVDID": "AVD-KSV-0011", - "Title": "CPU not limited", - "Description": "Enforcing CPU limits prevents DoS via resource exhaustion.", - "Message": "Container 
'git-sensor' of StatefulSet 'git-sensor' should set 'resources.limits.cpu'", - "Namespace": "builtin.kubernetes.KSV011", - "Query": "data.builtin.kubernetes.KSV011.deny", - "Resolution": "Set a limit value under 'containers[].resources.limits.cpu'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv011", - "References": [ - "https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", - "https://avd.aquasec.com/misconfig/ksv011" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 82, - "EndLine": 100, - "Code": { - "Lines": [ - { - "Number": 82, - "Content": " - name: git-sensor", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: git-sensor", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 83, - "Content": " image: \"quay.io/devtron/git-sensor:4bacf5f7-200-21575\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/git-sensor:4bacf5f7-200-21575\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 84, - "Content": " securityContext:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33msecurityContext\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 85, - "Content": " allowPrivilegeEscalation: false", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mallowPrivilegeEscalation\u001b[0m: \u001b[38;5;166mfalse", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 86, - "Content": " runAsUser: 1000", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1000", - "FirstCause": false, - "LastCause": false - }, - { 
- "Number": 87, - "Content": " runAsNonRoot: true", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 88, - "Content": " ports:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mports\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 89, - "Content": " - containerPort: 8080", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m8080", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 90, - "Content": " name: sensor", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mname\u001b[0m: sensor", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 91, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV012", - "AVDID": "AVD-KSV-0012", - "Title": "Runs as root user", - "Description": "Force the running image to run as a non-root user to ensure least privileges.", - "Message": "Container 'chown-git-base' of StatefulSet 'git-sensor' should set 'securityContext.runAsNonRoot' to true", - "Namespace": "builtin.kubernetes.KSV012", - "Query": "data.builtin.kubernetes.KSV012.deny", - "Resolution": "Set 'containers[].securityContext.runAsNonRoot' to true.", - "Severity": "MEDIUM", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv012", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", - "https://avd.aquasec.com/misconfig/ksv012" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 66, - "EndLine": 80, - 
"Code": { - "Lines": [ - { - "Number": 66, - "Content": " - command:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mcommand\u001b[0m:", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 67, - "Content": " - /bin/sh", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - /bin/sh", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 68, - "Content": " - -c", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - -c", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 69, - "Content": " - mkdir -p /git-base/ssh-keys \u0026\u0026 chown -R devtron:devtron /git-base \u0026\u0026 chmod 777 /git-base/ssh-keys", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - mkdir -p /git-base/ssh-keys \u0026\u0026 chown -R devtron:devtron /git-base \u0026\u0026 chmod 777 /git-base/ssh-keys", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 70, - "Content": " image: \"quay.io/devtron/git-sensor:4bacf5f7-200-21575\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/git-sensor:4bacf5f7-200-21575\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 71, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 72, - "Content": " name: chown-git-base", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mname\u001b[0m: chown-git-base", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 73, - "Content": " resources: {}", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mresources\u001b[0m: {}", - 
"FirstCause": false, - "LastCause": false - }, - { - "Number": 74, - "Content": " securityContext:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33msecurityContext\u001b[0m:", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 75, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV014", - "AVDID": "AVD-KSV-0014", - "Title": "Root file system is not read-only", - "Description": "An immutable root file system prevents applications from writing to their local disk. This can limit intrusions, as attackers will not be able to tamper with the file system or write foreign executables to disk.", - "Message": "Container 'chown-git-base' of StatefulSet 'git-sensor' should set 'securityContext.readOnlyRootFilesystem' to true", - "Namespace": "builtin.kubernetes.KSV014", - "Query": "data.builtin.kubernetes.KSV014.deny", - "Resolution": "Change 'containers[].securityContext.readOnlyRootFilesystem' to 'true'.", - "Severity": "HIGH", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv014", - "References": [ - "https://kubesec.io/basics/containers-securitycontext-readonlyrootfilesystem-true/", - "https://avd.aquasec.com/misconfig/ksv014" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 66, - "EndLine": 80, - "Code": { - "Lines": [ - { - "Number": 66, - "Content": " - command:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mcommand\u001b[0m:", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 67, - "Content": " - /bin/sh", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - /bin/sh", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 68, - "Content": " - -c", - "IsCause": true, - 
"Annotation": "", - "Truncated": false, - "Highlighted": " - -c", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 69, - "Content": " - mkdir -p /git-base/ssh-keys \u0026\u0026 chown -R devtron:devtron /git-base \u0026\u0026 chmod 777 /git-base/ssh-keys", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - mkdir -p /git-base/ssh-keys \u0026\u0026 chown -R devtron:devtron /git-base \u0026\u0026 chmod 777 /git-base/ssh-keys", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 70, - "Content": " image: \"quay.io/devtron/git-sensor:4bacf5f7-200-21575\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/git-sensor:4bacf5f7-200-21575\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 71, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 72, - "Content": " name: chown-git-base", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mname\u001b[0m: chown-git-base", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 73, - "Content": " resources: {}", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mresources\u001b[0m: {}", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 74, - "Content": " securityContext:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33msecurityContext\u001b[0m:", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 75, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": 
"KSV014", - "AVDID": "AVD-KSV-0014", - "Title": "Root file system is not read-only", - "Description": "An immutable root file system prevents applications from writing to their local disk. This can limit intrusions, as attackers will not be able to tamper with the file system or write foreign executables to disk.", - "Message": "Container 'git-sensor' of StatefulSet 'git-sensor' should set 'securityContext.readOnlyRootFilesystem' to true", - "Namespace": "builtin.kubernetes.KSV014", - "Query": "data.builtin.kubernetes.KSV014.deny", - "Resolution": "Change 'containers[].securityContext.readOnlyRootFilesystem' to 'true'.", - "Severity": "HIGH", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv014", - "References": [ - "https://kubesec.io/basics/containers-securitycontext-readonlyrootfilesystem-true/", - "https://avd.aquasec.com/misconfig/ksv014" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 82, - "EndLine": 100, - "Code": { - "Lines": [ - { - "Number": 82, - "Content": " - name: git-sensor", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: git-sensor", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 83, - "Content": " image: \"quay.io/devtron/git-sensor:4bacf5f7-200-21575\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/git-sensor:4bacf5f7-200-21575\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 84, - "Content": " securityContext:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33msecurityContext\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 85, - "Content": " allowPrivilegeEscalation: false", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " 
\u001b[38;5;33mallowPrivilegeEscalation\u001b[0m: \u001b[38;5;166mfalse", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 86, - "Content": " runAsUser: 1000", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1000", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 87, - "Content": " runAsNonRoot: true", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 88, - "Content": " ports:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mports\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 89, - "Content": " - containerPort: 8080", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m8080", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 90, - "Content": " name: sensor", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mname\u001b[0m: sensor", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 91, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV015", - "AVDID": "AVD-KSV-0015", - "Title": "CPU requests not specified", - "Description": "When containers have resource requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", - "Message": "Container 'chown-git-base' of StatefulSet 'git-sensor' should set 'resources.requests.cpu'", - "Namespace": "builtin.kubernetes.KSV015", - "Query": "data.builtin.kubernetes.KSV015.deny", 
- "Resolution": "Set 'containers[].resources.requests.cpu'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv015", - "References": [ - "https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", - "https://avd.aquasec.com/misconfig/ksv015" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 66, - "EndLine": 80, - "Code": { - "Lines": [ - { - "Number": 66, - "Content": " - command:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mcommand\u001b[0m:", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 67, - "Content": " - /bin/sh", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - /bin/sh", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 68, - "Content": " - -c", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - -c", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 69, - "Content": " - mkdir -p /git-base/ssh-keys \u0026\u0026 chown -R devtron:devtron /git-base \u0026\u0026 chmod 777 /git-base/ssh-keys", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - mkdir -p /git-base/ssh-keys \u0026\u0026 chown -R devtron:devtron /git-base \u0026\u0026 chmod 777 /git-base/ssh-keys", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 70, - "Content": " image: \"quay.io/devtron/git-sensor:4bacf5f7-200-21575\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/git-sensor:4bacf5f7-200-21575\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 71, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m 
\u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 72, - "Content": " name: chown-git-base", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mname\u001b[0m: chown-git-base", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 73, - "Content": " resources: {}", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mresources\u001b[0m: {}", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 74, - "Content": " securityContext:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33msecurityContext\u001b[0m:", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 75, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV015", - "AVDID": "AVD-KSV-0015", - "Title": "CPU requests not specified", - "Description": "When containers have resource requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", - "Message": "Container 'git-sensor' of StatefulSet 'git-sensor' should set 'resources.requests.cpu'", - "Namespace": "builtin.kubernetes.KSV015", - "Query": "data.builtin.kubernetes.KSV015.deny", - "Resolution": "Set 'containers[].resources.requests.cpu'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv015", - "References": [ - "https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", - "https://avd.aquasec.com/misconfig/ksv015" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 82, - "EndLine": 100, - "Code": { - "Lines": [ - { - "Number": 82, - "Content": " - 
name: git-sensor", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: git-sensor", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 83, - "Content": " image: \"quay.io/devtron/git-sensor:4bacf5f7-200-21575\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/git-sensor:4bacf5f7-200-21575\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 84, - "Content": " securityContext:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33msecurityContext\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 85, - "Content": " allowPrivilegeEscalation: false", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mallowPrivilegeEscalation\u001b[0m: \u001b[38;5;166mfalse", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 86, - "Content": " runAsUser: 1000", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1000", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 87, - "Content": " runAsNonRoot: true", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 88, - "Content": " ports:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mports\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 89, - "Content": " - containerPort: 8080", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m8080", - "FirstCause": false, - "LastCause": false - }, - { - 
"Number": 90, - "Content": " name: sensor", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mname\u001b[0m: sensor", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 91, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV016", - "AVDID": "AVD-KSV-0016", - "Title": "Memory requests not specified", - "Description": "When containers have memory requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", - "Message": "Container 'chown-git-base' of StatefulSet 'git-sensor' should set 'resources.requests.memory'", - "Namespace": "builtin.kubernetes.KSV016", - "Query": "data.builtin.kubernetes.KSV016.deny", - "Resolution": "Set 'containers[].resources.requests.memory'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv016", - "References": [ - "https://kubesec.io/basics/containers-resources-limits-memory/", - "https://avd.aquasec.com/misconfig/ksv016" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 66, - "EndLine": 80, - "Code": { - "Lines": [ - { - "Number": 66, - "Content": " - command:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mcommand\u001b[0m:", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 67, - "Content": " - /bin/sh", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - /bin/sh", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 68, - "Content": " - -c", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - -c", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 69, - "Content": " - mkdir -p /git-base/ssh-keys 
\u0026\u0026 chown -R devtron:devtron /git-base \u0026\u0026 chmod 777 /git-base/ssh-keys", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - mkdir -p /git-base/ssh-keys \u0026\u0026 chown -R devtron:devtron /git-base \u0026\u0026 chmod 777 /git-base/ssh-keys", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 70, - "Content": " image: \"quay.io/devtron/git-sensor:4bacf5f7-200-21575\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/git-sensor:4bacf5f7-200-21575\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 71, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 72, - "Content": " name: chown-git-base", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mname\u001b[0m: chown-git-base", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 73, - "Content": " resources: {}", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mresources\u001b[0m: {}", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 74, - "Content": " securityContext:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33msecurityContext\u001b[0m:", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 75, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV016", - "AVDID": "AVD-KSV-0016", - "Title": "Memory requests not specified", - "Description": "When containers have memory requests specified, the scheduler can make better 
decisions about which nodes to place pods on, and how to deal with resource contention.", - "Message": "Container 'git-sensor' of StatefulSet 'git-sensor' should set 'resources.requests.memory'", - "Namespace": "builtin.kubernetes.KSV016", - "Query": "data.builtin.kubernetes.KSV016.deny", - "Resolution": "Set 'containers[].resources.requests.memory'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv016", - "References": [ - "https://kubesec.io/basics/containers-resources-limits-memory/", - "https://avd.aquasec.com/misconfig/ksv016" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 82, - "EndLine": 100, - "Code": { - "Lines": [ - { - "Number": 82, - "Content": " - name: git-sensor", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: git-sensor", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 83, - "Content": " image: \"quay.io/devtron/git-sensor:4bacf5f7-200-21575\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/git-sensor:4bacf5f7-200-21575\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 84, - "Content": " securityContext:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33msecurityContext\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 85, - "Content": " allowPrivilegeEscalation: false", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mallowPrivilegeEscalation\u001b[0m: \u001b[38;5;166mfalse", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 86, - "Content": " runAsUser: 1000", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1000", - 
"FirstCause": false, - "LastCause": false - }, - { - "Number": 87, - "Content": " runAsNonRoot: true", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 88, - "Content": " ports:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mports\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 89, - "Content": " - containerPort: 8080", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m8080", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 90, - "Content": " name: sensor", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mname\u001b[0m: sensor", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 91, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV018", - "AVDID": "AVD-KSV-0018", - "Title": "Memory not limited", - "Description": "Enforcing memory limits prevents DoS via resource exhaustion.", - "Message": "Container 'chown-git-base' of StatefulSet 'git-sensor' should set 'resources.limits.memory'", - "Namespace": "builtin.kubernetes.KSV018", - "Query": "data.builtin.kubernetes.KSV018.deny", - "Resolution": "Set a limit value under 'containers[].resources.limits.memory'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv018", - "References": [ - "https://kubesec.io/basics/containers-resources-limits-memory/", - "https://avd.aquasec.com/misconfig/ksv018" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 66, - 
"EndLine": 80, - "Code": { - "Lines": [ - { - "Number": 66, - "Content": " - command:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mcommand\u001b[0m:", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 67, - "Content": " - /bin/sh", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - /bin/sh", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 68, - "Content": " - -c", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - -c", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 69, - "Content": " - mkdir -p /git-base/ssh-keys \u0026\u0026 chown -R devtron:devtron /git-base \u0026\u0026 chmod 777 /git-base/ssh-keys", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - mkdir -p /git-base/ssh-keys \u0026\u0026 chown -R devtron:devtron /git-base \u0026\u0026 chmod 777 /git-base/ssh-keys", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 70, - "Content": " image: \"quay.io/devtron/git-sensor:4bacf5f7-200-21575\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/git-sensor:4bacf5f7-200-21575\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 71, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 72, - "Content": " name: chown-git-base", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mname\u001b[0m: chown-git-base", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 73, - "Content": " resources: {}", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " 
\u001b[38;5;33mresources\u001b[0m: {}", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 74, - "Content": " securityContext:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33msecurityContext\u001b[0m:", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 75, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV018", - "AVDID": "AVD-KSV-0018", - "Title": "Memory not limited", - "Description": "Enforcing memory limits prevents DoS via resource exhaustion.", - "Message": "Container 'git-sensor' of StatefulSet 'git-sensor' should set 'resources.limits.memory'", - "Namespace": "builtin.kubernetes.KSV018", - "Query": "data.builtin.kubernetes.KSV018.deny", - "Resolution": "Set a limit value under 'containers[].resources.limits.memory'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv018", - "References": [ - "https://kubesec.io/basics/containers-resources-limits-memory/", - "https://avd.aquasec.com/misconfig/ksv018" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 82, - "EndLine": 100, - "Code": { - "Lines": [ - { - "Number": 82, - "Content": " - name: git-sensor", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: git-sensor", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 83, - "Content": " image: \"quay.io/devtron/git-sensor:4bacf5f7-200-21575\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/git-sensor:4bacf5f7-200-21575\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 84, - "Content": " securityContext:", - "IsCause": true, - "Annotation": "", - 
"Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33msecurityContext\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 85, - "Content": " allowPrivilegeEscalation: false", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mallowPrivilegeEscalation\u001b[0m: \u001b[38;5;166mfalse", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 86, - "Content": " runAsUser: 1000", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1000", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 87, - "Content": " runAsNonRoot: true", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 88, - "Content": " ports:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mports\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 89, - "Content": " - containerPort: 8080", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m8080", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 90, - "Content": " name: sensor", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mname\u001b[0m: sensor", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 91, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV020", - "AVDID": "AVD-KSV-0020", - "Title": "Runs with UID \u003c= 10000", - "Description": "Force the container to run with user ID \u003e 10000 to avoid conflicts with the 
host’s user table.", - "Message": "Container 'chown-git-base' of StatefulSet 'git-sensor' should set 'securityContext.runAsUser' \u003e 10000", - "Namespace": "builtin.kubernetes.KSV020", - "Query": "data.builtin.kubernetes.KSV020.deny", - "Resolution": "Set 'containers[].securityContext.runAsUser' to an integer \u003e 10000.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv020", - "References": [ - "https://kubesec.io/basics/containers-securitycontext-runasuser/", - "https://avd.aquasec.com/misconfig/ksv020" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 66, - "EndLine": 80, - "Code": { - "Lines": [ - { - "Number": 66, - "Content": " - command:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mcommand\u001b[0m:", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 67, - "Content": " - /bin/sh", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - /bin/sh", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 68, - "Content": " - -c", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - -c", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 69, - "Content": " - mkdir -p /git-base/ssh-keys \u0026\u0026 chown -R devtron:devtron /git-base \u0026\u0026 chmod 777 /git-base/ssh-keys", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - mkdir -p /git-base/ssh-keys \u0026\u0026 chown -R devtron:devtron /git-base \u0026\u0026 chmod 777 /git-base/ssh-keys", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 70, - "Content": " image: \"quay.io/devtron/git-sensor:4bacf5f7-200-21575\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/git-sensor:4bacf5f7-200-21575\"", - "FirstCause": false, 
- "LastCause": false - }, - { - "Number": 71, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 72, - "Content": " name: chown-git-base", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mname\u001b[0m: chown-git-base", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 73, - "Content": " resources: {}", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mresources\u001b[0m: {}", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 74, - "Content": " securityContext:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33msecurityContext\u001b[0m:", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 75, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV020", - "AVDID": "AVD-KSV-0020", - "Title": "Runs with UID \u003c= 10000", - "Description": "Force the container to run with user ID \u003e 10000 to avoid conflicts with the host’s user table.", - "Message": "Container 'git-sensor' of StatefulSet 'git-sensor' should set 'securityContext.runAsUser' \u003e 10000", - "Namespace": "builtin.kubernetes.KSV020", - "Query": "data.builtin.kubernetes.KSV020.deny", - "Resolution": "Set 'containers[].securityContext.runAsUser' to an integer \u003e 10000.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv020", - "References": [ - "https://kubesec.io/basics/containers-securitycontext-runasuser/", - "https://avd.aquasec.com/misconfig/ksv020" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": 
"general", - "StartLine": 82, - "EndLine": 100, - "Code": { - "Lines": [ - { - "Number": 82, - "Content": " - name: git-sensor", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: git-sensor", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 83, - "Content": " image: \"quay.io/devtron/git-sensor:4bacf5f7-200-21575\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/git-sensor:4bacf5f7-200-21575\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 84, - "Content": " securityContext:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33msecurityContext\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 85, - "Content": " allowPrivilegeEscalation: false", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mallowPrivilegeEscalation\u001b[0m: \u001b[38;5;166mfalse", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 86, - "Content": " runAsUser: 1000", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1000", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 87, - "Content": " runAsNonRoot: true", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 88, - "Content": " ports:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mports\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 89, - "Content": " - containerPort: 8080", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - 
\u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m8080", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 90, - "Content": " name: sensor", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mname\u001b[0m: sensor", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 91, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV021", - "AVDID": "AVD-KSV-0021", - "Title": "Runs with GID \u003c= 10000", - "Description": "Force the container to run with group ID \u003e 10000 to avoid conflicts with the host’s user table.", - "Message": "Container 'chown-git-base' of StatefulSet 'git-sensor' should set 'securityContext.runAsGroup' \u003e 10000", - "Namespace": "builtin.kubernetes.KSV021", - "Query": "data.builtin.kubernetes.KSV021.deny", - "Resolution": "Set 'containers[].securityContext.runAsGroup' to an integer \u003e 10000.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv021", - "References": [ - "https://kubesec.io/basics/containers-securitycontext-runasuser/", - "https://avd.aquasec.com/misconfig/ksv021" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 66, - "EndLine": 80, - "Code": { - "Lines": [ - { - "Number": 66, - "Content": " - command:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mcommand\u001b[0m:", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 67, - "Content": " - /bin/sh", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - /bin/sh", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 68, - "Content": " - -c", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - -c", - "FirstCause": 
false, - "LastCause": false - }, - { - "Number": 69, - "Content": " - mkdir -p /git-base/ssh-keys \u0026\u0026 chown -R devtron:devtron /git-base \u0026\u0026 chmod 777 /git-base/ssh-keys", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - mkdir -p /git-base/ssh-keys \u0026\u0026 chown -R devtron:devtron /git-base \u0026\u0026 chmod 777 /git-base/ssh-keys", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 70, - "Content": " image: \"quay.io/devtron/git-sensor:4bacf5f7-200-21575\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/git-sensor:4bacf5f7-200-21575\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 71, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 72, - "Content": " name: chown-git-base", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mname\u001b[0m: chown-git-base", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 73, - "Content": " resources: {}", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mresources\u001b[0m: {}", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 74, - "Content": " securityContext:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33msecurityContext\u001b[0m:", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 75, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV021", - "AVDID": "AVD-KSV-0021", - "Title": "Runs with GID \u003c= 10000", - 
"Description": "Force the container to run with group ID \u003e 10000 to avoid conflicts with the host’s user table.", - "Message": "Container 'git-sensor' of StatefulSet 'git-sensor' should set 'securityContext.runAsGroup' \u003e 10000", - "Namespace": "builtin.kubernetes.KSV021", - "Query": "data.builtin.kubernetes.KSV021.deny", - "Resolution": "Set 'containers[].securityContext.runAsGroup' to an integer \u003e 10000.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv021", - "References": [ - "https://kubesec.io/basics/containers-securitycontext-runasuser/", - "https://avd.aquasec.com/misconfig/ksv021" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 82, - "EndLine": 100, - "Code": { - "Lines": [ - { - "Number": 82, - "Content": " - name: git-sensor", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: git-sensor", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 83, - "Content": " image: \"quay.io/devtron/git-sensor:4bacf5f7-200-21575\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/git-sensor:4bacf5f7-200-21575\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 84, - "Content": " securityContext:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33msecurityContext\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 85, - "Content": " allowPrivilegeEscalation: false", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mallowPrivilegeEscalation\u001b[0m: \u001b[38;5;166mfalse", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 86, - "Content": " runAsUser: 1000", - "IsCause": true, - "Annotation": "", - "Truncated": false, - 
"Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1000", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 87, - "Content": " runAsNonRoot: true", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 88, - "Content": " ports:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mports\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 89, - "Content": " - containerPort: 8080", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m8080", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 90, - "Content": " name: sensor", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mname\u001b[0m: sensor", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 91, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV030", - "AVDID": "AVD-KSV-0030", - "Title": "Runtime/Default Seccomp profile not set", - "Description": "According to pod security standard 'Seccomp', the RuntimeDefault seccomp profile must be required, or allow specific additional profiles.", - "Message": "Either Pod or Container should set 'securityContext.seccompProfile.type' to 'RuntimeDefault'", - "Namespace": "builtin.kubernetes.KSV030", - "Query": "data.builtin.kubernetes.KSV030.deny", - "Resolution": "Set 'spec.securityContext.seccompProfile.type', 'spec.containers[*].securityContext.seccompProfile' and 'spec.initContainers[*].securityContext.seccompProfile' to 'RuntimeDefault' or undefined.", - "Severity": "LOW", - "PrimaryURL": 
"https://avd.aquasec.com/misconfig/ksv030", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", - "https://avd.aquasec.com/misconfig/ksv030" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 66, - "EndLine": 80, - "Code": { - "Lines": [ - { - "Number": 66, - "Content": " - command:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mcommand\u001b[0m:", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 67, - "Content": " - /bin/sh", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - /bin/sh", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 68, - "Content": " - -c", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - -c", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 69, - "Content": " - mkdir -p /git-base/ssh-keys \u0026\u0026 chown -R devtron:devtron /git-base \u0026\u0026 chmod 777 /git-base/ssh-keys", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - mkdir -p /git-base/ssh-keys \u0026\u0026 chown -R devtron:devtron /git-base \u0026\u0026 chmod 777 /git-base/ssh-keys", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 70, - "Content": " image: \"quay.io/devtron/git-sensor:4bacf5f7-200-21575\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/git-sensor:4bacf5f7-200-21575\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 71, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 72, - "Content": " name: chown-git-base", - 
"IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mname\u001b[0m: chown-git-base", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 73, - "Content": " resources: {}", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mresources\u001b[0m: {}", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 74, - "Content": " securityContext:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33msecurityContext\u001b[0m:", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 75, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV030", - "AVDID": "AVD-KSV-0030", - "Title": "Runtime/Default Seccomp profile not set", - "Description": "According to pod security standard 'Seccomp', the RuntimeDefault seccomp profile must be required, or allow specific additional profiles.", - "Message": "Either Pod or Container should set 'securityContext.seccompProfile.type' to 'RuntimeDefault'", - "Namespace": "builtin.kubernetes.KSV030", - "Query": "data.builtin.kubernetes.KSV030.deny", - "Resolution": "Set 'spec.securityContext.seccompProfile.type', 'spec.containers[*].securityContext.seccompProfile' and 'spec.initContainers[*].securityContext.seccompProfile' to 'RuntimeDefault' or undefined.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv030", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", - "https://avd.aquasec.com/misconfig/ksv030" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 82, - "EndLine": 100, - "Code": { - "Lines": [ - { - "Number": 82, - "Content": " - name: git-sensor", - "IsCause": true, - "Annotation": "", - 
"Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: git-sensor", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 83, - "Content": " image: \"quay.io/devtron/git-sensor:4bacf5f7-200-21575\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/git-sensor:4bacf5f7-200-21575\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 84, - "Content": " securityContext:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33msecurityContext\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 85, - "Content": " allowPrivilegeEscalation: false", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mallowPrivilegeEscalation\u001b[0m: \u001b[38;5;166mfalse", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 86, - "Content": " runAsUser: 1000", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1000", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 87, - "Content": " runAsNonRoot: true", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 88, - "Content": " ports:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mports\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 89, - "Content": " - containerPort: 8080", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m8080", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 90, - "Content": " name: sensor", - "IsCause": true, - 
"Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mname\u001b[0m: sensor", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 91, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV104", - "AVDID": "AVD-KSV-0104", - "Title": "Seccomp policies disabled", - "Description": "A program inside the container can bypass Seccomp protection policies.", - "Message": "container \"chown-git-base\" of statefulset \"git-sensor\" in \"default\" namespace should specify a seccomp profile", - "Namespace": "builtin.kubernetes.KSV104", - "Query": "data.builtin.kubernetes.KSV104.deny", - "Resolution": "Specify seccomp either by annotation or by seccomp profile type having allowed values as per pod security standards", - "Severity": "MEDIUM", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv104", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline", - "https://avd.aquasec.com/misconfig/ksv104" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 41, - "EndLine": 41, - "Code": { - "Lines": [ - { - "Number": 41, - "Content": "---", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "---", - "FirstCause": true, - "LastCause": true - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV104", - "AVDID": "AVD-KSV-0104", - "Title": "Seccomp policies disabled", - "Description": "A program inside the container can bypass Seccomp protection policies.", - "Message": "container \"git-sensor\" of statefulset \"git-sensor\" in \"default\" namespace should specify a seccomp profile", - "Namespace": "builtin.kubernetes.KSV104", - "Query": "data.builtin.kubernetes.KSV104.deny", - "Resolution": "Specify seccomp either by annotation or by 
seccomp profile type having allowed values as per pod security standards", - "Severity": "MEDIUM", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv104", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline", - "https://avd.aquasec.com/misconfig/ksv104" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 41, - "EndLine": 41, - "Code": { - "Lines": [ - { - "Number": 41, - "Content": "---", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "---", - "FirstCause": true, - "LastCause": true - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV105", - "AVDID": "AVD-KSV-0105", - "Title": "Containers must not set runAsUser to 0", - "Description": "Containers should be forbidden from running with a root UID.", - "Message": "securityContext.runAsUser should be set to a value greater than 0", - "Namespace": "builtin.kubernetes.KSV105", - "Query": "data.builtin.kubernetes.KSV105.deny", - "Resolution": "Set 'securityContext.runAsUser' to a non-zero integer or leave undefined.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv105", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", - "https://avd.aquasec.com/misconfig/ksv105" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 75, - "EndLine": 75, - "Code": { - "Lines": [ - { - "Number": 75, - "Content": " runAsUser: 0", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m0", - "FirstCause": true, - "LastCause": true - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV106", - "AVDID": "AVD-KSV-0106", - "Title": "Container capabilities must only include NET_BIND_SERVICE", - "Description": "Containers 
must drop ALL capabilities, and are only permitted to add back the NET_BIND_SERVICE capability.", - "Message": "container should drop all", - "Namespace": "builtin.kubernetes.KSV106", - "Query": "data.builtin.kubernetes.KSV106.deny", - "Resolution": "Set 'spec.containers[*].securityContext.capabilities.drop' to 'ALL' and only add 'NET_BIND_SERVICE' to 'spec.containers[*].securityContext.capabilities.add'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv106", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", - "https://avd.aquasec.com/misconfig/ksv106" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 66, - "EndLine": 80, - "Code": { - "Lines": [ - { - "Number": 66, - "Content": " - command:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mcommand\u001b[0m:", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 67, - "Content": " - /bin/sh", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - /bin/sh", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 68, - "Content": " - -c", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - -c", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 69, - "Content": " - mkdir -p /git-base/ssh-keys \u0026\u0026 chown -R devtron:devtron /git-base \u0026\u0026 chmod 777 /git-base/ssh-keys", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - mkdir -p /git-base/ssh-keys \u0026\u0026 chown -R devtron:devtron /git-base \u0026\u0026 chmod 777 /git-base/ssh-keys", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 70, - "Content": " image: \"quay.io/devtron/git-sensor:4bacf5f7-200-21575\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " 
\u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/git-sensor:4bacf5f7-200-21575\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 71, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 72, - "Content": " name: chown-git-base", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mname\u001b[0m: chown-git-base", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 73, - "Content": " resources: {}", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mresources\u001b[0m: {}", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 74, - "Content": " securityContext:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33msecurityContext\u001b[0m:", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 75, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV106", - "AVDID": "AVD-KSV-0106", - "Title": "Container capabilities must only include NET_BIND_SERVICE", - "Description": "Containers must drop ALL capabilities, and are only permitted to add back the NET_BIND_SERVICE capability.", - "Message": "container should drop all", - "Namespace": "builtin.kubernetes.KSV106", - "Query": "data.builtin.kubernetes.KSV106.deny", - "Resolution": "Set 'spec.containers[*].securityContext.capabilities.drop' to 'ALL' and only add 'NET_BIND_SERVICE' to 'spec.containers[*].securityContext.capabilities.add'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv106", - "References": [ - 
"https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", - "https://avd.aquasec.com/misconfig/ksv106" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 82, - "EndLine": 100, - "Code": { - "Lines": [ - { - "Number": 82, - "Content": " - name: git-sensor", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: git-sensor", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 83, - "Content": " image: \"quay.io/devtron/git-sensor:4bacf5f7-200-21575\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/git-sensor:4bacf5f7-200-21575\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 84, - "Content": " securityContext:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33msecurityContext\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 85, - "Content": " allowPrivilegeEscalation: false", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mallowPrivilegeEscalation\u001b[0m: \u001b[38;5;166mfalse", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 86, - "Content": " runAsUser: 1000", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1000", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 87, - "Content": " runAsNonRoot: true", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 88, - "Content": " ports:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m 
\u001b[38;5;33mports\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 89, - "Content": " - containerPort: 8080", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m8080", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 90, - "Content": " name: sensor", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mname\u001b[0m: sensor", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 91, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - } - ] - }, - { - "Target": "manifests/yamls/grafana.yaml", - "Class": "config", - "Type": "kubernetes", - "MisconfSummary": { - "Successes": 153, - "Failures": 81, - "Exceptions": 0 - }, - "Misconfigurations": [ - { - "Type": "Kubernetes Security Check", - "ID": "KSV001", - "AVDID": "AVD-KSV-0001", - "Title": "Can elevate its own privileges", - "Description": "A program inside the container can elevate its own privileges and run as root, which might give the program control over the container and node.", - "Message": "Container 'devtron-test' of Pod 'devtron-grafana-test' should set 'securityContext.allowPrivilegeEscalation' to false", - "Namespace": "builtin.kubernetes.KSV001", - "Query": "data.builtin.kubernetes.KSV001.deny", - "Resolution": "Set 'set containers[].securityContext.allowPrivilegeEscalation' to 'false'.", - "Severity": "MEDIUM", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv001", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", - "https://avd.aquasec.com/misconfig/ksv001" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 628, - "EndLine": 635, - "Code": { - "Lines": [ - { - "Number": 628, - "Content": " - 
name: devtron-test", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: devtron-test", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 629, - "Content": " image: \"quay.io/devtron/bats:v1.1.0\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/bats:v1.1.0\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 630, - "Content": " imagePullPolicy: \"IfNotPresent\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: \u001b[38;5;37m\"IfNotPresent\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 631, - "Content": " command: [\"/opt/bats/bin/bats\", \"-t\", \"/tests/run.sh\"]", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mcommand\u001b[0m: [\u001b[38;5;37m\"/opt/bats/bin/bats\"\u001b[0m, \u001b[38;5;37m\"-t\"\u001b[0m, \u001b[38;5;37m\"/tests/run.sh\"\u001b[0m]", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 632, - "Content": " volumeMounts:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvolumeMounts\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 633, - "Content": " - mountPath: /tests", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mmountPath\u001b[0m: /tests", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 634, - "Content": " name: tests", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mname\u001b[0m: tests", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 635, - "Content": " readOnly: true", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " 
\u001b[38;5;33mreadOnly\u001b[0m: \u001b[38;5;166mtrue", - "FirstCause": false, - "LastCause": true - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV001", - "AVDID": "AVD-KSV-0001", - "Title": "Can elevate its own privileges", - "Description": "A program inside the container can elevate its own privileges and run as root, which might give the program control over the container and node.", - "Message": "Container 'download-dashboards' of Deployment 'devtron-grafana' should set 'securityContext.allowPrivilegeEscalation' to false", - "Namespace": "builtin.kubernetes.KSV001", - "Query": "data.builtin.kubernetes.KSV001.deny", - "Resolution": "Set 'set containers[].securityContext.allowPrivilegeEscalation' to 'false'.", - "Severity": "MEDIUM", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv001", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", - "https://avd.aquasec.com/misconfig/ksv001" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 467, - "EndLine": 480, - "Code": { - "Lines": [ - { - "Number": 467, - "Content": " - name: download-dashboards", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: download-dashboards", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 468, - "Content": " image: \"quay.io/devtron/curl:7.73.0\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/curl:7.73.0\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 469, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 470, - "Content": " 
command: [\"/bin/sh\"]", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mcommand\u001b[0m: [\u001b[38;5;37m\"/bin/sh\"\u001b[0m]", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 471, - "Content": " args: [ \"-c\", \"mkdir -p /var/lib/grafana/dashboards/default \u0026\u0026 /bin/sh /etc/grafana/download_dashboards.sh\" ]", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33margs\u001b[0m: [ \u001b[38;5;37m\"-c\"\u001b[0m, \u001b[38;5;37m\"mkdir -p /var/lib/grafana/dashboards/default \u0026\u0026 /bin/sh /etc/grafana/download_dashboards.sh\"\u001b[0m ]", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 472, - "Content": " resources:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mresources\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 473, - "Content": " {}", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " {}", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 474, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 475, - "Content": " volumeMounts:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvolumeMounts\u001b[0m:", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 476, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV001", - "AVDID": "AVD-KSV-0001", - "Title": "Can elevate its own privileges", - "Description": "A program inside the container can elevate its own privileges and run as root, which might give the program control over the container and node.", - 
"Message": "Container 'grafana' of Deployment 'devtron-grafana' should set 'securityContext.allowPrivilegeEscalation' to false", - "Namespace": "builtin.kubernetes.KSV001", - "Query": "data.builtin.kubernetes.KSV001.deny", - "Resolution": "Set 'set containers[].securityContext.allowPrivilegeEscalation' to 'false'.", - "Severity": "MEDIUM", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv001", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", - "https://avd.aquasec.com/misconfig/ksv001" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 516, - "EndLine": 565, - "Code": { - "Lines": [ - { - "Number": 516, - "Content": " - name: grafana", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: grafana", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 517, - "Content": " image: \"quay.io/devtron/grafana:7.3.1\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/grafana:7.3.1\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 518, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 519, - "Content": " volumeMounts:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvolumeMounts\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 520, - "Content": " - name: config", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: config", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 521, - "Content": " 
mountPath: \"/etc/grafana/grafana.ini\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mmountPath\u001b[0m: \u001b[38;5;37m\"/etc/grafana/grafana.ini\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 522, - "Content": " subPath: grafana.ini", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33msubPath\u001b[0m: grafana.ini", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 523, - "Content": " - name: storage", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: storage", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 524, - "Content": " mountPath: \"/var/lib/grafana\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mmountPath\u001b[0m: \u001b[38;5;37m\"/var/lib/grafana\"", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 525, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV001", - "AVDID": "AVD-KSV-0001", - "Title": "Can elevate its own privileges", - "Description": "A program inside the container can elevate its own privileges and run as root, which might give the program control over the container and node.", - "Message": "Container 'grafana-sc-dashboard' of Deployment 'devtron-grafana' should set 'securityContext.allowPrivilegeEscalation' to false", - "Namespace": "builtin.kubernetes.KSV001", - "Query": "data.builtin.kubernetes.KSV001.deny", - "Resolution": "Set 'set containers[].securityContext.allowPrivilegeEscalation' to 'false'.", - "Severity": "MEDIUM", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv001", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", - 
"https://avd.aquasec.com/misconfig/ksv001" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 499, - "EndLine": 515, - "Code": { - "Lines": [ - { - "Number": 499, - "Content": " - name: grafana-sc-dashboard", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: grafana-sc-dashboard", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 500, - "Content": " image: \"quay.io/kiwigrid/k8s-sidecar:1.1.0\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/kiwigrid/k8s-sidecar:1.1.0\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 501, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 502, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 503, - "Content": " - name: METHOD", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: METHOD", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 504, - "Content": " value:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 505, - "Content": " - name: LABEL", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: LABEL", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 506, - "Content": " value: \"grafana_dashboard\"", - "IsCause": true, - "Annotation": "", - 
"Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: \u001b[38;5;37m\"grafana_dashboard\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 507, - "Content": " - name: FOLDER", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: FOLDER", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 508, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV001", - "AVDID": "AVD-KSV-0001", - "Title": "Can elevate its own privileges", - "Description": "A program inside the container can elevate its own privileges and run as root, which might give the program control over the container and node.", - "Message": "Container 'grafana-sc-datasources' of Deployment 'devtron-grafana' should set 'securityContext.allowPrivilegeEscalation' to false", - "Namespace": "builtin.kubernetes.KSV001", - "Query": "data.builtin.kubernetes.KSV001.deny", - "Resolution": "Set 'set containers[].securityContext.allowPrivilegeEscalation' to 'false'.", - "Severity": "MEDIUM", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv001", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", - "https://avd.aquasec.com/misconfig/ksv001" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 481, - "EndLine": 497, - "Code": { - "Lines": [ - { - "Number": 481, - "Content": " - name: grafana-sc-datasources", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: grafana-sc-datasources", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 482, - "Content": " image: \"quay.io/kiwigrid/k8s-sidecar:1.1.0\"", - "IsCause": true, - "Annotation": "", - "Truncated": 
false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/kiwigrid/k8s-sidecar:1.1.0\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 483, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 484, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 485, - "Content": " - name: METHOD", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: METHOD", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 486, - "Content": " value: LIST", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: LIST", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 487, - "Content": " - name: LABEL", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: LABEL", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 488, - "Content": " value: \"grafana_datasource\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: \u001b[38;5;37m\"grafana_datasource\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 489, - "Content": " - name: FOLDER", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: FOLDER", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 490, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - 
"ID": "KSV001", - "AVDID": "AVD-KSV-0001", - "Title": "Can elevate its own privileges", - "Description": "A program inside the container can elevate its own privileges and run as root, which might give the program control over the container and node.", - "Message": "Container 'init-chown-data' of Deployment 'devtron-grafana' should set 'securityContext.allowPrivilegeEscalation' to false", - "Namespace": "builtin.kubernetes.KSV001", - "Query": "data.builtin.kubernetes.KSV001.deny", - "Resolution": "Set 'set containers[].securityContext.allowPrivilegeEscalation' to 'false'.", - "Severity": "MEDIUM", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv001", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", - "https://avd.aquasec.com/misconfig/ksv001" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 455, - "EndLine": 466, - "Code": { - "Lines": [ - { - "Number": 455, - "Content": " - name: init-chown-data", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: init-chown-data", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 456, - "Content": " image: \"quay.io/devtron/busybox:1.31.1\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/busybox:1.31.1\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 457, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 458, - "Content": " securityContext:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33msecurityContext\u001b[0m:", - "FirstCause": false, - "LastCause": 
false - }, - { - "Number": 459, - "Content": " runAsNonRoot: false", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mfalse", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 460, - "Content": " runAsUser: 0", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m0", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 461, - "Content": " command: [\"chown\", \"-R\", \"472:472\", \"/var/lib/grafana\"]", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mcommand\u001b[0m: [\u001b[38;5;37m\"chown\"\u001b[0m, \u001b[38;5;37m\"-R\"\u001b[0m, \u001b[38;5;37m\"472:472\"\u001b[0m, \u001b[38;5;37m\"/var/lib/grafana\"\u001b[0m]", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 462, - "Content": " resources:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mresources\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 463, - "Content": " {}", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " {}", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 464, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV003", - "AVDID": "AVD-KSV-0003", - "Title": "Default capabilities: some containers do not drop all", - "Description": "The container should drop all default capabilities and add only those that are needed for its execution.", - "Message": "Container 'devtron-test' of Pod 'devtron-grafana-test' should add 'ALL' to 'securityContext.capabilities.drop'", - "Namespace": "builtin.kubernetes.KSV003", - "Query": "data.builtin.kubernetes.KSV003.deny", - "Resolution": 
"Add 'ALL' to containers[].securityContext.capabilities.drop.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv003", - "References": [ - "https://kubesec.io/basics/containers-securitycontext-capabilities-drop-index-all/", - "https://avd.aquasec.com/misconfig/ksv003" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 628, - "EndLine": 635, - "Code": { - "Lines": [ - { - "Number": 628, - "Content": " - name: devtron-test", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: devtron-test", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 629, - "Content": " image: \"quay.io/devtron/bats:v1.1.0\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/bats:v1.1.0\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 630, - "Content": " imagePullPolicy: \"IfNotPresent\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: \u001b[38;5;37m\"IfNotPresent\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 631, - "Content": " command: [\"/opt/bats/bin/bats\", \"-t\", \"/tests/run.sh\"]", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mcommand\u001b[0m: [\u001b[38;5;37m\"/opt/bats/bin/bats\"\u001b[0m, \u001b[38;5;37m\"-t\"\u001b[0m, \u001b[38;5;37m\"/tests/run.sh\"\u001b[0m]", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 632, - "Content": " volumeMounts:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvolumeMounts\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 633, - "Content": " - mountPath: /tests", - "IsCause": true, - "Annotation": "", - 
"Truncated": false, - "Highlighted": " - \u001b[38;5;33mmountPath\u001b[0m: /tests", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 634, - "Content": " name: tests", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mname\u001b[0m: tests", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 635, - "Content": " readOnly: true", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mreadOnly\u001b[0m: \u001b[38;5;166mtrue", - "FirstCause": false, - "LastCause": true - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV003", - "AVDID": "AVD-KSV-0003", - "Title": "Default capabilities: some containers do not drop all", - "Description": "The container should drop all default capabilities and add only those that are needed for its execution.", - "Message": "Container 'download-dashboards' of Deployment 'devtron-grafana' should add 'ALL' to 'securityContext.capabilities.drop'", - "Namespace": "builtin.kubernetes.KSV003", - "Query": "data.builtin.kubernetes.KSV003.deny", - "Resolution": "Add 'ALL' to containers[].securityContext.capabilities.drop.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv003", - "References": [ - "https://kubesec.io/basics/containers-securitycontext-capabilities-drop-index-all/", - "https://avd.aquasec.com/misconfig/ksv003" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 467, - "EndLine": 480, - "Code": { - "Lines": [ - { - "Number": 467, - "Content": " - name: download-dashboards", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: download-dashboards", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 468, - "Content": " image: \"quay.io/devtron/curl:7.73.0\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - 
"Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/curl:7.73.0\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 469, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 470, - "Content": " command: [\"/bin/sh\"]", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mcommand\u001b[0m: [\u001b[38;5;37m\"/bin/sh\"\u001b[0m]", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 471, - "Content": " args: [ \"-c\", \"mkdir -p /var/lib/grafana/dashboards/default \u0026\u0026 /bin/sh /etc/grafana/download_dashboards.sh\" ]", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33margs\u001b[0m: [ \u001b[38;5;37m\"-c\"\u001b[0m, \u001b[38;5;37m\"mkdir -p /var/lib/grafana/dashboards/default \u0026\u0026 /bin/sh /etc/grafana/download_dashboards.sh\"\u001b[0m ]", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 472, - "Content": " resources:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mresources\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 473, - "Content": " {}", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " {}", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 474, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 475, - "Content": " volumeMounts:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvolumeMounts\u001b[0m:", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 476, - 
"Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV003", - "AVDID": "AVD-KSV-0003", - "Title": "Default capabilities: some containers do not drop all", - "Description": "The container should drop all default capabilities and add only those that are needed for its execution.", - "Message": "Container 'grafana' of Deployment 'devtron-grafana' should add 'ALL' to 'securityContext.capabilities.drop'", - "Namespace": "builtin.kubernetes.KSV003", - "Query": "data.builtin.kubernetes.KSV003.deny", - "Resolution": "Add 'ALL' to containers[].securityContext.capabilities.drop.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv003", - "References": [ - "https://kubesec.io/basics/containers-securitycontext-capabilities-drop-index-all/", - "https://avd.aquasec.com/misconfig/ksv003" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 516, - "EndLine": 565, - "Code": { - "Lines": [ - { - "Number": 516, - "Content": " - name: grafana", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: grafana", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 517, - "Content": " image: \"quay.io/devtron/grafana:7.3.1\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/grafana:7.3.1\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 518, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 519, - "Content": " volumeMounts:", - "IsCause": true, - "Annotation": 
"", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvolumeMounts\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 520, - "Content": " - name: config", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: config", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 521, - "Content": " mountPath: \"/etc/grafana/grafana.ini\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mmountPath\u001b[0m: \u001b[38;5;37m\"/etc/grafana/grafana.ini\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 522, - "Content": " subPath: grafana.ini", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33msubPath\u001b[0m: grafana.ini", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 523, - "Content": " - name: storage", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: storage", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 524, - "Content": " mountPath: \"/var/lib/grafana\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mmountPath\u001b[0m: \u001b[38;5;37m\"/var/lib/grafana\"", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 525, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV003", - "AVDID": "AVD-KSV-0003", - "Title": "Default capabilities: some containers do not drop all", - "Description": "The container should drop all default capabilities and add only those that are needed for its execution.", - "Message": "Container 'grafana-sc-dashboard' of Deployment 'devtron-grafana' should add 'ALL' to 'securityContext.capabilities.drop'", - "Namespace": 
"builtin.kubernetes.KSV003", - "Query": "data.builtin.kubernetes.KSV003.deny", - "Resolution": "Add 'ALL' to containers[].securityContext.capabilities.drop.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv003", - "References": [ - "https://kubesec.io/basics/containers-securitycontext-capabilities-drop-index-all/", - "https://avd.aquasec.com/misconfig/ksv003" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 499, - "EndLine": 515, - "Code": { - "Lines": [ - { - "Number": 499, - "Content": " - name: grafana-sc-dashboard", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: grafana-sc-dashboard", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 500, - "Content": " image: \"quay.io/kiwigrid/k8s-sidecar:1.1.0\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/kiwigrid/k8s-sidecar:1.1.0\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 501, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 502, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 503, - "Content": " - name: METHOD", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: METHOD", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 504, - "Content": " value:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m:", - "FirstCause": false, - "LastCause": 
false - }, - { - "Number": 505, - "Content": " - name: LABEL", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: LABEL", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 506, - "Content": " value: \"grafana_dashboard\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: \u001b[38;5;37m\"grafana_dashboard\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 507, - "Content": " - name: FOLDER", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: FOLDER", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 508, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV003", - "AVDID": "AVD-KSV-0003", - "Title": "Default capabilities: some containers do not drop all", - "Description": "The container should drop all default capabilities and add only those that are needed for its execution.", - "Message": "Container 'grafana-sc-datasources' of Deployment 'devtron-grafana' should add 'ALL' to 'securityContext.capabilities.drop'", - "Namespace": "builtin.kubernetes.KSV003", - "Query": "data.builtin.kubernetes.KSV003.deny", - "Resolution": "Add 'ALL' to containers[].securityContext.capabilities.drop.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv003", - "References": [ - "https://kubesec.io/basics/containers-securitycontext-capabilities-drop-index-all/", - "https://avd.aquasec.com/misconfig/ksv003" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 481, - "EndLine": 497, - "Code": { - "Lines": [ - { - "Number": 481, - "Content": " - name: grafana-sc-datasources", - "IsCause": true, - "Annotation": 
"", - "Truncated": false, - "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: grafana-sc-datasources", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 482, - "Content": " image: \"quay.io/kiwigrid/k8s-sidecar:1.1.0\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/kiwigrid/k8s-sidecar:1.1.0\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 483, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 484, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 485, - "Content": " - name: METHOD", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: METHOD", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 486, - "Content": " value: LIST", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: LIST", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 487, - "Content": " - name: LABEL", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: LABEL", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 488, - "Content": " value: \"grafana_datasource\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: \u001b[38;5;37m\"grafana_datasource\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 489, - "Content": " - name: FOLDER", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m - 
\u001b[38;5;33mname\u001b[0m: FOLDER", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 490, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV003", - "AVDID": "AVD-KSV-0003", - "Title": "Default capabilities: some containers do not drop all", - "Description": "The container should drop all default capabilities and add only those that are needed for its execution.", - "Message": "Container 'init-chown-data' of Deployment 'devtron-grafana' should add 'ALL' to 'securityContext.capabilities.drop'", - "Namespace": "builtin.kubernetes.KSV003", - "Query": "data.builtin.kubernetes.KSV003.deny", - "Resolution": "Add 'ALL' to containers[].securityContext.capabilities.drop.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv003", - "References": [ - "https://kubesec.io/basics/containers-securitycontext-capabilities-drop-index-all/", - "https://avd.aquasec.com/misconfig/ksv003" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 455, - "EndLine": 466, - "Code": { - "Lines": [ - { - "Number": 455, - "Content": " - name: init-chown-data", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: init-chown-data", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 456, - "Content": " image: \"quay.io/devtron/busybox:1.31.1\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/busybox:1.31.1\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 457, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - 
"FirstCause": false, - "LastCause": false - }, - { - "Number": 458, - "Content": " securityContext:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33msecurityContext\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 459, - "Content": " runAsNonRoot: false", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mfalse", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 460, - "Content": " runAsUser: 0", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m0", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 461, - "Content": " command: [\"chown\", \"-R\", \"472:472\", \"/var/lib/grafana\"]", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mcommand\u001b[0m: [\u001b[38;5;37m\"chown\"\u001b[0m, \u001b[38;5;37m\"-R\"\u001b[0m, \u001b[38;5;37m\"472:472\"\u001b[0m, \u001b[38;5;37m\"/var/lib/grafana\"\u001b[0m]", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 462, - "Content": " resources:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mresources\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 463, - "Content": " {}", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " {}", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 464, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV011", - "AVDID": "AVD-KSV-0011", - "Title": "CPU not limited", - "Description": "Enforcing CPU limits prevents DoS via resource exhaustion.", - "Message": "Container 'devtron-test' of Pod 
'devtron-grafana-test' should set 'resources.limits.cpu'", - "Namespace": "builtin.kubernetes.KSV011", - "Query": "data.builtin.kubernetes.KSV011.deny", - "Resolution": "Set a limit value under 'containers[].resources.limits.cpu'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv011", - "References": [ - "https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", - "https://avd.aquasec.com/misconfig/ksv011" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 628, - "EndLine": 635, - "Code": { - "Lines": [ - { - "Number": 628, - "Content": " - name: devtron-test", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: devtron-test", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 629, - "Content": " image: \"quay.io/devtron/bats:v1.1.0\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/bats:v1.1.0\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 630, - "Content": " imagePullPolicy: \"IfNotPresent\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: \u001b[38;5;37m\"IfNotPresent\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 631, - "Content": " command: [\"/opt/bats/bin/bats\", \"-t\", \"/tests/run.sh\"]", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mcommand\u001b[0m: [\u001b[38;5;37m\"/opt/bats/bin/bats\"\u001b[0m, \u001b[38;5;37m\"-t\"\u001b[0m, \u001b[38;5;37m\"/tests/run.sh\"\u001b[0m]", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 632, - "Content": " volumeMounts:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - 
"Highlighted": " \u001b[38;5;33mvolumeMounts\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 633, - "Content": " - mountPath: /tests", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mmountPath\u001b[0m: /tests", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 634, - "Content": " name: tests", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mname\u001b[0m: tests", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 635, - "Content": " readOnly: true", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mreadOnly\u001b[0m: \u001b[38;5;166mtrue", - "FirstCause": false, - "LastCause": true - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV011", - "AVDID": "AVD-KSV-0011", - "Title": "CPU not limited", - "Description": "Enforcing CPU limits prevents DoS via resource exhaustion.", - "Message": "Container 'download-dashboards' of Deployment 'devtron-grafana' should set 'resources.limits.cpu'", - "Namespace": "builtin.kubernetes.KSV011", - "Query": "data.builtin.kubernetes.KSV011.deny", - "Resolution": "Set a limit value under 'containers[].resources.limits.cpu'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv011", - "References": [ - "https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", - "https://avd.aquasec.com/misconfig/ksv011" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 467, - "EndLine": 480, - "Code": { - "Lines": [ - { - "Number": 467, - "Content": " - name: download-dashboards", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: download-dashboards", - "FirstCause": true, - "LastCause": false - }, - { - 
"Number": 468, - "Content": " image: \"quay.io/devtron/curl:7.73.0\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/curl:7.73.0\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 469, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 470, - "Content": " command: [\"/bin/sh\"]", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mcommand\u001b[0m: [\u001b[38;5;37m\"/bin/sh\"\u001b[0m]", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 471, - "Content": " args: [ \"-c\", \"mkdir -p /var/lib/grafana/dashboards/default \u0026\u0026 /bin/sh /etc/grafana/download_dashboards.sh\" ]", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33margs\u001b[0m: [ \u001b[38;5;37m\"-c\"\u001b[0m, \u001b[38;5;37m\"mkdir -p /var/lib/grafana/dashboards/default \u0026\u0026 /bin/sh /etc/grafana/download_dashboards.sh\"\u001b[0m ]", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 472, - "Content": " resources:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mresources\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 473, - "Content": " {}", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " {}", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 474, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 475, - "Content": " volumeMounts:", - "IsCause": true, - "Annotation": "", - "Truncated": false, 
- "Highlighted": " \u001b[38;5;33mvolumeMounts\u001b[0m:", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 476, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV011", - "AVDID": "AVD-KSV-0011", - "Title": "CPU not limited", - "Description": "Enforcing CPU limits prevents DoS via resource exhaustion.", - "Message": "Container 'grafana' of Deployment 'devtron-grafana' should set 'resources.limits.cpu'", - "Namespace": "builtin.kubernetes.KSV011", - "Query": "data.builtin.kubernetes.KSV011.deny", - "Resolution": "Set a limit value under 'containers[].resources.limits.cpu'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv011", - "References": [ - "https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", - "https://avd.aquasec.com/misconfig/ksv011" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 516, - "EndLine": 565, - "Code": { - "Lines": [ - { - "Number": 516, - "Content": " - name: grafana", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: grafana", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 517, - "Content": " image: \"quay.io/devtron/grafana:7.3.1\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/grafana:7.3.1\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 518, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 519, - 
"Content": " volumeMounts:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvolumeMounts\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 520, - "Content": " - name: config", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: config", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 521, - "Content": " mountPath: \"/etc/grafana/grafana.ini\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mmountPath\u001b[0m: \u001b[38;5;37m\"/etc/grafana/grafana.ini\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 522, - "Content": " subPath: grafana.ini", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33msubPath\u001b[0m: grafana.ini", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 523, - "Content": " - name: storage", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: storage", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 524, - "Content": " mountPath: \"/var/lib/grafana\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mmountPath\u001b[0m: \u001b[38;5;37m\"/var/lib/grafana\"", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 525, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV011", - "AVDID": "AVD-KSV-0011", - "Title": "CPU not limited", - "Description": "Enforcing CPU limits prevents DoS via resource exhaustion.", - "Message": "Container 'grafana-sc-dashboard' of Deployment 'devtron-grafana' should set 'resources.limits.cpu'", - "Namespace": "builtin.kubernetes.KSV011", - "Query": 
"data.builtin.kubernetes.KSV011.deny", - "Resolution": "Set a limit value under 'containers[].resources.limits.cpu'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv011", - "References": [ - "https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", - "https://avd.aquasec.com/misconfig/ksv011" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 499, - "EndLine": 515, - "Code": { - "Lines": [ - { - "Number": 499, - "Content": " - name: grafana-sc-dashboard", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: grafana-sc-dashboard", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 500, - "Content": " image: \"quay.io/kiwigrid/k8s-sidecar:1.1.0\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/kiwigrid/k8s-sidecar:1.1.0\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 501, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 502, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 503, - "Content": " - name: METHOD", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: METHOD", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 504, - "Content": " value:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m:", - "FirstCause": false, - "LastCause": false 
- }, - { - "Number": 505, - "Content": " - name: LABEL", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: LABEL", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 506, - "Content": " value: \"grafana_dashboard\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: \u001b[38;5;37m\"grafana_dashboard\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 507, - "Content": " - name: FOLDER", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: FOLDER", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 508, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV011", - "AVDID": "AVD-KSV-0011", - "Title": "CPU not limited", - "Description": "Enforcing CPU limits prevents DoS via resource exhaustion.", - "Message": "Container 'grafana-sc-datasources' of Deployment 'devtron-grafana' should set 'resources.limits.cpu'", - "Namespace": "builtin.kubernetes.KSV011", - "Query": "data.builtin.kubernetes.KSV011.deny", - "Resolution": "Set a limit value under 'containers[].resources.limits.cpu'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv011", - "References": [ - "https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", - "https://avd.aquasec.com/misconfig/ksv011" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 481, - "EndLine": 497, - "Code": { - "Lines": [ - { - "Number": 481, - "Content": " - name: grafana-sc-datasources", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m - 
\u001b[38;5;33mname\u001b[0m: grafana-sc-datasources", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 482, - "Content": " image: \"quay.io/kiwigrid/k8s-sidecar:1.1.0\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/kiwigrid/k8s-sidecar:1.1.0\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 483, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 484, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 485, - "Content": " - name: METHOD", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: METHOD", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 486, - "Content": " value: LIST", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: LIST", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 487, - "Content": " - name: LABEL", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: LABEL", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 488, - "Content": " value: \"grafana_datasource\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: \u001b[38;5;37m\"grafana_datasource\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 489, - "Content": " - name: FOLDER", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: FOLDER", - "FirstCause": 
false, - "LastCause": true - }, - { - "Number": 490, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV011", - "AVDID": "AVD-KSV-0011", - "Title": "CPU not limited", - "Description": "Enforcing CPU limits prevents DoS via resource exhaustion.", - "Message": "Container 'init-chown-data' of Deployment 'devtron-grafana' should set 'resources.limits.cpu'", - "Namespace": "builtin.kubernetes.KSV011", - "Query": "data.builtin.kubernetes.KSV011.deny", - "Resolution": "Set a limit value under 'containers[].resources.limits.cpu'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv011", - "References": [ - "https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", - "https://avd.aquasec.com/misconfig/ksv011" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 455, - "EndLine": 466, - "Code": { - "Lines": [ - { - "Number": 455, - "Content": " - name: init-chown-data", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: init-chown-data", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 456, - "Content": " image: \"quay.io/devtron/busybox:1.31.1\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/busybox:1.31.1\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 457, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 458, - "Content": " securityContext:", - "IsCause": true, - 
"Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33msecurityContext\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 459, - "Content": " runAsNonRoot: false", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mfalse", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 460, - "Content": " runAsUser: 0", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m0", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 461, - "Content": " command: [\"chown\", \"-R\", \"472:472\", \"/var/lib/grafana\"]", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mcommand\u001b[0m: [\u001b[38;5;37m\"chown\"\u001b[0m, \u001b[38;5;37m\"-R\"\u001b[0m, \u001b[38;5;37m\"472:472\"\u001b[0m, \u001b[38;5;37m\"/var/lib/grafana\"\u001b[0m]", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 462, - "Content": " resources:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mresources\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 463, - "Content": " {}", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " {}", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 464, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV012", - "AVDID": "AVD-KSV-0012", - "Title": "Runs as root user", - "Description": "Force the running image to run as a non-root user to ensure least privileges.", - "Message": "Container 'devtron-test' of Pod 'devtron-grafana-test' should set 'securityContext.runAsNonRoot' to true", - "Namespace": 
"builtin.kubernetes.KSV012", - "Query": "data.builtin.kubernetes.KSV012.deny", - "Resolution": "Set 'containers[].securityContext.runAsNonRoot' to true.", - "Severity": "MEDIUM", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv012", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", - "https://avd.aquasec.com/misconfig/ksv012" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 628, - "EndLine": 635, - "Code": { - "Lines": [ - { - "Number": 628, - "Content": " - name: devtron-test", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: devtron-test", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 629, - "Content": " image: \"quay.io/devtron/bats:v1.1.0\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/bats:v1.1.0\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 630, - "Content": " imagePullPolicy: \"IfNotPresent\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: \u001b[38;5;37m\"IfNotPresent\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 631, - "Content": " command: [\"/opt/bats/bin/bats\", \"-t\", \"/tests/run.sh\"]", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mcommand\u001b[0m: [\u001b[38;5;37m\"/opt/bats/bin/bats\"\u001b[0m, \u001b[38;5;37m\"-t\"\u001b[0m, \u001b[38;5;37m\"/tests/run.sh\"\u001b[0m]", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 632, - "Content": " volumeMounts:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvolumeMounts\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - 
"Number": 633, - "Content": " - mountPath: /tests", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mmountPath\u001b[0m: /tests", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 634, - "Content": " name: tests", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mname\u001b[0m: tests", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 635, - "Content": " readOnly: true", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mreadOnly\u001b[0m: \u001b[38;5;166mtrue", - "FirstCause": false, - "LastCause": true - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV012", - "AVDID": "AVD-KSV-0012", - "Title": "Runs as root user", - "Description": "Force the running image to run as a non-root user to ensure least privileges.", - "Message": "Container 'download-dashboards' of Deployment 'devtron-grafana' should set 'securityContext.runAsNonRoot' to true", - "Namespace": "builtin.kubernetes.KSV012", - "Query": "data.builtin.kubernetes.KSV012.deny", - "Resolution": "Set 'containers[].securityContext.runAsNonRoot' to true.", - "Severity": "MEDIUM", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv012", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", - "https://avd.aquasec.com/misconfig/ksv012" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 467, - "EndLine": 480, - "Code": { - "Lines": [ - { - "Number": 467, - "Content": " - name: download-dashboards", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: download-dashboards", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 468, - "Content": " image: \"quay.io/devtron/curl:7.73.0\"", - "IsCause": true, - "Annotation": "", - 
"Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/curl:7.73.0\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 469, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 470, - "Content": " command: [\"/bin/sh\"]", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mcommand\u001b[0m: [\u001b[38;5;37m\"/bin/sh\"\u001b[0m]", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 471, - "Content": " args: [ \"-c\", \"mkdir -p /var/lib/grafana/dashboards/default \u0026\u0026 /bin/sh /etc/grafana/download_dashboards.sh\" ]", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33margs\u001b[0m: [ \u001b[38;5;37m\"-c\"\u001b[0m, \u001b[38;5;37m\"mkdir -p /var/lib/grafana/dashboards/default \u0026\u0026 /bin/sh /etc/grafana/download_dashboards.sh\"\u001b[0m ]", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 472, - "Content": " resources:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mresources\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 473, - "Content": " {}", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " {}", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 474, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 475, - "Content": " volumeMounts:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvolumeMounts\u001b[0m:", - "FirstCause": false, - "LastCause": true - }, - { 
- "Number": 476, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV012", - "AVDID": "AVD-KSV-0012", - "Title": "Runs as root user", - "Description": "Force the running image to run as a non-root user to ensure least privileges.", - "Message": "Container 'grafana' of Deployment 'devtron-grafana' should set 'securityContext.runAsNonRoot' to true", - "Namespace": "builtin.kubernetes.KSV012", - "Query": "data.builtin.kubernetes.KSV012.deny", - "Resolution": "Set 'containers[].securityContext.runAsNonRoot' to true.", - "Severity": "MEDIUM", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv012", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", - "https://avd.aquasec.com/misconfig/ksv012" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 516, - "EndLine": 565, - "Code": { - "Lines": [ - { - "Number": 516, - "Content": " - name: grafana", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: grafana", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 517, - "Content": " image: \"quay.io/devtron/grafana:7.3.1\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/grafana:7.3.1\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 518, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 519, - "Content": " volumeMounts:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " 
\u001b[38;5;33mvolumeMounts\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 520, - "Content": " - name: config", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: config", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 521, - "Content": " mountPath: \"/etc/grafana/grafana.ini\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mmountPath\u001b[0m: \u001b[38;5;37m\"/etc/grafana/grafana.ini\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 522, - "Content": " subPath: grafana.ini", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33msubPath\u001b[0m: grafana.ini", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 523, - "Content": " - name: storage", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: storage", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 524, - "Content": " mountPath: \"/var/lib/grafana\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mmountPath\u001b[0m: \u001b[38;5;37m\"/var/lib/grafana\"", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 525, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV012", - "AVDID": "AVD-KSV-0012", - "Title": "Runs as root user", - "Description": "Force the running image to run as a non-root user to ensure least privileges.", - "Message": "Container 'grafana-sc-dashboard' of Deployment 'devtron-grafana' should set 'securityContext.runAsNonRoot' to true", - "Namespace": "builtin.kubernetes.KSV012", - "Query": "data.builtin.kubernetes.KSV012.deny", - "Resolution": "Set 
'containers[].securityContext.runAsNonRoot' to true.", - "Severity": "MEDIUM", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv012", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", - "https://avd.aquasec.com/misconfig/ksv012" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 499, - "EndLine": 515, - "Code": { - "Lines": [ - { - "Number": 499, - "Content": " - name: grafana-sc-dashboard", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: grafana-sc-dashboard", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 500, - "Content": " image: \"quay.io/kiwigrid/k8s-sidecar:1.1.0\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/kiwigrid/k8s-sidecar:1.1.0\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 501, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 502, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 503, - "Content": " - name: METHOD", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: METHOD", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 504, - "Content": " value:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 505, - "Content": " - name: LABEL", - "IsCause": true, - "Annotation": "", 
- "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: LABEL", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 506, - "Content": " value: \"grafana_dashboard\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: \u001b[38;5;37m\"grafana_dashboard\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 507, - "Content": " - name: FOLDER", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: FOLDER", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 508, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV012", - "AVDID": "AVD-KSV-0012", - "Title": "Runs as root user", - "Description": "Force the running image to run as a non-root user to ensure least privileges.", - "Message": "Container 'grafana-sc-datasources' of Deployment 'devtron-grafana' should set 'securityContext.runAsNonRoot' to true", - "Namespace": "builtin.kubernetes.KSV012", - "Query": "data.builtin.kubernetes.KSV012.deny", - "Resolution": "Set 'containers[].securityContext.runAsNonRoot' to true.", - "Severity": "MEDIUM", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv012", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", - "https://avd.aquasec.com/misconfig/ksv012" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 481, - "EndLine": 497, - "Code": { - "Lines": [ - { - "Number": 481, - "Content": " - name: grafana-sc-datasources", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: grafana-sc-datasources", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 
482, - "Content": " image: \"quay.io/kiwigrid/k8s-sidecar:1.1.0\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/kiwigrid/k8s-sidecar:1.1.0\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 483, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 484, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 485, - "Content": " - name: METHOD", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: METHOD", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 486, - "Content": " value: LIST", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: LIST", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 487, - "Content": " - name: LABEL", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: LABEL", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 488, - "Content": " value: \"grafana_datasource\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: \u001b[38;5;37m\"grafana_datasource\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 489, - "Content": " - name: FOLDER", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: FOLDER", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 490, - "Content": "", - "IsCause": false, - "Annotation": "", - 
"Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV012", - "AVDID": "AVD-KSV-0012", - "Title": "Runs as root user", - "Description": "Force the running image to run as a non-root user to ensure least privileges.", - "Message": "Container 'init-chown-data' of Deployment 'devtron-grafana' should set 'securityContext.runAsNonRoot' to true", - "Namespace": "builtin.kubernetes.KSV012", - "Query": "data.builtin.kubernetes.KSV012.deny", - "Resolution": "Set 'containers[].securityContext.runAsNonRoot' to true.", - "Severity": "MEDIUM", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv012", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", - "https://avd.aquasec.com/misconfig/ksv012" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 455, - "EndLine": 466, - "Code": { - "Lines": [ - { - "Number": 455, - "Content": " - name: init-chown-data", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: init-chown-data", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 456, - "Content": " image: \"quay.io/devtron/busybox:1.31.1\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/busybox:1.31.1\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 457, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 458, - "Content": " securityContext:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33msecurityContext\u001b[0m:", - "FirstCause": 
false, - "LastCause": false - }, - { - "Number": 459, - "Content": " runAsNonRoot: false", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mfalse", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 460, - "Content": " runAsUser: 0", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m0", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 461, - "Content": " command: [\"chown\", \"-R\", \"472:472\", \"/var/lib/grafana\"]", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mcommand\u001b[0m: [\u001b[38;5;37m\"chown\"\u001b[0m, \u001b[38;5;37m\"-R\"\u001b[0m, \u001b[38;5;37m\"472:472\"\u001b[0m, \u001b[38;5;37m\"/var/lib/grafana\"\u001b[0m]", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 462, - "Content": " resources:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mresources\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 463, - "Content": " {}", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " {}", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 464, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV014", - "AVDID": "AVD-KSV-0014", - "Title": "Root file system is not read-only", - "Description": "An immutable root file system prevents applications from writing to their local disk. 
This can limit intrusions, as attackers will not be able to tamper with the file system or write foreign executables to disk.", - "Message": "Container 'devtron-test' of Pod 'devtron-grafana-test' should set 'securityContext.readOnlyRootFilesystem' to true", - "Namespace": "builtin.kubernetes.KSV014", - "Query": "data.builtin.kubernetes.KSV014.deny", - "Resolution": "Change 'containers[].securityContext.readOnlyRootFilesystem' to 'true'.", - "Severity": "HIGH", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv014", - "References": [ - "https://kubesec.io/basics/containers-securitycontext-readonlyrootfilesystem-true/", - "https://avd.aquasec.com/misconfig/ksv014" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 628, - "EndLine": 635, - "Code": { - "Lines": [ - { - "Number": 628, - "Content": " - name: devtron-test", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: devtron-test", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 629, - "Content": " image: \"quay.io/devtron/bats:v1.1.0\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/bats:v1.1.0\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 630, - "Content": " imagePullPolicy: \"IfNotPresent\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: \u001b[38;5;37m\"IfNotPresent\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 631, - "Content": " command: [\"/opt/bats/bin/bats\", \"-t\", \"/tests/run.sh\"]", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mcommand\u001b[0m: [\u001b[38;5;37m\"/opt/bats/bin/bats\"\u001b[0m, \u001b[38;5;37m\"-t\"\u001b[0m, 
\u001b[38;5;37m\"/tests/run.sh\"\u001b[0m]", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 632, - "Content": " volumeMounts:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvolumeMounts\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 633, - "Content": " - mountPath: /tests", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mmountPath\u001b[0m: /tests", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 634, - "Content": " name: tests", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mname\u001b[0m: tests", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 635, - "Content": " readOnly: true", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mreadOnly\u001b[0m: \u001b[38;5;166mtrue", - "FirstCause": false, - "LastCause": true - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV014", - "AVDID": "AVD-KSV-0014", - "Title": "Root file system is not read-only", - "Description": "An immutable root file system prevents applications from writing to their local disk. 
This can limit intrusions, as attackers will not be able to tamper with the file system or write foreign executables to disk.", - "Message": "Container 'download-dashboards' of Deployment 'devtron-grafana' should set 'securityContext.readOnlyRootFilesystem' to true", - "Namespace": "builtin.kubernetes.KSV014", - "Query": "data.builtin.kubernetes.KSV014.deny", - "Resolution": "Change 'containers[].securityContext.readOnlyRootFilesystem' to 'true'.", - "Severity": "HIGH", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv014", - "References": [ - "https://kubesec.io/basics/containers-securitycontext-readonlyrootfilesystem-true/", - "https://avd.aquasec.com/misconfig/ksv014" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 467, - "EndLine": 480, - "Code": { - "Lines": [ - { - "Number": 467, - "Content": " - name: download-dashboards", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: download-dashboards", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 468, - "Content": " image: \"quay.io/devtron/curl:7.73.0\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/curl:7.73.0\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 469, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 470, - "Content": " command: [\"/bin/sh\"]", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mcommand\u001b[0m: [\u001b[38;5;37m\"/bin/sh\"\u001b[0m]", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 471, - "Content": " args: [ \"-c\", \"mkdir -p 
/var/lib/grafana/dashboards/default \u0026\u0026 /bin/sh /etc/grafana/download_dashboards.sh\" ]", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33margs\u001b[0m: [ \u001b[38;5;37m\"-c\"\u001b[0m, \u001b[38;5;37m\"mkdir -p /var/lib/grafana/dashboards/default \u0026\u0026 /bin/sh /etc/grafana/download_dashboards.sh\"\u001b[0m ]", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 472, - "Content": " resources:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mresources\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 473, - "Content": " {}", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " {}", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 474, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 475, - "Content": " volumeMounts:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvolumeMounts\u001b[0m:", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 476, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV014", - "AVDID": "AVD-KSV-0014", - "Title": "Root file system is not read-only", - "Description": "An immutable root file system prevents applications from writing to their local disk. 
This can limit intrusions, as attackers will not be able to tamper with the file system or write foreign executables to disk.", - "Message": "Container 'grafana' of Deployment 'devtron-grafana' should set 'securityContext.readOnlyRootFilesystem' to true", - "Namespace": "builtin.kubernetes.KSV014", - "Query": "data.builtin.kubernetes.KSV014.deny", - "Resolution": "Change 'containers[].securityContext.readOnlyRootFilesystem' to 'true'.", - "Severity": "HIGH", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv014", - "References": [ - "https://kubesec.io/basics/containers-securitycontext-readonlyrootfilesystem-true/", - "https://avd.aquasec.com/misconfig/ksv014" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 516, - "EndLine": 565, - "Code": { - "Lines": [ - { - "Number": 516, - "Content": " - name: grafana", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: grafana", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 517, - "Content": " image: \"quay.io/devtron/grafana:7.3.1\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/grafana:7.3.1\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 518, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 519, - "Content": " volumeMounts:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvolumeMounts\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 520, - "Content": " - name: config", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - 
\u001b[38;5;33mname\u001b[0m: config", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 521, - "Content": " mountPath: \"/etc/grafana/grafana.ini\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mmountPath\u001b[0m: \u001b[38;5;37m\"/etc/grafana/grafana.ini\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 522, - "Content": " subPath: grafana.ini", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33msubPath\u001b[0m: grafana.ini", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 523, - "Content": " - name: storage", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: storage", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 524, - "Content": " mountPath: \"/var/lib/grafana\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mmountPath\u001b[0m: \u001b[38;5;37m\"/var/lib/grafana\"", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 525, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV014", - "AVDID": "AVD-KSV-0014", - "Title": "Root file system is not read-only", - "Description": "An immutable root file system prevents applications from writing to their local disk. 
This can limit intrusions, as attackers will not be able to tamper with the file system or write foreign executables to disk.", - "Message": "Container 'grafana-sc-dashboard' of Deployment 'devtron-grafana' should set 'securityContext.readOnlyRootFilesystem' to true", - "Namespace": "builtin.kubernetes.KSV014", - "Query": "data.builtin.kubernetes.KSV014.deny", - "Resolution": "Change 'containers[].securityContext.readOnlyRootFilesystem' to 'true'.", - "Severity": "HIGH", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv014", - "References": [ - "https://kubesec.io/basics/containers-securitycontext-readonlyrootfilesystem-true/", - "https://avd.aquasec.com/misconfig/ksv014" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 499, - "EndLine": 515, - "Code": { - "Lines": [ - { - "Number": 499, - "Content": " - name: grafana-sc-dashboard", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: grafana-sc-dashboard", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 500, - "Content": " image: \"quay.io/kiwigrid/k8s-sidecar:1.1.0\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/kiwigrid/k8s-sidecar:1.1.0\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 501, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 502, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 503, - "Content": " - name: METHOD", - "IsCause": true, - "Annotation": "", - "Truncated": false, - 
"Highlighted": " - \u001b[38;5;33mname\u001b[0m: METHOD", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 504, - "Content": " value:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 505, - "Content": " - name: LABEL", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: LABEL", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 506, - "Content": " value: \"grafana_dashboard\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: \u001b[38;5;37m\"grafana_dashboard\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 507, - "Content": " - name: FOLDER", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: FOLDER", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 508, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV014", - "AVDID": "AVD-KSV-0014", - "Title": "Root file system is not read-only", - "Description": "An immutable root file system prevents applications from writing to their local disk. 
This can limit intrusions, as attackers will not be able to tamper with the file system or write foreign executables to disk.", - "Message": "Container 'grafana-sc-datasources' of Deployment 'devtron-grafana' should set 'securityContext.readOnlyRootFilesystem' to true", - "Namespace": "builtin.kubernetes.KSV014", - "Query": "data.builtin.kubernetes.KSV014.deny", - "Resolution": "Change 'containers[].securityContext.readOnlyRootFilesystem' to 'true'.", - "Severity": "HIGH", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv014", - "References": [ - "https://kubesec.io/basics/containers-securitycontext-readonlyrootfilesystem-true/", - "https://avd.aquasec.com/misconfig/ksv014" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 481, - "EndLine": 497, - "Code": { - "Lines": [ - { - "Number": 481, - "Content": " - name: grafana-sc-datasources", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: grafana-sc-datasources", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 482, - "Content": " image: \"quay.io/kiwigrid/k8s-sidecar:1.1.0\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/kiwigrid/k8s-sidecar:1.1.0\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 483, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 484, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 485, - "Content": " - name: METHOD", - "IsCause": true, - "Annotation": "", - "Truncated": 
false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: METHOD", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 486, - "Content": " value: LIST", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: LIST", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 487, - "Content": " - name: LABEL", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: LABEL", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 488, - "Content": " value: \"grafana_datasource\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: \u001b[38;5;37m\"grafana_datasource\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 489, - "Content": " - name: FOLDER", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: FOLDER", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 490, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV014", - "AVDID": "AVD-KSV-0014", - "Title": "Root file system is not read-only", - "Description": "An immutable root file system prevents applications from writing to their local disk. 
This can limit intrusions, as attackers will not be able to tamper with the file system or write foreign executables to disk.", - "Message": "Container 'init-chown-data' of Deployment 'devtron-grafana' should set 'securityContext.readOnlyRootFilesystem' to true", - "Namespace": "builtin.kubernetes.KSV014", - "Query": "data.builtin.kubernetes.KSV014.deny", - "Resolution": "Change 'containers[].securityContext.readOnlyRootFilesystem' to 'true'.", - "Severity": "HIGH", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv014", - "References": [ - "https://kubesec.io/basics/containers-securitycontext-readonlyrootfilesystem-true/", - "https://avd.aquasec.com/misconfig/ksv014" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 455, - "EndLine": 466, - "Code": { - "Lines": [ - { - "Number": 455, - "Content": " - name: init-chown-data", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: init-chown-data", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 456, - "Content": " image: \"quay.io/devtron/busybox:1.31.1\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/busybox:1.31.1\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 457, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 458, - "Content": " securityContext:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33msecurityContext\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 459, - "Content": " runAsNonRoot: false", - "IsCause": true, - "Annotation": "", - "Truncated": false, - 
"Highlighted": " \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mfalse", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 460, - "Content": " runAsUser: 0", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m0", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 461, - "Content": " command: [\"chown\", \"-R\", \"472:472\", \"/var/lib/grafana\"]", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mcommand\u001b[0m: [\u001b[38;5;37m\"chown\"\u001b[0m, \u001b[38;5;37m\"-R\"\u001b[0m, \u001b[38;5;37m\"472:472\"\u001b[0m, \u001b[38;5;37m\"/var/lib/grafana\"\u001b[0m]", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 462, - "Content": " resources:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mresources\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 463, - "Content": " {}", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " {}", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 464, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV015", - "AVDID": "AVD-KSV-0015", - "Title": "CPU requests not specified", - "Description": "When containers have resource requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", - "Message": "Container 'devtron-test' of Pod 'devtron-grafana-test' should set 'resources.requests.cpu'", - "Namespace": "builtin.kubernetes.KSV015", - "Query": "data.builtin.kubernetes.KSV015.deny", - "Resolution": "Set 'containers[].resources.requests.cpu'.", - "Severity": "LOW", - "PrimaryURL": 
"https://avd.aquasec.com/misconfig/ksv015", - "References": [ - "https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", - "https://avd.aquasec.com/misconfig/ksv015" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 628, - "EndLine": 635, - "Code": { - "Lines": [ - { - "Number": 628, - "Content": " - name: devtron-test", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: devtron-test", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 629, - "Content": " image: \"quay.io/devtron/bats:v1.1.0\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/bats:v1.1.0\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 630, - "Content": " imagePullPolicy: \"IfNotPresent\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: \u001b[38;5;37m\"IfNotPresent\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 631, - "Content": " command: [\"/opt/bats/bin/bats\", \"-t\", \"/tests/run.sh\"]", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mcommand\u001b[0m: [\u001b[38;5;37m\"/opt/bats/bin/bats\"\u001b[0m, \u001b[38;5;37m\"-t\"\u001b[0m, \u001b[38;5;37m\"/tests/run.sh\"\u001b[0m]", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 632, - "Content": " volumeMounts:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvolumeMounts\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 633, - "Content": " - mountPath: /tests", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - 
\u001b[38;5;33mmountPath\u001b[0m: /tests", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 634, - "Content": " name: tests", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mname\u001b[0m: tests", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 635, - "Content": " readOnly: true", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mreadOnly\u001b[0m: \u001b[38;5;166mtrue", - "FirstCause": false, - "LastCause": true - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV015", - "AVDID": "AVD-KSV-0015", - "Title": "CPU requests not specified", - "Description": "When containers have resource requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", - "Message": "Container 'download-dashboards' of Deployment 'devtron-grafana' should set 'resources.requests.cpu'", - "Namespace": "builtin.kubernetes.KSV015", - "Query": "data.builtin.kubernetes.KSV015.deny", - "Resolution": "Set 'containers[].resources.requests.cpu'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv015", - "References": [ - "https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", - "https://avd.aquasec.com/misconfig/ksv015" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 467, - "EndLine": 480, - "Code": { - "Lines": [ - { - "Number": 467, - "Content": " - name: download-dashboards", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: download-dashboards", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 468, - "Content": " image: \"quay.io/devtron/curl:7.73.0\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - 
"Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/curl:7.73.0\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 469, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 470, - "Content": " command: [\"/bin/sh\"]", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mcommand\u001b[0m: [\u001b[38;5;37m\"/bin/sh\"\u001b[0m]", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 471, - "Content": " args: [ \"-c\", \"mkdir -p /var/lib/grafana/dashboards/default \u0026\u0026 /bin/sh /etc/grafana/download_dashboards.sh\" ]", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33margs\u001b[0m: [ \u001b[38;5;37m\"-c\"\u001b[0m, \u001b[38;5;37m\"mkdir -p /var/lib/grafana/dashboards/default \u0026\u0026 /bin/sh /etc/grafana/download_dashboards.sh\"\u001b[0m ]", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 472, - "Content": " resources:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mresources\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 473, - "Content": " {}", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " {}", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 474, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 475, - "Content": " volumeMounts:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvolumeMounts\u001b[0m:", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 476, - 
"Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV015", - "AVDID": "AVD-KSV-0015", - "Title": "CPU requests not specified", - "Description": "When containers have resource requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", - "Message": "Container 'grafana' of Deployment 'devtron-grafana' should set 'resources.requests.cpu'", - "Namespace": "builtin.kubernetes.KSV015", - "Query": "data.builtin.kubernetes.KSV015.deny", - "Resolution": "Set 'containers[].resources.requests.cpu'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv015", - "References": [ - "https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", - "https://avd.aquasec.com/misconfig/ksv015" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 516, - "EndLine": 565, - "Code": { - "Lines": [ - { - "Number": 516, - "Content": " - name: grafana", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: grafana", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 517, - "Content": " image: \"quay.io/devtron/grafana:7.3.1\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/grafana:7.3.1\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 518, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 519, - "Content": " volumeMounts:", - 
"IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvolumeMounts\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 520, - "Content": " - name: config", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: config", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 521, - "Content": " mountPath: \"/etc/grafana/grafana.ini\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mmountPath\u001b[0m: \u001b[38;5;37m\"/etc/grafana/grafana.ini\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 522, - "Content": " subPath: grafana.ini", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33msubPath\u001b[0m: grafana.ini", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 523, - "Content": " - name: storage", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: storage", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 524, - "Content": " mountPath: \"/var/lib/grafana\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mmountPath\u001b[0m: \u001b[38;5;37m\"/var/lib/grafana\"", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 525, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV015", - "AVDID": "AVD-KSV-0015", - "Title": "CPU requests not specified", - "Description": "When containers have resource requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", - "Message": "Container 'grafana-sc-dashboard' of Deployment 'devtron-grafana' should set 
'resources.requests.cpu'", - "Namespace": "builtin.kubernetes.KSV015", - "Query": "data.builtin.kubernetes.KSV015.deny", - "Resolution": "Set 'containers[].resources.requests.cpu'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv015", - "References": [ - "https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", - "https://avd.aquasec.com/misconfig/ksv015" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 499, - "EndLine": 515, - "Code": { - "Lines": [ - { - "Number": 499, - "Content": " - name: grafana-sc-dashboard", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: grafana-sc-dashboard", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 500, - "Content": " image: \"quay.io/kiwigrid/k8s-sidecar:1.1.0\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/kiwigrid/k8s-sidecar:1.1.0\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 501, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 502, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 503, - "Content": " - name: METHOD", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: METHOD", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 504, - "Content": " value:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " 
\u001b[38;5;33mvalue\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 505, - "Content": " - name: LABEL", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: LABEL", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 506, - "Content": " value: \"grafana_dashboard\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: \u001b[38;5;37m\"grafana_dashboard\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 507, - "Content": " - name: FOLDER", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: FOLDER", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 508, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV015", - "AVDID": "AVD-KSV-0015", - "Title": "CPU requests not specified", - "Description": "When containers have resource requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", - "Message": "Container 'grafana-sc-datasources' of Deployment 'devtron-grafana' should set 'resources.requests.cpu'", - "Namespace": "builtin.kubernetes.KSV015", - "Query": "data.builtin.kubernetes.KSV015.deny", - "Resolution": "Set 'containers[].resources.requests.cpu'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv015", - "References": [ - "https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", - "https://avd.aquasec.com/misconfig/ksv015" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 481, - "EndLine": 497, - "Code": { - "Lines": [ - 
{ - "Number": 481, - "Content": " - name: grafana-sc-datasources", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: grafana-sc-datasources", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 482, - "Content": " image: \"quay.io/kiwigrid/k8s-sidecar:1.1.0\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/kiwigrid/k8s-sidecar:1.1.0\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 483, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 484, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 485, - "Content": " - name: METHOD", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: METHOD", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 486, - "Content": " value: LIST", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: LIST", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 487, - "Content": " - name: LABEL", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: LABEL", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 488, - "Content": " value: \"grafana_datasource\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: \u001b[38;5;37m\"grafana_datasource\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 489, - "Content": " - name: 
FOLDER", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: FOLDER", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 490, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV015", - "AVDID": "AVD-KSV-0015", - "Title": "CPU requests not specified", - "Description": "When containers have resource requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", - "Message": "Container 'init-chown-data' of Deployment 'devtron-grafana' should set 'resources.requests.cpu'", - "Namespace": "builtin.kubernetes.KSV015", - "Query": "data.builtin.kubernetes.KSV015.deny", - "Resolution": "Set 'containers[].resources.requests.cpu'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv015", - "References": [ - "https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", - "https://avd.aquasec.com/misconfig/ksv015" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 455, - "EndLine": 466, - "Code": { - "Lines": [ - { - "Number": 455, - "Content": " - name: init-chown-data", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: init-chown-data", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 456, - "Content": " image: \"quay.io/devtron/busybox:1.31.1\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/busybox:1.31.1\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 457, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - 
"Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 458, - "Content": " securityContext:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33msecurityContext\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 459, - "Content": " runAsNonRoot: false", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mfalse", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 460, - "Content": " runAsUser: 0", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m0", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 461, - "Content": " command: [\"chown\", \"-R\", \"472:472\", \"/var/lib/grafana\"]", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mcommand\u001b[0m: [\u001b[38;5;37m\"chown\"\u001b[0m, \u001b[38;5;37m\"-R\"\u001b[0m, \u001b[38;5;37m\"472:472\"\u001b[0m, \u001b[38;5;37m\"/var/lib/grafana\"\u001b[0m]", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 462, - "Content": " resources:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mresources\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 463, - "Content": " {}", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " {}", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 464, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV016", - "AVDID": "AVD-KSV-0016", - "Title": "Memory requests not 
specified", - "Description": "When containers have memory requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", - "Message": "Container 'devtron-test' of Pod 'devtron-grafana-test' should set 'resources.requests.memory'", - "Namespace": "builtin.kubernetes.KSV016", - "Query": "data.builtin.kubernetes.KSV016.deny", - "Resolution": "Set 'containers[].resources.requests.memory'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv016", - "References": [ - "https://kubesec.io/basics/containers-resources-limits-memory/", - "https://avd.aquasec.com/misconfig/ksv016" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 628, - "EndLine": 635, - "Code": { - "Lines": [ - { - "Number": 628, - "Content": " - name: devtron-test", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: devtron-test", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 629, - "Content": " image: \"quay.io/devtron/bats:v1.1.0\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/bats:v1.1.0\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 630, - "Content": " imagePullPolicy: \"IfNotPresent\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: \u001b[38;5;37m\"IfNotPresent\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 631, - "Content": " command: [\"/opt/bats/bin/bats\", \"-t\", \"/tests/run.sh\"]", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mcommand\u001b[0m: [\u001b[38;5;37m\"/opt/bats/bin/bats\"\u001b[0m, \u001b[38;5;37m\"-t\"\u001b[0m, 
\u001b[38;5;37m\"/tests/run.sh\"\u001b[0m]", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 632, - "Content": " volumeMounts:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvolumeMounts\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 633, - "Content": " - mountPath: /tests", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mmountPath\u001b[0m: /tests", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 634, - "Content": " name: tests", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mname\u001b[0m: tests", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 635, - "Content": " readOnly: true", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mreadOnly\u001b[0m: \u001b[38;5;166mtrue", - "FirstCause": false, - "LastCause": true - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV016", - "AVDID": "AVD-KSV-0016", - "Title": "Memory requests not specified", - "Description": "When containers have memory requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", - "Message": "Container 'download-dashboards' of Deployment 'devtron-grafana' should set 'resources.requests.memory'", - "Namespace": "builtin.kubernetes.KSV016", - "Query": "data.builtin.kubernetes.KSV016.deny", - "Resolution": "Set 'containers[].resources.requests.memory'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv016", - "References": [ - "https://kubesec.io/basics/containers-resources-limits-memory/", - "https://avd.aquasec.com/misconfig/ksv016" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 467, - "EndLine": 480, - "Code": { - "Lines": 
[ - { - "Number": 467, - "Content": " - name: download-dashboards", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: download-dashboards", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 468, - "Content": " image: \"quay.io/devtron/curl:7.73.0\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/curl:7.73.0\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 469, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 470, - "Content": " command: [\"/bin/sh\"]", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mcommand\u001b[0m: [\u001b[38;5;37m\"/bin/sh\"\u001b[0m]", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 471, - "Content": " args: [ \"-c\", \"mkdir -p /var/lib/grafana/dashboards/default \u0026\u0026 /bin/sh /etc/grafana/download_dashboards.sh\" ]", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33margs\u001b[0m: [ \u001b[38;5;37m\"-c\"\u001b[0m, \u001b[38;5;37m\"mkdir -p /var/lib/grafana/dashboards/default \u0026\u0026 /bin/sh /etc/grafana/download_dashboards.sh\"\u001b[0m ]", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 472, - "Content": " resources:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mresources\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 473, - "Content": " {}", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " {}", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 474, - "Content": " env:", - 
"IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 475, - "Content": " volumeMounts:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvolumeMounts\u001b[0m:", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 476, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV016", - "AVDID": "AVD-KSV-0016", - "Title": "Memory requests not specified", - "Description": "When containers have memory requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", - "Message": "Container 'grafana' of Deployment 'devtron-grafana' should set 'resources.requests.memory'", - "Namespace": "builtin.kubernetes.KSV016", - "Query": "data.builtin.kubernetes.KSV016.deny", - "Resolution": "Set 'containers[].resources.requests.memory'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv016", - "References": [ - "https://kubesec.io/basics/containers-resources-limits-memory/", - "https://avd.aquasec.com/misconfig/ksv016" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 516, - "EndLine": 565, - "Code": { - "Lines": [ - { - "Number": 516, - "Content": " - name: grafana", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: grafana", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 517, - "Content": " image: \"quay.io/devtron/grafana:7.3.1\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/grafana:7.3.1\"", - 
"FirstCause": false, - "LastCause": false - }, - { - "Number": 518, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 519, - "Content": " volumeMounts:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvolumeMounts\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 520, - "Content": " - name: config", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: config", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 521, - "Content": " mountPath: \"/etc/grafana/grafana.ini\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mmountPath\u001b[0m: \u001b[38;5;37m\"/etc/grafana/grafana.ini\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 522, - "Content": " subPath: grafana.ini", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33msubPath\u001b[0m: grafana.ini", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 523, - "Content": " - name: storage", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: storage", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 524, - "Content": " mountPath: \"/var/lib/grafana\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mmountPath\u001b[0m: \u001b[38;5;37m\"/var/lib/grafana\"", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 525, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": 
"KSV016", - "AVDID": "AVD-KSV-0016", - "Title": "Memory requests not specified", - "Description": "When containers have memory requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", - "Message": "Container 'grafana-sc-dashboard' of Deployment 'devtron-grafana' should set 'resources.requests.memory'", - "Namespace": "builtin.kubernetes.KSV016", - "Query": "data.builtin.kubernetes.KSV016.deny", - "Resolution": "Set 'containers[].resources.requests.memory'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv016", - "References": [ - "https://kubesec.io/basics/containers-resources-limits-memory/", - "https://avd.aquasec.com/misconfig/ksv016" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 499, - "EndLine": 515, - "Code": { - "Lines": [ - { - "Number": 499, - "Content": " - name: grafana-sc-dashboard", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: grafana-sc-dashboard", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 500, - "Content": " image: \"quay.io/kiwigrid/k8s-sidecar:1.1.0\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/kiwigrid/k8s-sidecar:1.1.0\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 501, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 502, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 503, - "Content": " - name: 
METHOD", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: METHOD", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 504, - "Content": " value:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 505, - "Content": " - name: LABEL", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: LABEL", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 506, - "Content": " value: \"grafana_dashboard\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: \u001b[38;5;37m\"grafana_dashboard\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 507, - "Content": " - name: FOLDER", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: FOLDER", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 508, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV016", - "AVDID": "AVD-KSV-0016", - "Title": "Memory requests not specified", - "Description": "When containers have memory requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", - "Message": "Container 'grafana-sc-datasources' of Deployment 'devtron-grafana' should set 'resources.requests.memory'", - "Namespace": "builtin.kubernetes.KSV016", - "Query": "data.builtin.kubernetes.KSV016.deny", - "Resolution": "Set 'containers[].resources.requests.memory'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv016", - "References": [ - 
"https://kubesec.io/basics/containers-resources-limits-memory/", - "https://avd.aquasec.com/misconfig/ksv016" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 481, - "EndLine": 497, - "Code": { - "Lines": [ - { - "Number": 481, - "Content": " - name: grafana-sc-datasources", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: grafana-sc-datasources", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 482, - "Content": " image: \"quay.io/kiwigrid/k8s-sidecar:1.1.0\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/kiwigrid/k8s-sidecar:1.1.0\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 483, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 484, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 485, - "Content": " - name: METHOD", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: METHOD", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 486, - "Content": " value: LIST", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: LIST", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 487, - "Content": " - name: LABEL", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: LABEL", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 488, - 
"Content": " value: \"grafana_datasource\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: \u001b[38;5;37m\"grafana_datasource\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 489, - "Content": " - name: FOLDER", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: FOLDER", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 490, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV016", - "AVDID": "AVD-KSV-0016", - "Title": "Memory requests not specified", - "Description": "When containers have memory requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", - "Message": "Container 'init-chown-data' of Deployment 'devtron-grafana' should set 'resources.requests.memory'", - "Namespace": "builtin.kubernetes.KSV016", - "Query": "data.builtin.kubernetes.KSV016.deny", - "Resolution": "Set 'containers[].resources.requests.memory'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv016", - "References": [ - "https://kubesec.io/basics/containers-resources-limits-memory/", - "https://avd.aquasec.com/misconfig/ksv016" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 455, - "EndLine": 466, - "Code": { - "Lines": [ - { - "Number": 455, - "Content": " - name: init-chown-data", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: init-chown-data", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 456, - "Content": " image: \"quay.io/devtron/busybox:1.31.1\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, 
- "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/busybox:1.31.1\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 457, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 458, - "Content": " securityContext:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33msecurityContext\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 459, - "Content": " runAsNonRoot: false", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mfalse", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 460, - "Content": " runAsUser: 0", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m0", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 461, - "Content": " command: [\"chown\", \"-R\", \"472:472\", \"/var/lib/grafana\"]", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mcommand\u001b[0m: [\u001b[38;5;37m\"chown\"\u001b[0m, \u001b[38;5;37m\"-R\"\u001b[0m, \u001b[38;5;37m\"472:472\"\u001b[0m, \u001b[38;5;37m\"/var/lib/grafana\"\u001b[0m]", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 462, - "Content": " resources:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mresources\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 463, - "Content": " {}", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " {}", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 464, - "Content": "", - "IsCause": 
false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV018", - "AVDID": "AVD-KSV-0018", - "Title": "Memory not limited", - "Description": "Enforcing memory limits prevents DoS via resource exhaustion.", - "Message": "Container 'devtron-test' of Pod 'devtron-grafana-test' should set 'resources.limits.memory'", - "Namespace": "builtin.kubernetes.KSV018", - "Query": "data.builtin.kubernetes.KSV018.deny", - "Resolution": "Set a limit value under 'containers[].resources.limits.memory'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv018", - "References": [ - "https://kubesec.io/basics/containers-resources-limits-memory/", - "https://avd.aquasec.com/misconfig/ksv018" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 628, - "EndLine": 635, - "Code": { - "Lines": [ - { - "Number": 628, - "Content": " - name: devtron-test", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: devtron-test", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 629, - "Content": " image: \"quay.io/devtron/bats:v1.1.0\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/bats:v1.1.0\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 630, - "Content": " imagePullPolicy: \"IfNotPresent\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: \u001b[38;5;37m\"IfNotPresent\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 631, - "Content": " command: [\"/opt/bats/bin/bats\", \"-t\", \"/tests/run.sh\"]", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m 
\u001b[38;5;33mcommand\u001b[0m: [\u001b[38;5;37m\"/opt/bats/bin/bats\"\u001b[0m, \u001b[38;5;37m\"-t\"\u001b[0m, \u001b[38;5;37m\"/tests/run.sh\"\u001b[0m]", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 632, - "Content": " volumeMounts:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvolumeMounts\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 633, - "Content": " - mountPath: /tests", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mmountPath\u001b[0m: /tests", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 634, - "Content": " name: tests", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mname\u001b[0m: tests", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 635, - "Content": " readOnly: true", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mreadOnly\u001b[0m: \u001b[38;5;166mtrue", - "FirstCause": false, - "LastCause": true - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV018", - "AVDID": "AVD-KSV-0018", - "Title": "Memory not limited", - "Description": "Enforcing memory limits prevents DoS via resource exhaustion.", - "Message": "Container 'download-dashboards' of Deployment 'devtron-grafana' should set 'resources.limits.memory'", - "Namespace": "builtin.kubernetes.KSV018", - "Query": "data.builtin.kubernetes.KSV018.deny", - "Resolution": "Set a limit value under 'containers[].resources.limits.memory'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv018", - "References": [ - "https://kubesec.io/basics/containers-resources-limits-memory/", - "https://avd.aquasec.com/misconfig/ksv018" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 467, - "EndLine": 480, - 
"Code": { - "Lines": [ - { - "Number": 467, - "Content": " - name: download-dashboards", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: download-dashboards", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 468, - "Content": " image: \"quay.io/devtron/curl:7.73.0\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/curl:7.73.0\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 469, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 470, - "Content": " command: [\"/bin/sh\"]", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mcommand\u001b[0m: [\u001b[38;5;37m\"/bin/sh\"\u001b[0m]", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 471, - "Content": " args: [ \"-c\", \"mkdir -p /var/lib/grafana/dashboards/default \u0026\u0026 /bin/sh /etc/grafana/download_dashboards.sh\" ]", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33margs\u001b[0m: [ \u001b[38;5;37m\"-c\"\u001b[0m, \u001b[38;5;37m\"mkdir -p /var/lib/grafana/dashboards/default \u0026\u0026 /bin/sh /etc/grafana/download_dashboards.sh\"\u001b[0m ]", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 472, - "Content": " resources:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mresources\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 473, - "Content": " {}", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " {}", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 474, - 
"Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 475, - "Content": " volumeMounts:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvolumeMounts\u001b[0m:", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 476, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV018", - "AVDID": "AVD-KSV-0018", - "Title": "Memory not limited", - "Description": "Enforcing memory limits prevents DoS via resource exhaustion.", - "Message": "Container 'grafana' of Deployment 'devtron-grafana' should set 'resources.limits.memory'", - "Namespace": "builtin.kubernetes.KSV018", - "Query": "data.builtin.kubernetes.KSV018.deny", - "Resolution": "Set a limit value under 'containers[].resources.limits.memory'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv018", - "References": [ - "https://kubesec.io/basics/containers-resources-limits-memory/", - "https://avd.aquasec.com/misconfig/ksv018" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 516, - "EndLine": 565, - "Code": { - "Lines": [ - { - "Number": 516, - "Content": " - name: grafana", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: grafana", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 517, - "Content": " image: \"quay.io/devtron/grafana:7.3.1\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/grafana:7.3.1\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 518, - "Content": " 
imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 519, - "Content": " volumeMounts:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvolumeMounts\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 520, - "Content": " - name: config", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: config", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 521, - "Content": " mountPath: \"/etc/grafana/grafana.ini\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mmountPath\u001b[0m: \u001b[38;5;37m\"/etc/grafana/grafana.ini\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 522, - "Content": " subPath: grafana.ini", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33msubPath\u001b[0m: grafana.ini", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 523, - "Content": " - name: storage", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: storage", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 524, - "Content": " mountPath: \"/var/lib/grafana\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mmountPath\u001b[0m: \u001b[38;5;37m\"/var/lib/grafana\"", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 525, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV018", - "AVDID": "AVD-KSV-0018", - "Title": "Memory not limited", - "Description": 
"Enforcing memory limits prevents DoS via resource exhaustion.", - "Message": "Container 'grafana-sc-dashboard' of Deployment 'devtron-grafana' should set 'resources.limits.memory'", - "Namespace": "builtin.kubernetes.KSV018", - "Query": "data.builtin.kubernetes.KSV018.deny", - "Resolution": "Set a limit value under 'containers[].resources.limits.memory'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv018", - "References": [ - "https://kubesec.io/basics/containers-resources-limits-memory/", - "https://avd.aquasec.com/misconfig/ksv018" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 499, - "EndLine": 515, - "Code": { - "Lines": [ - { - "Number": 499, - "Content": " - name: grafana-sc-dashboard", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: grafana-sc-dashboard", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 500, - "Content": " image: \"quay.io/kiwigrid/k8s-sidecar:1.1.0\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/kiwigrid/k8s-sidecar:1.1.0\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 501, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 502, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 503, - "Content": " - name: METHOD", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: METHOD", - "FirstCause": false, - "LastCause": false - }, - { - 
"Number": 504, - "Content": " value:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 505, - "Content": " - name: LABEL", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: LABEL", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 506, - "Content": " value: \"grafana_dashboard\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: \u001b[38;5;37m\"grafana_dashboard\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 507, - "Content": " - name: FOLDER", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: FOLDER", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 508, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV018", - "AVDID": "AVD-KSV-0018", - "Title": "Memory not limited", - "Description": "Enforcing memory limits prevents DoS via resource exhaustion.", - "Message": "Container 'grafana-sc-datasources' of Deployment 'devtron-grafana' should set 'resources.limits.memory'", - "Namespace": "builtin.kubernetes.KSV018", - "Query": "data.builtin.kubernetes.KSV018.deny", - "Resolution": "Set a limit value under 'containers[].resources.limits.memory'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv018", - "References": [ - "https://kubesec.io/basics/containers-resources-limits-memory/", - "https://avd.aquasec.com/misconfig/ksv018" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 481, - "EndLine": 497, - "Code": { - "Lines": [ - { - "Number": 481, - 
"Content": " - name: grafana-sc-datasources", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: grafana-sc-datasources", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 482, - "Content": " image: \"quay.io/kiwigrid/k8s-sidecar:1.1.0\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/kiwigrid/k8s-sidecar:1.1.0\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 483, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 484, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 485, - "Content": " - name: METHOD", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: METHOD", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 486, - "Content": " value: LIST", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: LIST", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 487, - "Content": " - name: LABEL", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: LABEL", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 488, - "Content": " value: \"grafana_datasource\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: \u001b[38;5;37m\"grafana_datasource\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 489, - "Content": " - name: FOLDER", - "IsCause": 
true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: FOLDER", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 490, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV018", - "AVDID": "AVD-KSV-0018", - "Title": "Memory not limited", - "Description": "Enforcing memory limits prevents DoS via resource exhaustion.", - "Message": "Container 'init-chown-data' of Deployment 'devtron-grafana' should set 'resources.limits.memory'", - "Namespace": "builtin.kubernetes.KSV018", - "Query": "data.builtin.kubernetes.KSV018.deny", - "Resolution": "Set a limit value under 'containers[].resources.limits.memory'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv018", - "References": [ - "https://kubesec.io/basics/containers-resources-limits-memory/", - "https://avd.aquasec.com/misconfig/ksv018" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 455, - "EndLine": 466, - "Code": { - "Lines": [ - { - "Number": 455, - "Content": " - name: init-chown-data", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: init-chown-data", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 456, - "Content": " image: \"quay.io/devtron/busybox:1.31.1\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/busybox:1.31.1\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 457, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - 
}, - { - "Number": 458, - "Content": " securityContext:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33msecurityContext\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 459, - "Content": " runAsNonRoot: false", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mfalse", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 460, - "Content": " runAsUser: 0", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m0", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 461, - "Content": " command: [\"chown\", \"-R\", \"472:472\", \"/var/lib/grafana\"]", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mcommand\u001b[0m: [\u001b[38;5;37m\"chown\"\u001b[0m, \u001b[38;5;37m\"-R\"\u001b[0m, \u001b[38;5;37m\"472:472\"\u001b[0m, \u001b[38;5;37m\"/var/lib/grafana\"\u001b[0m]", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 462, - "Content": " resources:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mresources\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 463, - "Content": " {}", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " {}", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 464, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV020", - "AVDID": "AVD-KSV-0020", - "Title": "Runs with UID \u003c= 10000", - "Description": "Force the container to run with user ID \u003e 10000 to avoid conflicts with the host’s user table.", - "Message": "Container 'devtron-test' of Pod 
'devtron-grafana-test' should set 'securityContext.runAsUser' \u003e 10000", - "Namespace": "builtin.kubernetes.KSV020", - "Query": "data.builtin.kubernetes.KSV020.deny", - "Resolution": "Set 'containers[].securityContext.runAsUser' to an integer \u003e 10000.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv020", - "References": [ - "https://kubesec.io/basics/containers-securitycontext-runasuser/", - "https://avd.aquasec.com/misconfig/ksv020" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 628, - "EndLine": 635, - "Code": { - "Lines": [ - { - "Number": 628, - "Content": " - name: devtron-test", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: devtron-test", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 629, - "Content": " image: \"quay.io/devtron/bats:v1.1.0\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/bats:v1.1.0\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 630, - "Content": " imagePullPolicy: \"IfNotPresent\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: \u001b[38;5;37m\"IfNotPresent\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 631, - "Content": " command: [\"/opt/bats/bin/bats\", \"-t\", \"/tests/run.sh\"]", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mcommand\u001b[0m: [\u001b[38;5;37m\"/opt/bats/bin/bats\"\u001b[0m, \u001b[38;5;37m\"-t\"\u001b[0m, \u001b[38;5;37m\"/tests/run.sh\"\u001b[0m]", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 632, - "Content": " volumeMounts:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " 
\u001b[38;5;33mvolumeMounts\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 633, - "Content": " - mountPath: /tests", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mmountPath\u001b[0m: /tests", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 634, - "Content": " name: tests", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mname\u001b[0m: tests", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 635, - "Content": " readOnly: true", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mreadOnly\u001b[0m: \u001b[38;5;166mtrue", - "FirstCause": false, - "LastCause": true - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV020", - "AVDID": "AVD-KSV-0020", - "Title": "Runs with UID \u003c= 10000", - "Description": "Force the container to run with user ID \u003e 10000 to avoid conflicts with the host’s user table.", - "Message": "Container 'download-dashboards' of Deployment 'devtron-grafana' should set 'securityContext.runAsUser' \u003e 10000", - "Namespace": "builtin.kubernetes.KSV020", - "Query": "data.builtin.kubernetes.KSV020.deny", - "Resolution": "Set 'containers[].securityContext.runAsUser' to an integer \u003e 10000.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv020", - "References": [ - "https://kubesec.io/basics/containers-securitycontext-runasuser/", - "https://avd.aquasec.com/misconfig/ksv020" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 467, - "EndLine": 480, - "Code": { - "Lines": [ - { - "Number": 467, - "Content": " - name: download-dashboards", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: download-dashboards", - "FirstCause": true, - "LastCause": 
false - }, - { - "Number": 468, - "Content": " image: \"quay.io/devtron/curl:7.73.0\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/curl:7.73.0\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 469, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 470, - "Content": " command: [\"/bin/sh\"]", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mcommand\u001b[0m: [\u001b[38;5;37m\"/bin/sh\"\u001b[0m]", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 471, - "Content": " args: [ \"-c\", \"mkdir -p /var/lib/grafana/dashboards/default \u0026\u0026 /bin/sh /etc/grafana/download_dashboards.sh\" ]", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33margs\u001b[0m: [ \u001b[38;5;37m\"-c\"\u001b[0m, \u001b[38;5;37m\"mkdir -p /var/lib/grafana/dashboards/default \u0026\u0026 /bin/sh /etc/grafana/download_dashboards.sh\"\u001b[0m ]", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 472, - "Content": " resources:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mresources\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 473, - "Content": " {}", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " {}", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 474, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 475, - "Content": " volumeMounts:", - "IsCause": true, - "Annotation": "", - 
"Truncated": false, - "Highlighted": " \u001b[38;5;33mvolumeMounts\u001b[0m:", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 476, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV020", - "AVDID": "AVD-KSV-0020", - "Title": "Runs with UID \u003c= 10000", - "Description": "Force the container to run with user ID \u003e 10000 to avoid conflicts with the host’s user table.", - "Message": "Container 'grafana' of Deployment 'devtron-grafana' should set 'securityContext.runAsUser' \u003e 10000", - "Namespace": "builtin.kubernetes.KSV020", - "Query": "data.builtin.kubernetes.KSV020.deny", - "Resolution": "Set 'containers[].securityContext.runAsUser' to an integer \u003e 10000.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv020", - "References": [ - "https://kubesec.io/basics/containers-securitycontext-runasuser/", - "https://avd.aquasec.com/misconfig/ksv020" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 516, - "EndLine": 565, - "Code": { - "Lines": [ - { - "Number": 516, - "Content": " - name: grafana", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: grafana", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 517, - "Content": " image: \"quay.io/devtron/grafana:7.3.1\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/grafana:7.3.1\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 518, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - 
"LastCause": false - }, - { - "Number": 519, - "Content": " volumeMounts:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvolumeMounts\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 520, - "Content": " - name: config", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: config", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 521, - "Content": " mountPath: \"/etc/grafana/grafana.ini\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mmountPath\u001b[0m: \u001b[38;5;37m\"/etc/grafana/grafana.ini\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 522, - "Content": " subPath: grafana.ini", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33msubPath\u001b[0m: grafana.ini", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 523, - "Content": " - name: storage", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: storage", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 524, - "Content": " mountPath: \"/var/lib/grafana\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mmountPath\u001b[0m: \u001b[38;5;37m\"/var/lib/grafana\"", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 525, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV020", - "AVDID": "AVD-KSV-0020", - "Title": "Runs with UID \u003c= 10000", - "Description": "Force the container to run with user ID \u003e 10000 to avoid conflicts with the host’s user table.", - "Message": "Container 'grafana-sc-dashboard' of Deployment 'devtron-grafana' should set 
'securityContext.runAsUser' \u003e 10000", - "Namespace": "builtin.kubernetes.KSV020", - "Query": "data.builtin.kubernetes.KSV020.deny", - "Resolution": "Set 'containers[].securityContext.runAsUser' to an integer \u003e 10000.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv020", - "References": [ - "https://kubesec.io/basics/containers-securitycontext-runasuser/", - "https://avd.aquasec.com/misconfig/ksv020" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 499, - "EndLine": 515, - "Code": { - "Lines": [ - { - "Number": 499, - "Content": " - name: grafana-sc-dashboard", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: grafana-sc-dashboard", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 500, - "Content": " image: \"quay.io/kiwigrid/k8s-sidecar:1.1.0\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/kiwigrid/k8s-sidecar:1.1.0\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 501, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 502, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 503, - "Content": " - name: METHOD", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: METHOD", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 504, - "Content": " value:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " 
\u001b[38;5;33mvalue\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 505, - "Content": " - name: LABEL", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: LABEL", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 506, - "Content": " value: \"grafana_dashboard\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: \u001b[38;5;37m\"grafana_dashboard\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 507, - "Content": " - name: FOLDER", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: FOLDER", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 508, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV020", - "AVDID": "AVD-KSV-0020", - "Title": "Runs with UID \u003c= 10000", - "Description": "Force the container to run with user ID \u003e 10000 to avoid conflicts with the host’s user table.", - "Message": "Container 'grafana-sc-datasources' of Deployment 'devtron-grafana' should set 'securityContext.runAsUser' \u003e 10000", - "Namespace": "builtin.kubernetes.KSV020", - "Query": "data.builtin.kubernetes.KSV020.deny", - "Resolution": "Set 'containers[].securityContext.runAsUser' to an integer \u003e 10000.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv020", - "References": [ - "https://kubesec.io/basics/containers-securitycontext-runasuser/", - "https://avd.aquasec.com/misconfig/ksv020" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 481, - "EndLine": 497, - "Code": { - "Lines": [ - { - "Number": 481, - "Content": " - name: grafana-sc-datasources", - 
"IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: grafana-sc-datasources", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 482, - "Content": " image: \"quay.io/kiwigrid/k8s-sidecar:1.1.0\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/kiwigrid/k8s-sidecar:1.1.0\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 483, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 484, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 485, - "Content": " - name: METHOD", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: METHOD", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 486, - "Content": " value: LIST", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: LIST", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 487, - "Content": " - name: LABEL", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: LABEL", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 488, - "Content": " value: \"grafana_datasource\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: \u001b[38;5;37m\"grafana_datasource\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 489, - "Content": " - name: FOLDER", - "IsCause": true, - "Annotation": "", - "Truncated": false, 
- "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: FOLDER", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 490, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV020", - "AVDID": "AVD-KSV-0020", - "Title": "Runs with UID \u003c= 10000", - "Description": "Force the container to run with user ID \u003e 10000 to avoid conflicts with the host’s user table.", - "Message": "Container 'init-chown-data' of Deployment 'devtron-grafana' should set 'securityContext.runAsUser' \u003e 10000", - "Namespace": "builtin.kubernetes.KSV020", - "Query": "data.builtin.kubernetes.KSV020.deny", - "Resolution": "Set 'containers[].securityContext.runAsUser' to an integer \u003e 10000.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv020", - "References": [ - "https://kubesec.io/basics/containers-securitycontext-runasuser/", - "https://avd.aquasec.com/misconfig/ksv020" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 455, - "EndLine": 466, - "Code": { - "Lines": [ - { - "Number": 455, - "Content": " - name: init-chown-data", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: init-chown-data", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 456, - "Content": " image: \"quay.io/devtron/busybox:1.31.1\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/busybox:1.31.1\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 457, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": 
false, - "LastCause": false - }, - { - "Number": 458, - "Content": " securityContext:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33msecurityContext\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 459, - "Content": " runAsNonRoot: false", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mfalse", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 460, - "Content": " runAsUser: 0", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m0", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 461, - "Content": " command: [\"chown\", \"-R\", \"472:472\", \"/var/lib/grafana\"]", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mcommand\u001b[0m: [\u001b[38;5;37m\"chown\"\u001b[0m, \u001b[38;5;37m\"-R\"\u001b[0m, \u001b[38;5;37m\"472:472\"\u001b[0m, \u001b[38;5;37m\"/var/lib/grafana\"\u001b[0m]", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 462, - "Content": " resources:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mresources\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 463, - "Content": " {}", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " {}", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 464, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV021", - "AVDID": "AVD-KSV-0021", - "Title": "Runs with GID \u003c= 10000", - "Description": "Force the container to run with group ID \u003e 10000 to avoid conflicts with the host’s user table.", - "Message": 
"Container 'devtron-test' of Pod 'devtron-grafana-test' should set 'securityContext.runAsGroup' \u003e 10000", - "Namespace": "builtin.kubernetes.KSV021", - "Query": "data.builtin.kubernetes.KSV021.deny", - "Resolution": "Set 'containers[].securityContext.runAsGroup' to an integer \u003e 10000.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv021", - "References": [ - "https://kubesec.io/basics/containers-securitycontext-runasuser/", - "https://avd.aquasec.com/misconfig/ksv021" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 628, - "EndLine": 635, - "Code": { - "Lines": [ - { - "Number": 628, - "Content": " - name: devtron-test", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: devtron-test", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 629, - "Content": " image: \"quay.io/devtron/bats:v1.1.0\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/bats:v1.1.0\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 630, - "Content": " imagePullPolicy: \"IfNotPresent\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: \u001b[38;5;37m\"IfNotPresent\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 631, - "Content": " command: [\"/opt/bats/bin/bats\", \"-t\", \"/tests/run.sh\"]", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mcommand\u001b[0m: [\u001b[38;5;37m\"/opt/bats/bin/bats\"\u001b[0m, \u001b[38;5;37m\"-t\"\u001b[0m, \u001b[38;5;37m\"/tests/run.sh\"\u001b[0m]", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 632, - "Content": " volumeMounts:", - "IsCause": true, - "Annotation": "", - "Truncated": 
false, - "Highlighted": " \u001b[38;5;33mvolumeMounts\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 633, - "Content": " - mountPath: /tests", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mmountPath\u001b[0m: /tests", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 634, - "Content": " name: tests", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mname\u001b[0m: tests", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 635, - "Content": " readOnly: true", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mreadOnly\u001b[0m: \u001b[38;5;166mtrue", - "FirstCause": false, - "LastCause": true - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV021", - "AVDID": "AVD-KSV-0021", - "Title": "Runs with GID \u003c= 10000", - "Description": "Force the container to run with group ID \u003e 10000 to avoid conflicts with the host’s user table.", - "Message": "Container 'download-dashboards' of Deployment 'devtron-grafana' should set 'securityContext.runAsGroup' \u003e 10000", - "Namespace": "builtin.kubernetes.KSV021", - "Query": "data.builtin.kubernetes.KSV021.deny", - "Resolution": "Set 'containers[].securityContext.runAsGroup' to an integer \u003e 10000.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv021", - "References": [ - "https://kubesec.io/basics/containers-securitycontext-runasuser/", - "https://avd.aquasec.com/misconfig/ksv021" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 467, - "EndLine": 480, - "Code": { - "Lines": [ - { - "Number": 467, - "Content": " - name: download-dashboards", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: download-dashboards", - 
"FirstCause": true, - "LastCause": false - }, - { - "Number": 468, - "Content": " image: \"quay.io/devtron/curl:7.73.0\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/curl:7.73.0\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 469, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 470, - "Content": " command: [\"/bin/sh\"]", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mcommand\u001b[0m: [\u001b[38;5;37m\"/bin/sh\"\u001b[0m]", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 471, - "Content": " args: [ \"-c\", \"mkdir -p /var/lib/grafana/dashboards/default \u0026\u0026 /bin/sh /etc/grafana/download_dashboards.sh\" ]", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33margs\u001b[0m: [ \u001b[38;5;37m\"-c\"\u001b[0m, \u001b[38;5;37m\"mkdir -p /var/lib/grafana/dashboards/default \u0026\u0026 /bin/sh /etc/grafana/download_dashboards.sh\"\u001b[0m ]", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 472, - "Content": " resources:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mresources\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 473, - "Content": " {}", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " {}", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 474, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 475, - "Content": " volumeMounts:", - 
"IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvolumeMounts\u001b[0m:", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 476, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV021", - "AVDID": "AVD-KSV-0021", - "Title": "Runs with GID \u003c= 10000", - "Description": "Force the container to run with group ID \u003e 10000 to avoid conflicts with the host’s user table.", - "Message": "Container 'grafana' of Deployment 'devtron-grafana' should set 'securityContext.runAsGroup' \u003e 10000", - "Namespace": "builtin.kubernetes.KSV021", - "Query": "data.builtin.kubernetes.KSV021.deny", - "Resolution": "Set 'containers[].securityContext.runAsGroup' to an integer \u003e 10000.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv021", - "References": [ - "https://kubesec.io/basics/containers-securitycontext-runasuser/", - "https://avd.aquasec.com/misconfig/ksv021" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 516, - "EndLine": 565, - "Code": { - "Lines": [ - { - "Number": 516, - "Content": " - name: grafana", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: grafana", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 517, - "Content": " image: \"quay.io/devtron/grafana:7.3.1\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/grafana:7.3.1\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 518, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: 
IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 519, - "Content": " volumeMounts:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvolumeMounts\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 520, - "Content": " - name: config", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: config", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 521, - "Content": " mountPath: \"/etc/grafana/grafana.ini\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mmountPath\u001b[0m: \u001b[38;5;37m\"/etc/grafana/grafana.ini\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 522, - "Content": " subPath: grafana.ini", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33msubPath\u001b[0m: grafana.ini", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 523, - "Content": " - name: storage", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: storage", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 524, - "Content": " mountPath: \"/var/lib/grafana\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mmountPath\u001b[0m: \u001b[38;5;37m\"/var/lib/grafana\"", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 525, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV021", - "AVDID": "AVD-KSV-0021", - "Title": "Runs with GID \u003c= 10000", - "Description": "Force the container to run with group ID \u003e 10000 to avoid conflicts with the host’s user table.", - "Message": "Container 'grafana-sc-dashboard' 
of Deployment 'devtron-grafana' should set 'securityContext.runAsGroup' \u003e 10000", - "Namespace": "builtin.kubernetes.KSV021", - "Query": "data.builtin.kubernetes.KSV021.deny", - "Resolution": "Set 'containers[].securityContext.runAsGroup' to an integer \u003e 10000.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv021", - "References": [ - "https://kubesec.io/basics/containers-securitycontext-runasuser/", - "https://avd.aquasec.com/misconfig/ksv021" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 499, - "EndLine": 515, - "Code": { - "Lines": [ - { - "Number": 499, - "Content": " - name: grafana-sc-dashboard", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: grafana-sc-dashboard", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 500, - "Content": " image: \"quay.io/kiwigrid/k8s-sidecar:1.1.0\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/kiwigrid/k8s-sidecar:1.1.0\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 501, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 502, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 503, - "Content": " - name: METHOD", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: METHOD", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 504, - "Content": " value:", - "IsCause": true, - "Annotation": "", - "Truncated": 
false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 505, - "Content": " - name: LABEL", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: LABEL", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 506, - "Content": " value: \"grafana_dashboard\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: \u001b[38;5;37m\"grafana_dashboard\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 507, - "Content": " - name: FOLDER", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: FOLDER", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 508, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV021", - "AVDID": "AVD-KSV-0021", - "Title": "Runs with GID \u003c= 10000", - "Description": "Force the container to run with group ID \u003e 10000 to avoid conflicts with the host’s user table.", - "Message": "Container 'grafana-sc-datasources' of Deployment 'devtron-grafana' should set 'securityContext.runAsGroup' \u003e 10000", - "Namespace": "builtin.kubernetes.KSV021", - "Query": "data.builtin.kubernetes.KSV021.deny", - "Resolution": "Set 'containers[].securityContext.runAsGroup' to an integer \u003e 10000.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv021", - "References": [ - "https://kubesec.io/basics/containers-securitycontext-runasuser/", - "https://avd.aquasec.com/misconfig/ksv021" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 481, - "EndLine": 497, - "Code": { - "Lines": [ - { - "Number": 481, - "Content": " - name: 
grafana-sc-datasources", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: grafana-sc-datasources", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 482, - "Content": " image: \"quay.io/kiwigrid/k8s-sidecar:1.1.0\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/kiwigrid/k8s-sidecar:1.1.0\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 483, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 484, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 485, - "Content": " - name: METHOD", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: METHOD", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 486, - "Content": " value: LIST", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: LIST", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 487, - "Content": " - name: LABEL", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: LABEL", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 488, - "Content": " value: \"grafana_datasource\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: \u001b[38;5;37m\"grafana_datasource\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 489, - "Content": " - name: FOLDER", - "IsCause": true, - 
"Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: FOLDER", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 490, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV021", - "AVDID": "AVD-KSV-0021", - "Title": "Runs with GID \u003c= 10000", - "Description": "Force the container to run with group ID \u003e 10000 to avoid conflicts with the host’s user table.", - "Message": "Container 'init-chown-data' of Deployment 'devtron-grafana' should set 'securityContext.runAsGroup' \u003e 10000", - "Namespace": "builtin.kubernetes.KSV021", - "Query": "data.builtin.kubernetes.KSV021.deny", - "Resolution": "Set 'containers[].securityContext.runAsGroup' to an integer \u003e 10000.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv021", - "References": [ - "https://kubesec.io/basics/containers-securitycontext-runasuser/", - "https://avd.aquasec.com/misconfig/ksv021" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 455, - "EndLine": 466, - "Code": { - "Lines": [ - { - "Number": 455, - "Content": " - name: init-chown-data", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: init-chown-data", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 456, - "Content": " image: \"quay.io/devtron/busybox:1.31.1\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/busybox:1.31.1\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 457, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m 
\u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 458, - "Content": " securityContext:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33msecurityContext\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 459, - "Content": " runAsNonRoot: false", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mfalse", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 460, - "Content": " runAsUser: 0", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m0", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 461, - "Content": " command: [\"chown\", \"-R\", \"472:472\", \"/var/lib/grafana\"]", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mcommand\u001b[0m: [\u001b[38;5;37m\"chown\"\u001b[0m, \u001b[38;5;37m\"-R\"\u001b[0m, \u001b[38;5;37m\"472:472\"\u001b[0m, \u001b[38;5;37m\"/var/lib/grafana\"\u001b[0m]", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 462, - "Content": " resources:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mresources\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 463, - "Content": " {}", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " {}", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 464, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV030", - "AVDID": "AVD-KSV-0030", - "Title": "Runtime/Default Seccomp profile not set", - "Description": "According to pod security standard 
'Seccomp', the RuntimeDefault seccomp profile must be required, or allow specific additional profiles.", - "Message": "Either Pod or Container should set 'securityContext.seccompProfile.type' to 'RuntimeDefault'", - "Namespace": "builtin.kubernetes.KSV030", - "Query": "data.builtin.kubernetes.KSV030.deny", - "Resolution": "Set 'spec.securityContext.seccompProfile.type', 'spec.containers[*].securityContext.seccompProfile' and 'spec.initContainers[*].securityContext.seccompProfile' to 'RuntimeDefault' or undefined.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv030", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", - "https://avd.aquasec.com/misconfig/ksv030" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 516, - "EndLine": 565, - "Code": { - "Lines": [ - { - "Number": 516, - "Content": " - name: grafana", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: grafana", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 517, - "Content": " image: \"quay.io/devtron/grafana:7.3.1\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/grafana:7.3.1\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 518, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 519, - "Content": " volumeMounts:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvolumeMounts\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 520, - "Content": " - name: config", - "IsCause": 
true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: config", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 521, - "Content": " mountPath: \"/etc/grafana/grafana.ini\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mmountPath\u001b[0m: \u001b[38;5;37m\"/etc/grafana/grafana.ini\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 522, - "Content": " subPath: grafana.ini", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33msubPath\u001b[0m: grafana.ini", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 523, - "Content": " - name: storage", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: storage", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 524, - "Content": " mountPath: \"/var/lib/grafana\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mmountPath\u001b[0m: \u001b[38;5;37m\"/var/lib/grafana\"", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 525, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV030", - "AVDID": "AVD-KSV-0030", - "Title": "Runtime/Default Seccomp profile not set", - "Description": "According to pod security standard 'Seccomp', the RuntimeDefault seccomp profile must be required, or allow specific additional profiles.", - "Message": "Either Pod or Container should set 'securityContext.seccompProfile.type' to 'RuntimeDefault'", - "Namespace": "builtin.kubernetes.KSV030", - "Query": "data.builtin.kubernetes.KSV030.deny", - "Resolution": "Set 'spec.securityContext.seccompProfile.type', 'spec.containers[*].securityContext.seccompProfile' and 
'spec.initContainers[*].securityContext.seccompProfile' to 'RuntimeDefault' or undefined.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv030", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", - "https://avd.aquasec.com/misconfig/ksv030" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 499, - "EndLine": 515, - "Code": { - "Lines": [ - { - "Number": 499, - "Content": " - name: grafana-sc-dashboard", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: grafana-sc-dashboard", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 500, - "Content": " image: \"quay.io/kiwigrid/k8s-sidecar:1.1.0\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/kiwigrid/k8s-sidecar:1.1.0\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 501, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 502, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 503, - "Content": " - name: METHOD", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: METHOD", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 504, - "Content": " value:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 505, - "Content": " - name: LABEL", - 
"IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: LABEL", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 506, - "Content": " value: \"grafana_dashboard\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: \u001b[38;5;37m\"grafana_dashboard\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 507, - "Content": " - name: FOLDER", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: FOLDER", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 508, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV030", - "AVDID": "AVD-KSV-0030", - "Title": "Runtime/Default Seccomp profile not set", - "Description": "According to pod security standard 'Seccomp', the RuntimeDefault seccomp profile must be required, or allow specific additional profiles.", - "Message": "Either Pod or Container should set 'securityContext.seccompProfile.type' to 'RuntimeDefault'", - "Namespace": "builtin.kubernetes.KSV030", - "Query": "data.builtin.kubernetes.KSV030.deny", - "Resolution": "Set 'spec.securityContext.seccompProfile.type', 'spec.containers[*].securityContext.seccompProfile' and 'spec.initContainers[*].securityContext.seccompProfile' to 'RuntimeDefault' or undefined.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv030", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", - "https://avd.aquasec.com/misconfig/ksv030" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 481, - "EndLine": 497, - "Code": { - "Lines": [ - { - "Number": 481, - "Content": " - name: 
grafana-sc-datasources", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: grafana-sc-datasources", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 482, - "Content": " image: \"quay.io/kiwigrid/k8s-sidecar:1.1.0\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/kiwigrid/k8s-sidecar:1.1.0\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 483, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 484, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 485, - "Content": " - name: METHOD", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: METHOD", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 486, - "Content": " value: LIST", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: LIST", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 487, - "Content": " - name: LABEL", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: LABEL", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 488, - "Content": " value: \"grafana_datasource\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: \u001b[38;5;37m\"grafana_datasource\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 489, - "Content": " - name: FOLDER", - "IsCause": true, - 
"Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: FOLDER", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 490, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV030", - "AVDID": "AVD-KSV-0030", - "Title": "Runtime/Default Seccomp profile not set", - "Description": "According to pod security standard 'Seccomp', the RuntimeDefault seccomp profile must be required, or allow specific additional profiles.", - "Message": "Either Pod or Container should set 'securityContext.seccompProfile.type' to 'RuntimeDefault'", - "Namespace": "builtin.kubernetes.KSV030", - "Query": "data.builtin.kubernetes.KSV030.deny", - "Resolution": "Set 'spec.securityContext.seccompProfile.type', 'spec.containers[*].securityContext.seccompProfile' and 'spec.initContainers[*].securityContext.seccompProfile' to 'RuntimeDefault' or undefined.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv030", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", - "https://avd.aquasec.com/misconfig/ksv030" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 467, - "EndLine": 480, - "Code": { - "Lines": [ - { - "Number": 467, - "Content": " - name: download-dashboards", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: download-dashboards", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 468, - "Content": " image: \"quay.io/devtron/curl:7.73.0\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/curl:7.73.0\"", - "FirstCause": false, - "LastCause": false - }, - { - 
"Number": 469, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 470, - "Content": " command: [\"/bin/sh\"]", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mcommand\u001b[0m: [\u001b[38;5;37m\"/bin/sh\"\u001b[0m]", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 471, - "Content": " args: [ \"-c\", \"mkdir -p /var/lib/grafana/dashboards/default \u0026\u0026 /bin/sh /etc/grafana/download_dashboards.sh\" ]", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33margs\u001b[0m: [ \u001b[38;5;37m\"-c\"\u001b[0m, \u001b[38;5;37m\"mkdir -p /var/lib/grafana/dashboards/default \u0026\u0026 /bin/sh /etc/grafana/download_dashboards.sh\"\u001b[0m ]", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 472, - "Content": " resources:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mresources\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 473, - "Content": " {}", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " {}", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 474, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 475, - "Content": " volumeMounts:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvolumeMounts\u001b[0m:", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 476, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": 
"Kubernetes Security Check", - "ID": "KSV030", - "AVDID": "AVD-KSV-0030", - "Title": "Runtime/Default Seccomp profile not set", - "Description": "According to pod security standard 'Seccomp', the RuntimeDefault seccomp profile must be required, or allow specific additional profiles.", - "Message": "Either Pod or Container should set 'securityContext.seccompProfile.type' to 'RuntimeDefault'", - "Namespace": "builtin.kubernetes.KSV030", - "Query": "data.builtin.kubernetes.KSV030.deny", - "Resolution": "Set 'spec.securityContext.seccompProfile.type', 'spec.containers[*].securityContext.seccompProfile' and 'spec.initContainers[*].securityContext.seccompProfile' to 'RuntimeDefault' or undefined.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv030", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", - "https://avd.aquasec.com/misconfig/ksv030" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 455, - "EndLine": 466, - "Code": { - "Lines": [ - { - "Number": 455, - "Content": " - name: init-chown-data", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: init-chown-data", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 456, - "Content": " image: \"quay.io/devtron/busybox:1.31.1\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/busybox:1.31.1\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 457, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 458, - "Content": " securityContext:", - "IsCause": true, - "Annotation": "", - 
"Truncated": false, - "Highlighted": " \u001b[38;5;33msecurityContext\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 459, - "Content": " runAsNonRoot: false", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mfalse", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 460, - "Content": " runAsUser: 0", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m0", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 461, - "Content": " command: [\"chown\", \"-R\", \"472:472\", \"/var/lib/grafana\"]", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mcommand\u001b[0m: [\u001b[38;5;37m\"chown\"\u001b[0m, \u001b[38;5;37m\"-R\"\u001b[0m, \u001b[38;5;37m\"472:472\"\u001b[0m, \u001b[38;5;37m\"/var/lib/grafana\"\u001b[0m]", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 462, - "Content": " resources:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mresources\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 463, - "Content": " {}", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " {}", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 464, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV030", - "AVDID": "AVD-KSV-0030", - "Title": "Runtime/Default Seccomp profile not set", - "Description": "According to pod security standard 'Seccomp', the RuntimeDefault seccomp profile must be required, or allow specific additional profiles.", - "Message": "Either Pod or Container should set 'securityContext.seccompProfile.type' to 
'RuntimeDefault'", - "Namespace": "builtin.kubernetes.KSV030", - "Query": "data.builtin.kubernetes.KSV030.deny", - "Resolution": "Set 'spec.securityContext.seccompProfile.type', 'spec.containers[*].securityContext.seccompProfile' and 'spec.initContainers[*].securityContext.seccompProfile' to 'RuntimeDefault' or undefined.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv030", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", - "https://avd.aquasec.com/misconfig/ksv030" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 628, - "EndLine": 635, - "Code": { - "Lines": [ - { - "Number": 628, - "Content": " - name: devtron-test", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: devtron-test", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 629, - "Content": " image: \"quay.io/devtron/bats:v1.1.0\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/bats:v1.1.0\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 630, - "Content": " imagePullPolicy: \"IfNotPresent\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: \u001b[38;5;37m\"IfNotPresent\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 631, - "Content": " command: [\"/opt/bats/bin/bats\", \"-t\", \"/tests/run.sh\"]", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mcommand\u001b[0m: [\u001b[38;5;37m\"/opt/bats/bin/bats\"\u001b[0m, \u001b[38;5;37m\"-t\"\u001b[0m, \u001b[38;5;37m\"/tests/run.sh\"\u001b[0m]", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 632, - "Content": " volumeMounts:", - "IsCause": 
true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvolumeMounts\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 633, - "Content": " - mountPath: /tests", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mmountPath\u001b[0m: /tests", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 634, - "Content": " name: tests", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mname\u001b[0m: tests", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 635, - "Content": " readOnly: true", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mreadOnly\u001b[0m: \u001b[38;5;166mtrue", - "FirstCause": false, - "LastCause": true - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV041", - "AVDID": "AVD-KSV-0041", - "Title": "Manage secrets", - "Description": "Viewing secrets at the cluster-scope is akin to cluster-admin in most clusters as there are typically at least one service accounts (their token stored in a secret) bound to cluster-admin directly or a role/clusterrole that gives similar permissions.", - "Message": "ClusterRole 'devtron-grafana-clusterrole' shouldn't have access to manage resource 'secrets'", - "Namespace": "builtin.kubernetes.KSV041", - "Query": "data.builtin.kubernetes.KSV041.deny", - "Resolution": "Manage secrets are not allowed. 
Remove resource 'secrets' from cluster role", - "Severity": "CRITICAL", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv041", - "References": [ - "https://kubernetes.io/docs/concepts/security/rbac-good-practices/", - "https://avd.aquasec.com/misconfig/ksv041" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 291, - "EndLine": 293, - "Code": { - "Lines": [ - { - "Number": 291, - "Content": "- apiGroups: [\"\"] # \"\" indicates the core API group", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "- \u001b[38;5;33mapiGroups\u001b[0m: [\u001b[38;5;37m\"\"\u001b[0m] \u001b[38;5;239m# \"\" indicates the core API group", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 292, - "Content": " resources: [\"configmaps\", \"secrets\"]", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mresources\u001b[0m: [\u001b[38;5;37m\"configmaps\"\u001b[0m, \u001b[38;5;37m\"secrets\"\u001b[0m]", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 293, - "Content": " verbs: [\"get\", \"watch\", \"list\"]", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mverbs\u001b[0m: [\u001b[38;5;37m\"get\"\u001b[0m, \u001b[38;5;37m\"watch\"\u001b[0m, \u001b[38;5;37m\"list\"\u001b[0m]", - "FirstCause": false, - "LastCause": true - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV104", - "AVDID": "AVD-KSV-0104", - "Title": "Seccomp policies disabled", - "Description": "A program inside the container can bypass Seccomp protection policies.", - "Message": "container \"devtron-test\" of pod \"devtron-grafana-test\" in \"devtroncd\" namespace should specify a seccomp profile", - "Namespace": "builtin.kubernetes.KSV104", - "Query": "data.builtin.kubernetes.KSV104.deny", - "Resolution": "Specify seccomp either by annotation or by seccomp profile 
type having allowed values as per pod security standards", - "Severity": "MEDIUM", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv104", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline", - "https://avd.aquasec.com/misconfig/ksv104" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 610, - "EndLine": 610, - "Code": { - "Lines": [ - { - "Number": 610, - "Content": "---", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m---", - "FirstCause": true, - "LastCause": true - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV104", - "AVDID": "AVD-KSV-0104", - "Title": "Seccomp policies disabled", - "Description": "A program inside the container can bypass Seccomp protection policies.", - "Message": "container \"download-dashboards\" of deployment \"devtron-grafana\" in \"devtroncd\" namespace should specify a seccomp profile", - "Namespace": "builtin.kubernetes.KSV104", - "Query": "data.builtin.kubernetes.KSV104.deny", - "Resolution": "Specify seccomp either by annotation or by seccomp profile type having allowed values as per pod security standards", - "Severity": "MEDIUM", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv104", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline", - "https://avd.aquasec.com/misconfig/ksv104" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 416, - "EndLine": 416, - "Code": { - "Lines": [ - { - "Number": 416, - "Content": "---", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "---", - "FirstCause": true, - "LastCause": true - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV104", - "AVDID": "AVD-KSV-0104", - "Title": "Seccomp policies disabled", - "Description": "A 
program inside the container can bypass Seccomp protection policies.", - "Message": "container \"grafana\" of deployment \"devtron-grafana\" in \"devtroncd\" namespace should specify a seccomp profile", - "Namespace": "builtin.kubernetes.KSV104", - "Query": "data.builtin.kubernetes.KSV104.deny", - "Resolution": "Specify seccomp either by annotation or by seccomp profile type having allowed values as per pod security standards", - "Severity": "MEDIUM", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv104", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline", - "https://avd.aquasec.com/misconfig/ksv104" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 416, - "EndLine": 416, - "Code": { - "Lines": [ - { - "Number": 416, - "Content": "---", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "---", - "FirstCause": true, - "LastCause": true - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV104", - "AVDID": "AVD-KSV-0104", - "Title": "Seccomp policies disabled", - "Description": "A program inside the container can bypass Seccomp protection policies.", - "Message": "container \"grafana-sc-dashboard\" of deployment \"devtron-grafana\" in \"devtroncd\" namespace should specify a seccomp profile", - "Namespace": "builtin.kubernetes.KSV104", - "Query": "data.builtin.kubernetes.KSV104.deny", - "Resolution": "Specify seccomp either by annotation or by seccomp profile type having allowed values as per pod security standards", - "Severity": "MEDIUM", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv104", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline", - "https://avd.aquasec.com/misconfig/ksv104" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 416, - "EndLine": 
416, - "Code": { - "Lines": [ - { - "Number": 416, - "Content": "---", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "---", - "FirstCause": true, - "LastCause": true - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV104", - "AVDID": "AVD-KSV-0104", - "Title": "Seccomp policies disabled", - "Description": "A program inside the container can bypass Seccomp protection policies.", - "Message": "container \"grafana-sc-datasources\" of deployment \"devtron-grafana\" in \"devtroncd\" namespace should specify a seccomp profile", - "Namespace": "builtin.kubernetes.KSV104", - "Query": "data.builtin.kubernetes.KSV104.deny", - "Resolution": "Specify seccomp either by annotation or by seccomp profile type having allowed values as per pod security standards", - "Severity": "MEDIUM", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv104", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline", - "https://avd.aquasec.com/misconfig/ksv104" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 416, - "EndLine": 416, - "Code": { - "Lines": [ - { - "Number": 416, - "Content": "---", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "---", - "FirstCause": true, - "LastCause": true - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV104", - "AVDID": "AVD-KSV-0104", - "Title": "Seccomp policies disabled", - "Description": "A program inside the container can bypass Seccomp protection policies.", - "Message": "container \"init-chown-data\" of deployment \"devtron-grafana\" in \"devtroncd\" namespace should specify a seccomp profile", - "Namespace": "builtin.kubernetes.KSV104", - "Query": "data.builtin.kubernetes.KSV104.deny", - "Resolution": "Specify seccomp either by annotation or by seccomp profile type having allowed values as per pod security standards", - 
"Severity": "MEDIUM", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv104", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline", - "https://avd.aquasec.com/misconfig/ksv104" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 416, - "EndLine": 416, - "Code": { - "Lines": [ - { - "Number": 416, - "Content": "---", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "---", - "FirstCause": true, - "LastCause": true - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV105", - "AVDID": "AVD-KSV-0105", - "Title": "Containers must not set runAsUser to 0", - "Description": "Containers should be forbidden from running with a root UID.", - "Message": "securityContext.runAsUser should be set to a value greater than 0", - "Namespace": "builtin.kubernetes.KSV105", - "Query": "data.builtin.kubernetes.KSV105.deny", - "Resolution": "Set 'securityContext.runAsUser' to a non-zero integer or leave undefined.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv105", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", - "https://avd.aquasec.com/misconfig/ksv105" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 459, - "EndLine": 460, - "Code": { - "Lines": [ - { - "Number": 459, - "Content": " runAsNonRoot: false", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mfalse", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 460, - "Content": " runAsUser: 0", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m0", - "FirstCause": false, - "LastCause": true - } - ] - } - } - }, - { 
- "Type": "Kubernetes Security Check", - "ID": "KSV106", - "AVDID": "AVD-KSV-0106", - "Title": "Container capabilities must only include NET_BIND_SERVICE", - "Description": "Containers must drop ALL capabilities, and are only permitted to add back the NET_BIND_SERVICE capability.", - "Message": "container should drop all", - "Namespace": "builtin.kubernetes.KSV106", - "Query": "data.builtin.kubernetes.KSV106.deny", - "Resolution": "Set 'spec.containers[*].securityContext.capabilities.drop' to 'ALL' and only add 'NET_BIND_SERVICE' to 'spec.containers[*].securityContext.capabilities.add'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv106", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", - "https://avd.aquasec.com/misconfig/ksv106" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 628, - "EndLine": 635, - "Code": { - "Lines": [ - { - "Number": 628, - "Content": " - name: devtron-test", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: devtron-test", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 629, - "Content": " image: \"quay.io/devtron/bats:v1.1.0\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/bats:v1.1.0\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 630, - "Content": " imagePullPolicy: \"IfNotPresent\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: \u001b[38;5;37m\"IfNotPresent\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 631, - "Content": " command: [\"/opt/bats/bin/bats\", \"-t\", \"/tests/run.sh\"]", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m 
\u001b[38;5;33mcommand\u001b[0m: [\u001b[38;5;37m\"/opt/bats/bin/bats\"\u001b[0m, \u001b[38;5;37m\"-t\"\u001b[0m, \u001b[38;5;37m\"/tests/run.sh\"\u001b[0m]", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 632, - "Content": " volumeMounts:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvolumeMounts\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 633, - "Content": " - mountPath: /tests", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mmountPath\u001b[0m: /tests", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 634, - "Content": " name: tests", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mname\u001b[0m: tests", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 635, - "Content": " readOnly: true", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mreadOnly\u001b[0m: \u001b[38;5;166mtrue", - "FirstCause": false, - "LastCause": true - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV106", - "AVDID": "AVD-KSV-0106", - "Title": "Container capabilities must only include NET_BIND_SERVICE", - "Description": "Containers must drop ALL capabilities, and are only permitted to add back the NET_BIND_SERVICE capability.", - "Message": "container should drop all", - "Namespace": "builtin.kubernetes.KSV106", - "Query": "data.builtin.kubernetes.KSV106.deny", - "Resolution": "Set 'spec.containers[*].securityContext.capabilities.drop' to 'ALL' and only add 'NET_BIND_SERVICE' to 'spec.containers[*].securityContext.capabilities.add'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv106", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", - "https://avd.aquasec.com/misconfig/ksv106" - ], - "Status": "FAIL", - "Layer": 
{}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 516, - "EndLine": 565, - "Code": { - "Lines": [ - { - "Number": 516, - "Content": " - name: grafana", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: grafana", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 517, - "Content": " image: \"quay.io/devtron/grafana:7.3.1\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/grafana:7.3.1\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 518, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 519, - "Content": " volumeMounts:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvolumeMounts\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 520, - "Content": " - name: config", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: config", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 521, - "Content": " mountPath: \"/etc/grafana/grafana.ini\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mmountPath\u001b[0m: \u001b[38;5;37m\"/etc/grafana/grafana.ini\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 522, - "Content": " subPath: grafana.ini", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33msubPath\u001b[0m: grafana.ini", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 523, - "Content": " - name: storage", - "IsCause": true, - "Annotation": "", - 
"Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: storage", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 524, - "Content": " mountPath: \"/var/lib/grafana\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mmountPath\u001b[0m: \u001b[38;5;37m\"/var/lib/grafana\"", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 525, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV106", - "AVDID": "AVD-KSV-0106", - "Title": "Container capabilities must only include NET_BIND_SERVICE", - "Description": "Containers must drop ALL capabilities, and are only permitted to add back the NET_BIND_SERVICE capability.", - "Message": "container should drop all", - "Namespace": "builtin.kubernetes.KSV106", - "Query": "data.builtin.kubernetes.KSV106.deny", - "Resolution": "Set 'spec.containers[*].securityContext.capabilities.drop' to 'ALL' and only add 'NET_BIND_SERVICE' to 'spec.containers[*].securityContext.capabilities.add'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv106", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", - "https://avd.aquasec.com/misconfig/ksv106" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 499, - "EndLine": 515, - "Code": { - "Lines": [ - { - "Number": 499, - "Content": " - name: grafana-sc-dashboard", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: grafana-sc-dashboard", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 500, - "Content": " image: \"quay.io/kiwigrid/k8s-sidecar:1.1.0\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " 
\u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/kiwigrid/k8s-sidecar:1.1.0\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 501, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 502, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 503, - "Content": " - name: METHOD", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: METHOD", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 504, - "Content": " value:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 505, - "Content": " - name: LABEL", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: LABEL", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 506, - "Content": " value: \"grafana_dashboard\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: \u001b[38;5;37m\"grafana_dashboard\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 507, - "Content": " - name: FOLDER", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: FOLDER", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 508, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV106", - "AVDID": 
"AVD-KSV-0106", - "Title": "Container capabilities must only include NET_BIND_SERVICE", - "Description": "Containers must drop ALL capabilities, and are only permitted to add back the NET_BIND_SERVICE capability.", - "Message": "container should drop all", - "Namespace": "builtin.kubernetes.KSV106", - "Query": "data.builtin.kubernetes.KSV106.deny", - "Resolution": "Set 'spec.containers[*].securityContext.capabilities.drop' to 'ALL' and only add 'NET_BIND_SERVICE' to 'spec.containers[*].securityContext.capabilities.add'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv106", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", - "https://avd.aquasec.com/misconfig/ksv106" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 481, - "EndLine": 497, - "Code": { - "Lines": [ - { - "Number": 481, - "Content": " - name: grafana-sc-datasources", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: grafana-sc-datasources", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 482, - "Content": " image: \"quay.io/kiwigrid/k8s-sidecar:1.1.0\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/kiwigrid/k8s-sidecar:1.1.0\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 483, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 484, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 485, - "Content": " - 
name: METHOD", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: METHOD", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 486, - "Content": " value: LIST", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: LIST", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 487, - "Content": " - name: LABEL", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: LABEL", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 488, - "Content": " value: \"grafana_datasource\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: \u001b[38;5;37m\"grafana_datasource\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 489, - "Content": " - name: FOLDER", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: FOLDER", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 490, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV106", - "AVDID": "AVD-KSV-0106", - "Title": "Container capabilities must only include NET_BIND_SERVICE", - "Description": "Containers must drop ALL capabilities, and are only permitted to add back the NET_BIND_SERVICE capability.", - "Message": "container should drop all", - "Namespace": "builtin.kubernetes.KSV106", - "Query": "data.builtin.kubernetes.KSV106.deny", - "Resolution": "Set 'spec.containers[*].securityContext.capabilities.drop' to 'ALL' and only add 'NET_BIND_SERVICE' to 'spec.containers[*].securityContext.capabilities.add'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv106", - "References": [ - 
"https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", - "https://avd.aquasec.com/misconfig/ksv106" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 467, - "EndLine": 480, - "Code": { - "Lines": [ - { - "Number": 467, - "Content": " - name: download-dashboards", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: download-dashboards", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 468, - "Content": " image: \"quay.io/devtron/curl:7.73.0\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/curl:7.73.0\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 469, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 470, - "Content": " command: [\"/bin/sh\"]", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mcommand\u001b[0m: [\u001b[38;5;37m\"/bin/sh\"\u001b[0m]", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 471, - "Content": " args: [ \"-c\", \"mkdir -p /var/lib/grafana/dashboards/default \u0026\u0026 /bin/sh /etc/grafana/download_dashboards.sh\" ]", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33margs\u001b[0m: [ \u001b[38;5;37m\"-c\"\u001b[0m, \u001b[38;5;37m\"mkdir -p /var/lib/grafana/dashboards/default \u0026\u0026 /bin/sh /etc/grafana/download_dashboards.sh\"\u001b[0m ]", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 472, - "Content": " resources:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " 
\u001b[38;5;33mresources\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 473, - "Content": " {}", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " {}", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 474, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 475, - "Content": " volumeMounts:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvolumeMounts\u001b[0m:", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 476, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV106", - "AVDID": "AVD-KSV-0106", - "Title": "Container capabilities must only include NET_BIND_SERVICE", - "Description": "Containers must drop ALL capabilities, and are only permitted to add back the NET_BIND_SERVICE capability.", - "Message": "container should drop all", - "Namespace": "builtin.kubernetes.KSV106", - "Query": "data.builtin.kubernetes.KSV106.deny", - "Resolution": "Set 'spec.containers[*].securityContext.capabilities.drop' to 'ALL' and only add 'NET_BIND_SERVICE' to 'spec.containers[*].securityContext.capabilities.add'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv106", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", - "https://avd.aquasec.com/misconfig/ksv106" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 455, - "EndLine": 466, - "Code": { - "Lines": [ - { - "Number": 455, - "Content": " - name: init-chown-data", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - 
\u001b[38;5;33mname\u001b[0m: init-chown-data", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 456, - "Content": " image: \"quay.io/devtron/busybox:1.31.1\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/busybox:1.31.1\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 457, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 458, - "Content": " securityContext:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33msecurityContext\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 459, - "Content": " runAsNonRoot: false", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mfalse", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 460, - "Content": " runAsUser: 0", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m0", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 461, - "Content": " command: [\"chown\", \"-R\", \"472:472\", \"/var/lib/grafana\"]", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mcommand\u001b[0m: [\u001b[38;5;37m\"chown\"\u001b[0m, \u001b[38;5;37m\"-R\"\u001b[0m, \u001b[38;5;37m\"472:472\"\u001b[0m, \u001b[38;5;37m\"/var/lib/grafana\"\u001b[0m]", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 462, - "Content": " resources:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mresources\u001b[0m:", - "FirstCause": false, - "LastCause": 
false - }, - { - "Number": 463, - "Content": " {}", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " {}", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 464, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV117", - "AVDID": "AVD-KSV-0117", - "Title": "Prevent binding to privileged ports", - "Description": "The ports which are lower than 1024 receive and transmit various sensitive and privileged data. Allowing containers to use them can bring serious implications.", - "Message": "deployment devtron-grafana in devtroncd namespace should not set spec.template.spec.containers.ports.containerPort to less than 1024", - "Namespace": "builtin.kubernetes.KSV117", - "Query": "data.builtin.kubernetes.KSV117.deny", - "Resolution": "Do not map the container ports to privileged host ports when starting a container.", - "Severity": "HIGH", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv117", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/", - "https://avd.aquasec.com/misconfig/ksv117" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 416, - "EndLine": 416, - "Code": { - "Lines": [ - { - "Number": 416, - "Content": "---", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "---", - "FirstCause": true, - "LastCause": true - } - ] - } - } - } - ] - }, - { - "Target": "manifests/yamls/guard.yaml", - "Class": "config", - "Type": "kubernetes", - "MisconfSummary": { - "Successes": 153, - "Failures": 13, - "Exceptions": 0 - }, - "Misconfigurations": [ - { - "Type": "Kubernetes Security Check", - "ID": "KSV001", - "AVDID": "AVD-KSV-0001", - "Title": "Can elevate its own privileges", - "Description": "A program inside the container can elevate 
its own privileges and run as root, which might give the program control over the container and node.", - "Message": "Container 'guard' of Deployment 'guard' should set 'securityContext.allowPrivilegeEscalation' to false", - "Namespace": "builtin.kubernetes.KSV001", - "Query": "data.builtin.kubernetes.KSV001.deny", - "Resolution": "Set 'set containers[].securityContext.allowPrivilegeEscalation' to 'false'.", - "Severity": "MEDIUM", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv001", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", - "https://avd.aquasec.com/misconfig/ksv001" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 58, - "EndLine": 86, - "Code": { - "Lines": [ - { - "Number": 58, - "Content": " - name: guard", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: guard", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 59, - "Content": " image: quay.io/devtron/guard:62058d7c-122-2192", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/guard:62058d7c-122-2192", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 60, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 61, - "Content": " ports:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mports\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 62, - "Content": " - name: app", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: app", - "FirstCause": false, - "LastCause": false - }, - 
{ - "Number": 63, - "Content": " containerPort: 8080", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m8080", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 64, - "Content": " protocol: TCP", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mprotocol\u001b[0m: TCP", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 65, - "Content": " args:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33margs\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 66, - "Content": " - -alsologtostderr", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - -alsologtostderr", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 67, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV003", - "AVDID": "AVD-KSV-0003", - "Title": "Default capabilities: some containers do not drop all", - "Description": "The container should drop all default capabilities and add only those that are needed for its execution.", - "Message": "Container 'guard' of Deployment 'guard' should add 'ALL' to 'securityContext.capabilities.drop'", - "Namespace": "builtin.kubernetes.KSV003", - "Query": "data.builtin.kubernetes.KSV003.deny", - "Resolution": "Add 'ALL' to containers[].securityContext.capabilities.drop.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv003", - "References": [ - "https://kubesec.io/basics/containers-securitycontext-capabilities-drop-index-all/", - "https://avd.aquasec.com/misconfig/ksv003" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 58, - "EndLine": 86, - 
"Code": { - "Lines": [ - { - "Number": 58, - "Content": " - name: guard", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: guard", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 59, - "Content": " image: quay.io/devtron/guard:62058d7c-122-2192", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/guard:62058d7c-122-2192", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 60, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 61, - "Content": " ports:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mports\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 62, - "Content": " - name: app", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: app", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 63, - "Content": " containerPort: 8080", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m8080", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 64, - "Content": " protocol: TCP", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mprotocol\u001b[0m: TCP", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 65, - "Content": " args:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33margs\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 66, - "Content": " - -alsologtostderr", - "IsCause": true, - "Annotation": "", - "Truncated": false, 
- "Highlighted": " - -alsologtostderr", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 67, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV011", - "AVDID": "AVD-KSV-0011", - "Title": "CPU not limited", - "Description": "Enforcing CPU limits prevents DoS via resource exhaustion.", - "Message": "Container 'guard' of Deployment 'guard' should set 'resources.limits.cpu'", - "Namespace": "builtin.kubernetes.KSV011", - "Query": "data.builtin.kubernetes.KSV011.deny", - "Resolution": "Set a limit value under 'containers[].resources.limits.cpu'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv011", - "References": [ - "https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", - "https://avd.aquasec.com/misconfig/ksv011" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 58, - "EndLine": 86, - "Code": { - "Lines": [ - { - "Number": 58, - "Content": " - name: guard", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: guard", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 59, - "Content": " image: quay.io/devtron/guard:62058d7c-122-2192", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/guard:62058d7c-122-2192", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 60, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 61, - "Content": " ports:", - "IsCause": true, - "Annotation": "", - 
"Truncated": false, - "Highlighted": " \u001b[38;5;33mports\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 62, - "Content": " - name: app", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: app", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 63, - "Content": " containerPort: 8080", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m8080", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 64, - "Content": " protocol: TCP", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mprotocol\u001b[0m: TCP", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 65, - "Content": " args:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33margs\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 66, - "Content": " - -alsologtostderr", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - -alsologtostderr", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 67, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV012", - "AVDID": "AVD-KSV-0012", - "Title": "Runs as root user", - "Description": "Force the running image to run as a non-root user to ensure least privileges.", - "Message": "Container 'guard' of Deployment 'guard' should set 'securityContext.runAsNonRoot' to true", - "Namespace": "builtin.kubernetes.KSV012", - "Query": "data.builtin.kubernetes.KSV012.deny", - "Resolution": "Set 'containers[].securityContext.runAsNonRoot' to true.", - "Severity": "MEDIUM", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv012", - "References": [ - 
"https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", - "https://avd.aquasec.com/misconfig/ksv012" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 58, - "EndLine": 86, - "Code": { - "Lines": [ - { - "Number": 58, - "Content": " - name: guard", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: guard", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 59, - "Content": " image: quay.io/devtron/guard:62058d7c-122-2192", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/guard:62058d7c-122-2192", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 60, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 61, - "Content": " ports:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mports\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 62, - "Content": " - name: app", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: app", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 63, - "Content": " containerPort: 8080", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m8080", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 64, - "Content": " protocol: TCP", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mprotocol\u001b[0m: TCP", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 65, - "Content": " args:", 
- "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33margs\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 66, - "Content": " - -alsologtostderr", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - -alsologtostderr", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 67, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV014", - "AVDID": "AVD-KSV-0014", - "Title": "Root file system is not read-only", - "Description": "An immutable root file system prevents applications from writing to their local disk. This can limit intrusions, as attackers will not be able to tamper with the file system or write foreign executables to disk.", - "Message": "Container 'guard' of Deployment 'guard' should set 'securityContext.readOnlyRootFilesystem' to true", - "Namespace": "builtin.kubernetes.KSV014", - "Query": "data.builtin.kubernetes.KSV014.deny", - "Resolution": "Change 'containers[].securityContext.readOnlyRootFilesystem' to 'true'.", - "Severity": "HIGH", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv014", - "References": [ - "https://kubesec.io/basics/containers-securitycontext-readonlyrootfilesystem-true/", - "https://avd.aquasec.com/misconfig/ksv014" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 58, - "EndLine": 86, - "Code": { - "Lines": [ - { - "Number": 58, - "Content": " - name: guard", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: guard", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 59, - "Content": " image: quay.io/devtron/guard:62058d7c-122-2192", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " 
\u001b[38;5;33mimage\u001b[0m: quay.io/devtron/guard:62058d7c-122-2192", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 60, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 61, - "Content": " ports:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mports\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 62, - "Content": " - name: app", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: app", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 63, - "Content": " containerPort: 8080", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m8080", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 64, - "Content": " protocol: TCP", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mprotocol\u001b[0m: TCP", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 65, - "Content": " args:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33margs\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 66, - "Content": " - -alsologtostderr", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - -alsologtostderr", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 67, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV015", - "AVDID": "AVD-KSV-0015", - "Title": "CPU requests not specified", - "Description": "When 
containers have resource requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", - "Message": "Container 'guard' of Deployment 'guard' should set 'resources.requests.cpu'", - "Namespace": "builtin.kubernetes.KSV015", - "Query": "data.builtin.kubernetes.KSV015.deny", - "Resolution": "Set 'containers[].resources.requests.cpu'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv015", - "References": [ - "https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", - "https://avd.aquasec.com/misconfig/ksv015" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 58, - "EndLine": 86, - "Code": { - "Lines": [ - { - "Number": 58, - "Content": " - name: guard", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: guard", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 59, - "Content": " image: quay.io/devtron/guard:62058d7c-122-2192", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/guard:62058d7c-122-2192", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 60, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 61, - "Content": " ports:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mports\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 62, - "Content": " - name: app", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: app", - "FirstCause": 
false, - "LastCause": false - }, - { - "Number": 63, - "Content": " containerPort: 8080", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m8080", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 64, - "Content": " protocol: TCP", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mprotocol\u001b[0m: TCP", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 65, - "Content": " args:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33margs\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 66, - "Content": " - -alsologtostderr", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - -alsologtostderr", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 67, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV016", - "AVDID": "AVD-KSV-0016", - "Title": "Memory requests not specified", - "Description": "When containers have memory requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", - "Message": "Container 'guard' of Deployment 'guard' should set 'resources.requests.memory'", - "Namespace": "builtin.kubernetes.KSV016", - "Query": "data.builtin.kubernetes.KSV016.deny", - "Resolution": "Set 'containers[].resources.requests.memory'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv016", - "References": [ - "https://kubesec.io/basics/containers-resources-limits-memory/", - "https://avd.aquasec.com/misconfig/ksv016" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 58, - 
"EndLine": 86, - "Code": { - "Lines": [ - { - "Number": 58, - "Content": " - name: guard", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: guard", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 59, - "Content": " image: quay.io/devtron/guard:62058d7c-122-2192", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/guard:62058d7c-122-2192", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 60, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 61, - "Content": " ports:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mports\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 62, - "Content": " - name: app", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: app", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 63, - "Content": " containerPort: 8080", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m8080", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 64, - "Content": " protocol: TCP", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mprotocol\u001b[0m: TCP", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 65, - "Content": " args:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33margs\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 66, - "Content": " - -alsologtostderr", - "IsCause": true, - "Annotation": "", - 
"Truncated": false, - "Highlighted": " - -alsologtostderr", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 67, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV018", - "AVDID": "AVD-KSV-0018", - "Title": "Memory not limited", - "Description": "Enforcing memory limits prevents DoS via resource exhaustion.", - "Message": "Container 'guard' of Deployment 'guard' should set 'resources.limits.memory'", - "Namespace": "builtin.kubernetes.KSV018", - "Query": "data.builtin.kubernetes.KSV018.deny", - "Resolution": "Set a limit value under 'containers[].resources.limits.memory'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv018", - "References": [ - "https://kubesec.io/basics/containers-resources-limits-memory/", - "https://avd.aquasec.com/misconfig/ksv018" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 58, - "EndLine": 86, - "Code": { - "Lines": [ - { - "Number": 58, - "Content": " - name: guard", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: guard", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 59, - "Content": " image: quay.io/devtron/guard:62058d7c-122-2192", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/guard:62058d7c-122-2192", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 60, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 61, - "Content": " ports:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - 
"Highlighted": " \u001b[38;5;33mports\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 62, - "Content": " - name: app", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: app", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 63, - "Content": " containerPort: 8080", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m8080", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 64, - "Content": " protocol: TCP", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mprotocol\u001b[0m: TCP", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 65, - "Content": " args:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33margs\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 66, - "Content": " - -alsologtostderr", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - -alsologtostderr", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 67, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV020", - "AVDID": "AVD-KSV-0020", - "Title": "Runs with UID \u003c= 10000", - "Description": "Force the container to run with user ID \u003e 10000 to avoid conflicts with the host’s user table.", - "Message": "Container 'guard' of Deployment 'guard' should set 'securityContext.runAsUser' \u003e 10000", - "Namespace": "builtin.kubernetes.KSV020", - "Query": "data.builtin.kubernetes.KSV020.deny", - "Resolution": "Set 'containers[].securityContext.runAsUser' to an integer \u003e 10000.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv020", - 
"References": [ - "https://kubesec.io/basics/containers-securitycontext-runasuser/", - "https://avd.aquasec.com/misconfig/ksv020" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 58, - "EndLine": 86, - "Code": { - "Lines": [ - { - "Number": 58, - "Content": " - name: guard", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: guard", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 59, - "Content": " image: quay.io/devtron/guard:62058d7c-122-2192", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/guard:62058d7c-122-2192", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 60, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 61, - "Content": " ports:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mports\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 62, - "Content": " - name: app", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: app", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 63, - "Content": " containerPort: 8080", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m8080", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 64, - "Content": " protocol: TCP", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mprotocol\u001b[0m: TCP", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 65, - "Content": " 
args:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33margs\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 66, - "Content": " - -alsologtostderr", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - -alsologtostderr", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 67, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV021", - "AVDID": "AVD-KSV-0021", - "Title": "Runs with GID \u003c= 10000", - "Description": "Force the container to run with group ID \u003e 10000 to avoid conflicts with the host’s user table.", - "Message": "Container 'guard' of Deployment 'guard' should set 'securityContext.runAsGroup' \u003e 10000", - "Namespace": "builtin.kubernetes.KSV021", - "Query": "data.builtin.kubernetes.KSV021.deny", - "Resolution": "Set 'containers[].securityContext.runAsGroup' to an integer \u003e 10000.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv021", - "References": [ - "https://kubesec.io/basics/containers-securitycontext-runasuser/", - "https://avd.aquasec.com/misconfig/ksv021" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 58, - "EndLine": 86, - "Code": { - "Lines": [ - { - "Number": 58, - "Content": " - name: guard", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: guard", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 59, - "Content": " image: quay.io/devtron/guard:62058d7c-122-2192", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/guard:62058d7c-122-2192", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 60, - 
"Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 61, - "Content": " ports:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mports\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 62, - "Content": " - name: app", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: app", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 63, - "Content": " containerPort: 8080", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m8080", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 64, - "Content": " protocol: TCP", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mprotocol\u001b[0m: TCP", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 65, - "Content": " args:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33margs\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 66, - "Content": " - -alsologtostderr", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - -alsologtostderr", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 67, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV030", - "AVDID": "AVD-KSV-0030", - "Title": "Runtime/Default Seccomp profile not set", - "Description": "According to pod security standard 'Seccomp', the RuntimeDefault seccomp profile must be required, or allow specific additional profiles.", 
- "Message": "Either Pod or Container should set 'securityContext.seccompProfile.type' to 'RuntimeDefault'", - "Namespace": "builtin.kubernetes.KSV030", - "Query": "data.builtin.kubernetes.KSV030.deny", - "Resolution": "Set 'spec.securityContext.seccompProfile.type', 'spec.containers[*].securityContext.seccompProfile' and 'spec.initContainers[*].securityContext.seccompProfile' to 'RuntimeDefault' or undefined.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv030", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", - "https://avd.aquasec.com/misconfig/ksv030" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 58, - "EndLine": 86, - "Code": { - "Lines": [ - { - "Number": 58, - "Content": " - name: guard", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: guard", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 59, - "Content": " image: quay.io/devtron/guard:62058d7c-122-2192", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/guard:62058d7c-122-2192", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 60, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 61, - "Content": " ports:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mports\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 62, - "Content": " - name: app", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: app", - "FirstCause": false, - "LastCause": false - }, - 
{ - "Number": 63, - "Content": " containerPort: 8080", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m8080", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 64, - "Content": " protocol: TCP", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mprotocol\u001b[0m: TCP", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 65, - "Content": " args:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33margs\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 66, - "Content": " - -alsologtostderr", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - -alsologtostderr", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 67, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV104", - "AVDID": "AVD-KSV-0104", - "Title": "Seccomp policies disabled", - "Description": "A program inside the container can bypass Seccomp protection policies.", - "Message": "container \"guard\" of deployment \"guard\" in \"default\" namespace should specify a seccomp profile", - "Namespace": "builtin.kubernetes.KSV104", - "Query": "data.builtin.kubernetes.KSV104.deny", - "Resolution": "Specify seccomp either by annotation or by seccomp profile type having allowed values as per pod security standards", - "Severity": "MEDIUM", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv104", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline", - "https://avd.aquasec.com/misconfig/ksv104" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 28, - "EndLine": 28, - 
"Code": { - "Lines": [ - { - "Number": 28, - "Content": "---", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "---", - "FirstCause": true, - "LastCause": true - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV106", - "AVDID": "AVD-KSV-0106", - "Title": "Container capabilities must only include NET_BIND_SERVICE", - "Description": "Containers must drop ALL capabilities, and are only permitted to add back the NET_BIND_SERVICE capability.", - "Message": "container should drop all", - "Namespace": "builtin.kubernetes.KSV106", - "Query": "data.builtin.kubernetes.KSV106.deny", - "Resolution": "Set 'spec.containers[*].securityContext.capabilities.drop' to 'ALL' and only add 'NET_BIND_SERVICE' to 'spec.containers[*].securityContext.capabilities.add'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv106", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", - "https://avd.aquasec.com/misconfig/ksv106" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 58, - "EndLine": 86, - "Code": { - "Lines": [ - { - "Number": 58, - "Content": " - name: guard", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: guard", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 59, - "Content": " image: quay.io/devtron/guard:62058d7c-122-2192", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/guard:62058d7c-122-2192", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 60, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 61, - 
"Content": " ports:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mports\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 62, - "Content": " - name: app", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: app", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 63, - "Content": " containerPort: 8080", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m8080", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 64, - "Content": " protocol: TCP", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mprotocol\u001b[0m: TCP", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 65, - "Content": " args:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33margs\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 66, - "Content": " - -alsologtostderr", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - -alsologtostderr", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 67, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - } - ] - }, - { - "Target": "manifests/yamls/hpa.yaml", - "Class": "config", - "Type": "kubernetes", - "MisconfSummary": { - "Successes": 153, - "Failures": 0, - "Exceptions": 0 - } - }, - { - "Target": "manifests/yamls/image-scanner.yaml", - "Class": "config", - "Type": "kubernetes", - "MisconfSummary": { - "Successes": 153, - "Failures": 12, - "Exceptions": 0 - }, - "Misconfigurations": [ - { - "Type": "Kubernetes Security Check", - "ID": "KSV003", - "AVDID": "AVD-KSV-0003", - "Title": "Default capabilities: some containers do not drop all", - 
"Description": "The container should drop all default capabilities and add only those that are needed for its execution.", - "Message": "Container 'image-scanner' of Deployment 'image-scanner' should add 'ALL' to 'securityContext.capabilities.drop'", - "Namespace": "builtin.kubernetes.KSV003", - "Query": "data.builtin.kubernetes.KSV003.deny", - "Resolution": "Add 'ALL' to containers[].securityContext.capabilities.drop.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv003", - "References": [ - "https://kubesec.io/basics/containers-securitycontext-capabilities-drop-index-all/", - "https://avd.aquasec.com/misconfig/ksv003" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 75, - "EndLine": 102, - "Code": { - "Lines": [ - { - "Number": 75, - "Content": " - name: image-scanner", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: image-scanner", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 76, - "Content": " image: \"quay.io/devtron/image-scanner:bdbcef05-334-21577\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/image-scanner:bdbcef05-334-21577\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 77, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 78, - "Content": " securityContext:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33msecurityContext\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 79, - "Content": " allowPrivilegeEscalation: false", - "IsCause": true, - "Annotation": "", - 
"Truncated": false, - "Highlighted": " \u001b[38;5;33mallowPrivilegeEscalation\u001b[0m: \u001b[38;5;166mfalse", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 80, - "Content": " runAsUser: 1000", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1000", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 81, - "Content": " runAsNonRoot: true", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 82, - "Content": " ports:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mports\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 83, - "Content": " - name: app", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: app", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 84, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV011", - "AVDID": "AVD-KSV-0011", - "Title": "CPU not limited", - "Description": "Enforcing CPU limits prevents DoS via resource exhaustion.", - "Message": "Container 'image-scanner' of Deployment 'image-scanner' should set 'resources.limits.cpu'", - "Namespace": "builtin.kubernetes.KSV011", - "Query": "data.builtin.kubernetes.KSV011.deny", - "Resolution": "Set a limit value under 'containers[].resources.limits.cpu'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv011", - "References": [ - "https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", - "https://avd.aquasec.com/misconfig/ksv011" 
- ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 75, - "EndLine": 102, - "Code": { - "Lines": [ - { - "Number": 75, - "Content": " - name: image-scanner", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: image-scanner", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 76, - "Content": " image: \"quay.io/devtron/image-scanner:bdbcef05-334-21577\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/image-scanner:bdbcef05-334-21577\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 77, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 78, - "Content": " securityContext:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33msecurityContext\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 79, - "Content": " allowPrivilegeEscalation: false", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mallowPrivilegeEscalation\u001b[0m: \u001b[38;5;166mfalse", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 80, - "Content": " runAsUser: 1000", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1000", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 81, - "Content": " runAsNonRoot: true", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue", - "FirstCause": false, - "LastCause": false - }, 
- { - "Number": 82, - "Content": " ports:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mports\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 83, - "Content": " - name: app", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: app", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 84, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV014", - "AVDID": "AVD-KSV-0014", - "Title": "Root file system is not read-only", - "Description": "An immutable root file system prevents applications from writing to their local disk. This can limit intrusions, as attackers will not be able to tamper with the file system or write foreign executables to disk.", - "Message": "Container 'image-scanner' of Deployment 'image-scanner' should set 'securityContext.readOnlyRootFilesystem' to true", - "Namespace": "builtin.kubernetes.KSV014", - "Query": "data.builtin.kubernetes.KSV014.deny", - "Resolution": "Change 'containers[].securityContext.readOnlyRootFilesystem' to 'true'.", - "Severity": "HIGH", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv014", - "References": [ - "https://kubesec.io/basics/containers-securitycontext-readonlyrootfilesystem-true/", - "https://avd.aquasec.com/misconfig/ksv014" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 75, - "EndLine": 102, - "Code": { - "Lines": [ - { - "Number": 75, - "Content": " - name: image-scanner", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: image-scanner", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 76, - "Content": " image: 
\"quay.io/devtron/image-scanner:bdbcef05-334-21577\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/image-scanner:bdbcef05-334-21577\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 77, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 78, - "Content": " securityContext:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33msecurityContext\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 79, - "Content": " allowPrivilegeEscalation: false", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mallowPrivilegeEscalation\u001b[0m: \u001b[38;5;166mfalse", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 80, - "Content": " runAsUser: 1000", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1000", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 81, - "Content": " runAsNonRoot: true", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 82, - "Content": " ports:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mports\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 83, - "Content": " - name: app", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: app", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 84, - 
"Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV015", - "AVDID": "AVD-KSV-0015", - "Title": "CPU requests not specified", - "Description": "When containers have resource requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", - "Message": "Container 'image-scanner' of Deployment 'image-scanner' should set 'resources.requests.cpu'", - "Namespace": "builtin.kubernetes.KSV015", - "Query": "data.builtin.kubernetes.KSV015.deny", - "Resolution": "Set 'containers[].resources.requests.cpu'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv015", - "References": [ - "https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", - "https://avd.aquasec.com/misconfig/ksv015" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 75, - "EndLine": 102, - "Code": { - "Lines": [ - { - "Number": 75, - "Content": " - name: image-scanner", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: image-scanner", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 76, - "Content": " image: \"quay.io/devtron/image-scanner:bdbcef05-334-21577\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/image-scanner:bdbcef05-334-21577\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 77, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - 
"Number": 78, - "Content": " securityContext:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33msecurityContext\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 79, - "Content": " allowPrivilegeEscalation: false", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mallowPrivilegeEscalation\u001b[0m: \u001b[38;5;166mfalse", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 80, - "Content": " runAsUser: 1000", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1000", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 81, - "Content": " runAsNonRoot: true", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 82, - "Content": " ports:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mports\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 83, - "Content": " - name: app", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: app", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 84, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV016", - "AVDID": "AVD-KSV-0016", - "Title": "Memory requests not specified", - "Description": "When containers have memory requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", - "Message": "Container 'image-scanner' of Deployment 'image-scanner' should set 
'resources.requests.memory'", - "Namespace": "builtin.kubernetes.KSV016", - "Query": "data.builtin.kubernetes.KSV016.deny", - "Resolution": "Set 'containers[].resources.requests.memory'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv016", - "References": [ - "https://kubesec.io/basics/containers-resources-limits-memory/", - "https://avd.aquasec.com/misconfig/ksv016" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 75, - "EndLine": 102, - "Code": { - "Lines": [ - { - "Number": 75, - "Content": " - name: image-scanner", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: image-scanner", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 76, - "Content": " image: \"quay.io/devtron/image-scanner:bdbcef05-334-21577\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/image-scanner:bdbcef05-334-21577\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 77, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 78, - "Content": " securityContext:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33msecurityContext\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 79, - "Content": " allowPrivilegeEscalation: false", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mallowPrivilegeEscalation\u001b[0m: \u001b[38;5;166mfalse", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 80, - "Content": " runAsUser: 1000", - "IsCause": true, - "Annotation": "", - 
"Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1000", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 81, - "Content": " runAsNonRoot: true", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 82, - "Content": " ports:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mports\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 83, - "Content": " - name: app", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: app", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 84, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV018", - "AVDID": "AVD-KSV-0018", - "Title": "Memory not limited", - "Description": "Enforcing memory limits prevents DoS via resource exhaustion.", - "Message": "Container 'image-scanner' of Deployment 'image-scanner' should set 'resources.limits.memory'", - "Namespace": "builtin.kubernetes.KSV018", - "Query": "data.builtin.kubernetes.KSV018.deny", - "Resolution": "Set a limit value under 'containers[].resources.limits.memory'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv018", - "References": [ - "https://kubesec.io/basics/containers-resources-limits-memory/", - "https://avd.aquasec.com/misconfig/ksv018" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 75, - "EndLine": 102, - "Code": { - "Lines": [ - { - "Number": 75, - "Content": " - name: image-scanner", - "IsCause": true, - "Annotation": "", - "Truncated": false, - 
"Highlighted": " - \u001b[38;5;33mname\u001b[0m: image-scanner", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 76, - "Content": " image: \"quay.io/devtron/image-scanner:bdbcef05-334-21577\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/image-scanner:bdbcef05-334-21577\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 77, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 78, - "Content": " securityContext:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33msecurityContext\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 79, - "Content": " allowPrivilegeEscalation: false", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mallowPrivilegeEscalation\u001b[0m: \u001b[38;5;166mfalse", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 80, - "Content": " runAsUser: 1000", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1000", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 81, - "Content": " runAsNonRoot: true", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 82, - "Content": " ports:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mports\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 83, - "Content": " - name: app", - "IsCause": true, - 
"Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: app", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 84, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV020", - "AVDID": "AVD-KSV-0020", - "Title": "Runs with UID \u003c= 10000", - "Description": "Force the container to run with user ID \u003e 10000 to avoid conflicts with the host’s user table.", - "Message": "Container 'image-scanner' of Deployment 'image-scanner' should set 'securityContext.runAsUser' \u003e 10000", - "Namespace": "builtin.kubernetes.KSV020", - "Query": "data.builtin.kubernetes.KSV020.deny", - "Resolution": "Set 'containers[].securityContext.runAsUser' to an integer \u003e 10000.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv020", - "References": [ - "https://kubesec.io/basics/containers-securitycontext-runasuser/", - "https://avd.aquasec.com/misconfig/ksv020" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 75, - "EndLine": 102, - "Code": { - "Lines": [ - { - "Number": 75, - "Content": " - name: image-scanner", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: image-scanner", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 76, - "Content": " image: \"quay.io/devtron/image-scanner:bdbcef05-334-21577\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/image-scanner:bdbcef05-334-21577\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 77, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m 
\u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 78, - "Content": " securityContext:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33msecurityContext\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 79, - "Content": " allowPrivilegeEscalation: false", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mallowPrivilegeEscalation\u001b[0m: \u001b[38;5;166mfalse", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 80, - "Content": " runAsUser: 1000", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1000", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 81, - "Content": " runAsNonRoot: true", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 82, - "Content": " ports:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mports\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 83, - "Content": " - name: app", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: app", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 84, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV021", - "AVDID": "AVD-KSV-0021", - "Title": "Runs with GID \u003c= 10000", - "Description": "Force the container to run with group ID \u003e 10000 to avoid conflicts with the host’s user table.", - "Message": "Container 'image-scanner' of 
Deployment 'image-scanner' should set 'securityContext.runAsGroup' \u003e 10000", - "Namespace": "builtin.kubernetes.KSV021", - "Query": "data.builtin.kubernetes.KSV021.deny", - "Resolution": "Set 'containers[].securityContext.runAsGroup' to an integer \u003e 10000.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv021", - "References": [ - "https://kubesec.io/basics/containers-securitycontext-runasuser/", - "https://avd.aquasec.com/misconfig/ksv021" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 75, - "EndLine": 102, - "Code": { - "Lines": [ - { - "Number": 75, - "Content": " - name: image-scanner", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: image-scanner", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 76, - "Content": " image: \"quay.io/devtron/image-scanner:bdbcef05-334-21577\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/image-scanner:bdbcef05-334-21577\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 77, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 78, - "Content": " securityContext:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33msecurityContext\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 79, - "Content": " allowPrivilegeEscalation: false", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mallowPrivilegeEscalation\u001b[0m: \u001b[38;5;166mfalse", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 80, - 
"Content": " runAsUser: 1000", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1000", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 81, - "Content": " runAsNonRoot: true", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 82, - "Content": " ports:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mports\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 83, - "Content": " - name: app", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: app", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 84, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV030", - "AVDID": "AVD-KSV-0030", - "Title": "Runtime/Default Seccomp profile not set", - "Description": "According to pod security standard 'Seccomp', the RuntimeDefault seccomp profile must be required, or allow specific additional profiles.", - "Message": "Either Pod or Container should set 'securityContext.seccompProfile.type' to 'RuntimeDefault'", - "Namespace": "builtin.kubernetes.KSV030", - "Query": "data.builtin.kubernetes.KSV030.deny", - "Resolution": "Set 'spec.securityContext.seccompProfile.type', 'spec.containers[*].securityContext.seccompProfile' and 'spec.initContainers[*].securityContext.seccompProfile' to 'RuntimeDefault' or undefined.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv030", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", - 
"https://avd.aquasec.com/misconfig/ksv030" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 75, - "EndLine": 102, - "Code": { - "Lines": [ - { - "Number": 75, - "Content": " - name: image-scanner", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: image-scanner", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 76, - "Content": " image: \"quay.io/devtron/image-scanner:bdbcef05-334-21577\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/image-scanner:bdbcef05-334-21577\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 77, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 78, - "Content": " securityContext:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33msecurityContext\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 79, - "Content": " allowPrivilegeEscalation: false", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mallowPrivilegeEscalation\u001b[0m: \u001b[38;5;166mfalse", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 80, - "Content": " runAsUser: 1000", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1000", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 81, - "Content": " runAsNonRoot: true", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue", - 
"FirstCause": false, - "LastCause": false - }, - { - "Number": 82, - "Content": " ports:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mports\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 83, - "Content": " - name: app", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: app", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 84, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "AVD-KSV-01010", - "AVDID": "AVD-KSV-01010", - "Title": "ConfigMap with sensitive content", - "Description": "Storing sensitive content such as usernames and email addresses in configMaps is unsafe", - "Message": "ConfigMap 'image-scanner-cm' in 'default' namespace stores sensitive contents in key(s) or value(s) '{\"PG_PORT\"}'", - "Namespace": "builtin.kubernetes.KSV01010", - "Query": "data.builtin.kubernetes.KSV01010.deny", - "Resolution": "Remove sensitive content from configMap data value", - "Severity": "MEDIUM", - "PrimaryURL": "https://avd.aquasec.com/misconfig/avd-ksv-01010", - "References": [ - "https://avd.aquasec.com/misconfig/avd-ksv-01010" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 9, - "EndLine": 9, - "Code": { - "Lines": [ - { - "Number": 9, - "Content": "---", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "---", - "FirstCause": true, - "LastCause": true - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV104", - "AVDID": "AVD-KSV-0104", - "Title": "Seccomp policies disabled", - "Description": "A program inside the container can bypass Seccomp protection policies.", - "Message": "container \"image-scanner\" of deployment 
\"image-scanner\" in \"default\" namespace should specify a seccomp profile", - "Namespace": "builtin.kubernetes.KSV104", - "Query": "data.builtin.kubernetes.KSV104.deny", - "Resolution": "Specify seccomp either by annotation or by seccomp profile type having allowed values as per pod security standards", - "Severity": "MEDIUM", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv104", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline", - "https://avd.aquasec.com/misconfig/ksv104" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 45, - "EndLine": 45, - "Code": { - "Lines": [ - { - "Number": 45, - "Content": "---", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "---", - "FirstCause": true, - "LastCause": true - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV106", - "AVDID": "AVD-KSV-0106", - "Title": "Container capabilities must only include NET_BIND_SERVICE", - "Description": "Containers must drop ALL capabilities, and are only permitted to add back the NET_BIND_SERVICE capability.", - "Message": "container should drop all", - "Namespace": "builtin.kubernetes.KSV106", - "Query": "data.builtin.kubernetes.KSV106.deny", - "Resolution": "Set 'spec.containers[*].securityContext.capabilities.drop' to 'ALL' and only add 'NET_BIND_SERVICE' to 'spec.containers[*].securityContext.capabilities.add'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv106", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", - "https://avd.aquasec.com/misconfig/ksv106" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 75, - "EndLine": 102, - "Code": { - "Lines": [ - { - "Number": 75, - "Content": " - name: image-scanner", - "IsCause": true, - "Annotation": 
"", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: image-scanner", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 76, - "Content": " image: \"quay.io/devtron/image-scanner:bdbcef05-334-21577\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/image-scanner:bdbcef05-334-21577\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 77, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 78, - "Content": " securityContext:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33msecurityContext\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 79, - "Content": " allowPrivilegeEscalation: false", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mallowPrivilegeEscalation\u001b[0m: \u001b[38;5;166mfalse", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 80, - "Content": " runAsUser: 1000", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1000", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 81, - "Content": " runAsNonRoot: true", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 82, - "Content": " ports:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mports\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 83, - "Content": " - name: app", - 
"IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: app", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 84, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - } - ] - }, - { - "Target": "manifests/yamls/kubelink.yaml", - "Class": "config", - "Type": "kubernetes", - "MisconfSummary": { - "Successes": 153, - "Failures": 11, - "Exceptions": 0 - }, - "Misconfigurations": [ - { - "Type": "Kubernetes Security Check", - "ID": "KSV003", - "AVDID": "AVD-KSV-0003", - "Title": "Default capabilities: some containers do not drop all", - "Description": "The container should drop all default capabilities and add only those that are needed for its execution.", - "Message": "Container 'kubelink' of Deployment 'kubelink' should add 'ALL' to 'securityContext.capabilities.drop'", - "Namespace": "builtin.kubernetes.KSV003", - "Query": "data.builtin.kubernetes.KSV003.deny", - "Resolution": "Add 'ALL' to containers[].securityContext.capabilities.drop.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv003", - "References": [ - "https://kubesec.io/basics/containers-securitycontext-capabilities-drop-index-all/", - "https://avd.aquasec.com/misconfig/ksv003" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 27, - "EndLine": 48, - "Code": { - "Lines": [ - { - "Number": 27, - "Content": " - name: kubelink", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: kubelink", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 28, - "Content": " image: \"quay.io/devtron/kubelink:7c66e0fc-564-21516\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: 
\u001b[38;5;37m\"quay.io/devtron/kubelink:7c66e0fc-564-21516\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 29, - "Content": " securityContext:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33msecurityContext\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 30, - "Content": " allowPrivilegeEscalation: false", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mallowPrivilegeEscalation\u001b[0m: \u001b[38;5;166mfalse", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 31, - "Content": " runAsUser: 1000", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1000", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 32, - "Content": " runAsNonRoot: true", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 33, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 34, - "Content": " ports:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mports\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 35, - "Content": " - name: app", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: app", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 36, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes 
Security Check", - "ID": "KSV011", - "AVDID": "AVD-KSV-0011", - "Title": "CPU not limited", - "Description": "Enforcing CPU limits prevents DoS via resource exhaustion.", - "Message": "Container 'kubelink' of Deployment 'kubelink' should set 'resources.limits.cpu'", - "Namespace": "builtin.kubernetes.KSV011", - "Query": "data.builtin.kubernetes.KSV011.deny", - "Resolution": "Set a limit value under 'containers[].resources.limits.cpu'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv011", - "References": [ - "https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", - "https://avd.aquasec.com/misconfig/ksv011" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 27, - "EndLine": 48, - "Code": { - "Lines": [ - { - "Number": 27, - "Content": " - name: kubelink", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: kubelink", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 28, - "Content": " image: \"quay.io/devtron/kubelink:7c66e0fc-564-21516\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/kubelink:7c66e0fc-564-21516\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 29, - "Content": " securityContext:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33msecurityContext\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 30, - "Content": " allowPrivilegeEscalation: false", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mallowPrivilegeEscalation\u001b[0m: \u001b[38;5;166mfalse", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 31, - "Content": " runAsUser: 1000", - "IsCause": 
true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1000", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 32, - "Content": " runAsNonRoot: true", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 33, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 34, - "Content": " ports:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mports\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 35, - "Content": " - name: app", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: app", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 36, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV014", - "AVDID": "AVD-KSV-0014", - "Title": "Root file system is not read-only", - "Description": "An immutable root file system prevents applications from writing to their local disk. 
This can limit intrusions, as attackers will not be able to tamper with the file system or write foreign executables to disk.", - "Message": "Container 'kubelink' of Deployment 'kubelink' should set 'securityContext.readOnlyRootFilesystem' to true", - "Namespace": "builtin.kubernetes.KSV014", - "Query": "data.builtin.kubernetes.KSV014.deny", - "Resolution": "Change 'containers[].securityContext.readOnlyRootFilesystem' to 'true'.", - "Severity": "HIGH", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv014", - "References": [ - "https://kubesec.io/basics/containers-securitycontext-readonlyrootfilesystem-true/", - "https://avd.aquasec.com/misconfig/ksv014" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 27, - "EndLine": 48, - "Code": { - "Lines": [ - { - "Number": 27, - "Content": " - name: kubelink", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: kubelink", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 28, - "Content": " image: \"quay.io/devtron/kubelink:7c66e0fc-564-21516\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/kubelink:7c66e0fc-564-21516\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 29, - "Content": " securityContext:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33msecurityContext\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 30, - "Content": " allowPrivilegeEscalation: false", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mallowPrivilegeEscalation\u001b[0m: \u001b[38;5;166mfalse", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 31, - "Content": " runAsUser: 1000", - "IsCause": true, - "Annotation": "", - "Truncated": 
false, - "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1000", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 32, - "Content": " runAsNonRoot: true", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 33, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 34, - "Content": " ports:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mports\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 35, - "Content": " - name: app", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: app", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 36, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV015", - "AVDID": "AVD-KSV-0015", - "Title": "CPU requests not specified", - "Description": "When containers have resource requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", - "Message": "Container 'kubelink' of Deployment 'kubelink' should set 'resources.requests.cpu'", - "Namespace": "builtin.kubernetes.KSV015", - "Query": "data.builtin.kubernetes.KSV015.deny", - "Resolution": "Set 'containers[].resources.requests.cpu'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv015", - "References": [ - 
"https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", - "https://avd.aquasec.com/misconfig/ksv015" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 27, - "EndLine": 48, - "Code": { - "Lines": [ - { - "Number": 27, - "Content": " - name: kubelink", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: kubelink", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 28, - "Content": " image: \"quay.io/devtron/kubelink:7c66e0fc-564-21516\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/kubelink:7c66e0fc-564-21516\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 29, - "Content": " securityContext:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33msecurityContext\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 30, - "Content": " allowPrivilegeEscalation: false", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mallowPrivilegeEscalation\u001b[0m: \u001b[38;5;166mfalse", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 31, - "Content": " runAsUser: 1000", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1000", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 32, - "Content": " runAsNonRoot: true", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 33, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - 
"Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 34, - "Content": " ports:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mports\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 35, - "Content": " - name: app", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: app", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 36, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV016", - "AVDID": "AVD-KSV-0016", - "Title": "Memory requests not specified", - "Description": "When containers have memory requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", - "Message": "Container 'kubelink' of Deployment 'kubelink' should set 'resources.requests.memory'", - "Namespace": "builtin.kubernetes.KSV016", - "Query": "data.builtin.kubernetes.KSV016.deny", - "Resolution": "Set 'containers[].resources.requests.memory'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv016", - "References": [ - "https://kubesec.io/basics/containers-resources-limits-memory/", - "https://avd.aquasec.com/misconfig/ksv016" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 27, - "EndLine": 48, - "Code": { - "Lines": [ - { - "Number": 27, - "Content": " - name: kubelink", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: kubelink", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 28, - "Content": " image: 
\"quay.io/devtron/kubelink:7c66e0fc-564-21516\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/kubelink:7c66e0fc-564-21516\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 29, - "Content": " securityContext:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33msecurityContext\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 30, - "Content": " allowPrivilegeEscalation: false", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mallowPrivilegeEscalation\u001b[0m: \u001b[38;5;166mfalse", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 31, - "Content": " runAsUser: 1000", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1000", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 32, - "Content": " runAsNonRoot: true", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 33, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 34, - "Content": " ports:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mports\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 35, - "Content": " - name: app", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: app", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 36, - "Content": 
"", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV018", - "AVDID": "AVD-KSV-0018", - "Title": "Memory not limited", - "Description": "Enforcing memory limits prevents DoS via resource exhaustion.", - "Message": "Container 'kubelink' of Deployment 'kubelink' should set 'resources.limits.memory'", - "Namespace": "builtin.kubernetes.KSV018", - "Query": "data.builtin.kubernetes.KSV018.deny", - "Resolution": "Set a limit value under 'containers[].resources.limits.memory'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv018", - "References": [ - "https://kubesec.io/basics/containers-resources-limits-memory/", - "https://avd.aquasec.com/misconfig/ksv018" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 27, - "EndLine": 48, - "Code": { - "Lines": [ - { - "Number": 27, - "Content": " - name: kubelink", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: kubelink", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 28, - "Content": " image: \"quay.io/devtron/kubelink:7c66e0fc-564-21516\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/kubelink:7c66e0fc-564-21516\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 29, - "Content": " securityContext:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33msecurityContext\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 30, - "Content": " allowPrivilegeEscalation: false", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mallowPrivilegeEscalation\u001b[0m: \u001b[38;5;166mfalse", - 
"FirstCause": false, - "LastCause": false - }, - { - "Number": 31, - "Content": " runAsUser: 1000", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1000", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 32, - "Content": " runAsNonRoot: true", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 33, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 34, - "Content": " ports:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mports\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 35, - "Content": " - name: app", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: app", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 36, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV020", - "AVDID": "AVD-KSV-0020", - "Title": "Runs with UID \u003c= 10000", - "Description": "Force the container to run with user ID \u003e 10000 to avoid conflicts with the host’s user table.", - "Message": "Container 'kubelink' of Deployment 'kubelink' should set 'securityContext.runAsUser' \u003e 10000", - "Namespace": "builtin.kubernetes.KSV020", - "Query": "data.builtin.kubernetes.KSV020.deny", - "Resolution": "Set 'containers[].securityContext.runAsUser' to an integer \u003e 10000.", - "Severity": "LOW", - "PrimaryURL": 
"https://avd.aquasec.com/misconfig/ksv020", - "References": [ - "https://kubesec.io/basics/containers-securitycontext-runasuser/", - "https://avd.aquasec.com/misconfig/ksv020" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 27, - "EndLine": 48, - "Code": { - "Lines": [ - { - "Number": 27, - "Content": " - name: kubelink", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: kubelink", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 28, - "Content": " image: \"quay.io/devtron/kubelink:7c66e0fc-564-21516\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/kubelink:7c66e0fc-564-21516\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 29, - "Content": " securityContext:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33msecurityContext\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 30, - "Content": " allowPrivilegeEscalation: false", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mallowPrivilegeEscalation\u001b[0m: \u001b[38;5;166mfalse", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 31, - "Content": " runAsUser: 1000", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1000", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 32, - "Content": " runAsNonRoot: true", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 33, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - 
"Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 34, - "Content": " ports:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mports\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 35, - "Content": " - name: app", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: app", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 36, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV021", - "AVDID": "AVD-KSV-0021", - "Title": "Runs with GID \u003c= 10000", - "Description": "Force the container to run with group ID \u003e 10000 to avoid conflicts with the host’s user table.", - "Message": "Container 'kubelink' of Deployment 'kubelink' should set 'securityContext.runAsGroup' \u003e 10000", - "Namespace": "builtin.kubernetes.KSV021", - "Query": "data.builtin.kubernetes.KSV021.deny", - "Resolution": "Set 'containers[].securityContext.runAsGroup' to an integer \u003e 10000.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv021", - "References": [ - "https://kubesec.io/basics/containers-securitycontext-runasuser/", - "https://avd.aquasec.com/misconfig/ksv021" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 27, - "EndLine": 48, - "Code": { - "Lines": [ - { - "Number": 27, - "Content": " - name: kubelink", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: kubelink", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 28, - "Content": " image: 
\"quay.io/devtron/kubelink:7c66e0fc-564-21516\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/kubelink:7c66e0fc-564-21516\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 29, - "Content": " securityContext:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33msecurityContext\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 30, - "Content": " allowPrivilegeEscalation: false", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mallowPrivilegeEscalation\u001b[0m: \u001b[38;5;166mfalse", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 31, - "Content": " runAsUser: 1000", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1000", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 32, - "Content": " runAsNonRoot: true", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 33, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 34, - "Content": " ports:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mports\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 35, - "Content": " - name: app", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: app", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 36, - "Content": 
"", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV030", - "AVDID": "AVD-KSV-0030", - "Title": "Runtime/Default Seccomp profile not set", - "Description": "According to pod security standard 'Seccomp', the RuntimeDefault seccomp profile must be required, or allow specific additional profiles.", - "Message": "Either Pod or Container should set 'securityContext.seccompProfile.type' to 'RuntimeDefault'", - "Namespace": "builtin.kubernetes.KSV030", - "Query": "data.builtin.kubernetes.KSV030.deny", - "Resolution": "Set 'spec.securityContext.seccompProfile.type', 'spec.containers[*].securityContext.seccompProfile' and 'spec.initContainers[*].securityContext.seccompProfile' to 'RuntimeDefault' or undefined.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv030", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", - "https://avd.aquasec.com/misconfig/ksv030" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 27, - "EndLine": 48, - "Code": { - "Lines": [ - { - "Number": 27, - "Content": " - name: kubelink", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: kubelink", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 28, - "Content": " image: \"quay.io/devtron/kubelink:7c66e0fc-564-21516\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/kubelink:7c66e0fc-564-21516\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 29, - "Content": " securityContext:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33msecurityContext\u001b[0m:", - "FirstCause": false, 
- "LastCause": false - }, - { - "Number": 30, - "Content": " allowPrivilegeEscalation: false", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mallowPrivilegeEscalation\u001b[0m: \u001b[38;5;166mfalse", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 31, - "Content": " runAsUser: 1000", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1000", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 32, - "Content": " runAsNonRoot: true", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 33, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 34, - "Content": " ports:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mports\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 35, - "Content": " - name: app", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: app", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 36, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV104", - "AVDID": "AVD-KSV-0104", - "Title": "Seccomp policies disabled", - "Description": "A program inside the container can bypass Seccomp protection policies.", - "Message": "container \"kubelink\" of deployment \"kubelink\" in \"default\" namespace should specify a seccomp profile", - 
"Namespace": "builtin.kubernetes.KSV104", - "Query": "data.builtin.kubernetes.KSV104.deny", - "Resolution": "Specify seccomp either by annotation or by seccomp profile type having allowed values as per pod security standards", - "Severity": "MEDIUM", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv104", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline", - "https://avd.aquasec.com/misconfig/ksv104" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "Code": { - "Lines": null - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV106", - "AVDID": "AVD-KSV-0106", - "Title": "Container capabilities must only include NET_BIND_SERVICE", - "Description": "Containers must drop ALL capabilities, and are only permitted to add back the NET_BIND_SERVICE capability.", - "Message": "container should drop all", - "Namespace": "builtin.kubernetes.KSV106", - "Query": "data.builtin.kubernetes.KSV106.deny", - "Resolution": "Set 'spec.containers[*].securityContext.capabilities.drop' to 'ALL' and only add 'NET_BIND_SERVICE' to 'spec.containers[*].securityContext.capabilities.add'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv106", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", - "https://avd.aquasec.com/misconfig/ksv106" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 27, - "EndLine": 48, - "Code": { - "Lines": [ - { - "Number": 27, - "Content": " - name: kubelink", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: kubelink", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 28, - "Content": " image: \"quay.io/devtron/kubelink:7c66e0fc-564-21516\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - 
"Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/kubelink:7c66e0fc-564-21516\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 29, - "Content": " securityContext:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33msecurityContext\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 30, - "Content": " allowPrivilegeEscalation: false", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mallowPrivilegeEscalation\u001b[0m: \u001b[38;5;166mfalse", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 31, - "Content": " runAsUser: 1000", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1000", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 32, - "Content": " runAsNonRoot: true", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 33, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 34, - "Content": " ports:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mports\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 35, - "Content": " - name: app", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: app", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 36, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } 
- ] - } - } - } - ] - }, - { - "Target": "manifests/yamls/kubewatch.yaml", - "Class": "config", - "Type": "kubernetes", - "MisconfSummary": { - "Successes": 153, - "Failures": 11, - "Exceptions": 0 - }, - "Misconfigurations": [ - { - "Type": "Kubernetes Security Check", - "ID": "KSV003", - "AVDID": "AVD-KSV-0003", - "Title": "Default capabilities: some containers do not drop all", - "Description": "The container should drop all default capabilities and add only those that are needed for its execution.", - "Message": "Container 'kubewatch' of Deployment 'kubewatch' should add 'ALL' to 'securityContext.capabilities.drop'", - "Namespace": "builtin.kubernetes.KSV003", - "Query": "data.builtin.kubernetes.KSV003.deny", - "Resolution": "Add 'ALL' to containers[].securityContext.capabilities.drop.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv003", - "References": [ - "https://kubesec.io/basics/containers-securitycontext-capabilities-drop-index-all/", - "https://avd.aquasec.com/misconfig/ksv003" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 166, - "EndLine": 187, - "Code": { - "Lines": [ - { - "Number": 166, - "Content": " - name: kubewatch", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: kubewatch", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 167, - "Content": " image: \"quay.io/devtron/kubewatch:91c2cece-419-21178\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/kubewatch:91c2cece-419-21178\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 168, - "Content": " securityContext:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33msecurityContext\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - 
"Number": 169, - "Content": " allowPrivilegeEscalation: false", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mallowPrivilegeEscalation\u001b[0m: \u001b[38;5;166mfalse", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 170, - "Content": " runAsUser: 1000", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1000", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 171, - "Content": " runAsNonRoot: true", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 172, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 173, - "Content": " - name: devtroncd_NAMESPACE", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: devtroncd_NAMESPACE", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 174, - "Content": " value: \"devtron-ci\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: \u001b[38;5;37m\"devtron-ci\"", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 175, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV011", - "AVDID": "AVD-KSV-0011", - "Title": "CPU not limited", - "Description": "Enforcing CPU limits prevents DoS via resource exhaustion.", - "Message": "Container 'kubewatch' of Deployment 'kubewatch' should set 'resources.limits.cpu'", - "Namespace": "builtin.kubernetes.KSV011", - "Query": 
"data.builtin.kubernetes.KSV011.deny", - "Resolution": "Set a limit value under 'containers[].resources.limits.cpu'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv011", - "References": [ - "https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", - "https://avd.aquasec.com/misconfig/ksv011" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 166, - "EndLine": 187, - "Code": { - "Lines": [ - { - "Number": 166, - "Content": " - name: kubewatch", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: kubewatch", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 167, - "Content": " image: \"quay.io/devtron/kubewatch:91c2cece-419-21178\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/kubewatch:91c2cece-419-21178\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 168, - "Content": " securityContext:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33msecurityContext\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 169, - "Content": " allowPrivilegeEscalation: false", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mallowPrivilegeEscalation\u001b[0m: \u001b[38;5;166mfalse", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 170, - "Content": " runAsUser: 1000", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1000", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 171, - "Content": " runAsNonRoot: true", - "IsCause": true, - "Annotation": "", - "Truncated": false, - 
"Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 172, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 173, - "Content": " - name: devtroncd_NAMESPACE", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: devtroncd_NAMESPACE", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 174, - "Content": " value: \"devtron-ci\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: \u001b[38;5;37m\"devtron-ci\"", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 175, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV014", - "AVDID": "AVD-KSV-0014", - "Title": "Root file system is not read-only", - "Description": "An immutable root file system prevents applications from writing to their local disk. 
This can limit intrusions, as attackers will not be able to tamper with the file system or write foreign executables to disk.", - "Message": "Container 'kubewatch' of Deployment 'kubewatch' should set 'securityContext.readOnlyRootFilesystem' to true", - "Namespace": "builtin.kubernetes.KSV014", - "Query": "data.builtin.kubernetes.KSV014.deny", - "Resolution": "Change 'containers[].securityContext.readOnlyRootFilesystem' to 'true'.", - "Severity": "HIGH", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv014", - "References": [ - "https://kubesec.io/basics/containers-securitycontext-readonlyrootfilesystem-true/", - "https://avd.aquasec.com/misconfig/ksv014" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 166, - "EndLine": 187, - "Code": { - "Lines": [ - { - "Number": 166, - "Content": " - name: kubewatch", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: kubewatch", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 167, - "Content": " image: \"quay.io/devtron/kubewatch:91c2cece-419-21178\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/kubewatch:91c2cece-419-21178\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 168, - "Content": " securityContext:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33msecurityContext\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 169, - "Content": " allowPrivilegeEscalation: false", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mallowPrivilegeEscalation\u001b[0m: \u001b[38;5;166mfalse", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 170, - "Content": " runAsUser: 1000", - "IsCause": true, - "Annotation": "", - 
"Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1000", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 171, - "Content": " runAsNonRoot: true", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 172, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 173, - "Content": " - name: devtroncd_NAMESPACE", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: devtroncd_NAMESPACE", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 174, - "Content": " value: \"devtron-ci\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: \u001b[38;5;37m\"devtron-ci\"", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 175, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV015", - "AVDID": "AVD-KSV-0015", - "Title": "CPU requests not specified", - "Description": "When containers have resource requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", - "Message": "Container 'kubewatch' of Deployment 'kubewatch' should set 'resources.requests.cpu'", - "Namespace": "builtin.kubernetes.KSV015", - "Query": "data.builtin.kubernetes.KSV015.deny", - "Resolution": "Set 'containers[].resources.requests.cpu'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv015", - "References": [ - 
"https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", - "https://avd.aquasec.com/misconfig/ksv015" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 166, - "EndLine": 187, - "Code": { - "Lines": [ - { - "Number": 166, - "Content": " - name: kubewatch", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: kubewatch", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 167, - "Content": " image: \"quay.io/devtron/kubewatch:91c2cece-419-21178\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/kubewatch:91c2cece-419-21178\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 168, - "Content": " securityContext:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33msecurityContext\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 169, - "Content": " allowPrivilegeEscalation: false", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mallowPrivilegeEscalation\u001b[0m: \u001b[38;5;166mfalse", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 170, - "Content": " runAsUser: 1000", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1000", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 171, - "Content": " runAsNonRoot: true", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 172, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": 
false, - "Highlighted": "\u001b[0m \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 173, - "Content": " - name: devtroncd_NAMESPACE", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: devtroncd_NAMESPACE", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 174, - "Content": " value: \"devtron-ci\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: \u001b[38;5;37m\"devtron-ci\"", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 175, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV016", - "AVDID": "AVD-KSV-0016", - "Title": "Memory requests not specified", - "Description": "When containers have memory requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", - "Message": "Container 'kubewatch' of Deployment 'kubewatch' should set 'resources.requests.memory'", - "Namespace": "builtin.kubernetes.KSV016", - "Query": "data.builtin.kubernetes.KSV016.deny", - "Resolution": "Set 'containers[].resources.requests.memory'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv016", - "References": [ - "https://kubesec.io/basics/containers-resources-limits-memory/", - "https://avd.aquasec.com/misconfig/ksv016" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 166, - "EndLine": 187, - "Code": { - "Lines": [ - { - "Number": 166, - "Content": " - name: kubewatch", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: kubewatch", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 167, - 
"Content": " image: \"quay.io/devtron/kubewatch:91c2cece-419-21178\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/kubewatch:91c2cece-419-21178\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 168, - "Content": " securityContext:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33msecurityContext\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 169, - "Content": " allowPrivilegeEscalation: false", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mallowPrivilegeEscalation\u001b[0m: \u001b[38;5;166mfalse", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 170, - "Content": " runAsUser: 1000", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1000", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 171, - "Content": " runAsNonRoot: true", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 172, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 173, - "Content": " - name: devtroncd_NAMESPACE", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: devtroncd_NAMESPACE", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 174, - "Content": " value: \"devtron-ci\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: \u001b[38;5;37m\"devtron-ci\"", - "FirstCause": false, - 
"LastCause": true - }, - { - "Number": 175, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV018", - "AVDID": "AVD-KSV-0018", - "Title": "Memory not limited", - "Description": "Enforcing memory limits prevents DoS via resource exhaustion.", - "Message": "Container 'kubewatch' of Deployment 'kubewatch' should set 'resources.limits.memory'", - "Namespace": "builtin.kubernetes.KSV018", - "Query": "data.builtin.kubernetes.KSV018.deny", - "Resolution": "Set a limit value under 'containers[].resources.limits.memory'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv018", - "References": [ - "https://kubesec.io/basics/containers-resources-limits-memory/", - "https://avd.aquasec.com/misconfig/ksv018" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 166, - "EndLine": 187, - "Code": { - "Lines": [ - { - "Number": 166, - "Content": " - name: kubewatch", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: kubewatch", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 167, - "Content": " image: \"quay.io/devtron/kubewatch:91c2cece-419-21178\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/kubewatch:91c2cece-419-21178\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 168, - "Content": " securityContext:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33msecurityContext\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 169, - "Content": " allowPrivilegeEscalation: false", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " 
\u001b[38;5;33mallowPrivilegeEscalation\u001b[0m: \u001b[38;5;166mfalse", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 170, - "Content": " runAsUser: 1000", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1000", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 171, - "Content": " runAsNonRoot: true", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 172, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 173, - "Content": " - name: devtroncd_NAMESPACE", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: devtroncd_NAMESPACE", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 174, - "Content": " value: \"devtron-ci\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: \u001b[38;5;37m\"devtron-ci\"", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 175, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV020", - "AVDID": "AVD-KSV-0020", - "Title": "Runs with UID \u003c= 10000", - "Description": "Force the container to run with user ID \u003e 10000 to avoid conflicts with the host’s user table.", - "Message": "Container 'kubewatch' of Deployment 'kubewatch' should set 'securityContext.runAsUser' \u003e 10000", - "Namespace": "builtin.kubernetes.KSV020", - "Query": "data.builtin.kubernetes.KSV020.deny", - "Resolution": "Set 
'containers[].securityContext.runAsUser' to an integer \u003e 10000.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv020", - "References": [ - "https://kubesec.io/basics/containers-securitycontext-runasuser/", - "https://avd.aquasec.com/misconfig/ksv020" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 166, - "EndLine": 187, - "Code": { - "Lines": [ - { - "Number": 166, - "Content": " - name: kubewatch", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: kubewatch", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 167, - "Content": " image: \"quay.io/devtron/kubewatch:91c2cece-419-21178\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/kubewatch:91c2cece-419-21178\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 168, - "Content": " securityContext:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33msecurityContext\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 169, - "Content": " allowPrivilegeEscalation: false", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mallowPrivilegeEscalation\u001b[0m: \u001b[38;5;166mfalse", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 170, - "Content": " runAsUser: 1000", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1000", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 171, - "Content": " runAsNonRoot: true", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue", - "FirstCause": false, - 
"LastCause": false - }, - { - "Number": 172, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 173, - "Content": " - name: devtroncd_NAMESPACE", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: devtroncd_NAMESPACE", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 174, - "Content": " value: \"devtron-ci\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: \u001b[38;5;37m\"devtron-ci\"", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 175, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV021", - "AVDID": "AVD-KSV-0021", - "Title": "Runs with GID \u003c= 10000", - "Description": "Force the container to run with group ID \u003e 10000 to avoid conflicts with the host’s user table.", - "Message": "Container 'kubewatch' of Deployment 'kubewatch' should set 'securityContext.runAsGroup' \u003e 10000", - "Namespace": "builtin.kubernetes.KSV021", - "Query": "data.builtin.kubernetes.KSV021.deny", - "Resolution": "Set 'containers[].securityContext.runAsGroup' to an integer \u003e 10000.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv021", - "References": [ - "https://kubesec.io/basics/containers-securitycontext-runasuser/", - "https://avd.aquasec.com/misconfig/ksv021" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 166, - "EndLine": 187, - "Code": { - "Lines": [ - { - "Number": 166, - "Content": " - name: kubewatch", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - 
\u001b[38;5;33mname\u001b[0m: kubewatch", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 167, - "Content": " image: \"quay.io/devtron/kubewatch:91c2cece-419-21178\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/kubewatch:91c2cece-419-21178\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 168, - "Content": " securityContext:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33msecurityContext\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 169, - "Content": " allowPrivilegeEscalation: false", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mallowPrivilegeEscalation\u001b[0m: \u001b[38;5;166mfalse", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 170, - "Content": " runAsUser: 1000", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1000", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 171, - "Content": " runAsNonRoot: true", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 172, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 173, - "Content": " - name: devtroncd_NAMESPACE", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: devtroncd_NAMESPACE", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 174, - "Content": " value: \"devtron-ci\"", - "IsCause": true, - "Annotation": "", - "Truncated": 
false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: \u001b[38;5;37m\"devtron-ci\"", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 175, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV030", - "AVDID": "AVD-KSV-0030", - "Title": "Runtime/Default Seccomp profile not set", - "Description": "According to pod security standard 'Seccomp', the RuntimeDefault seccomp profile must be required, or allow specific additional profiles.", - "Message": "Either Pod or Container should set 'securityContext.seccompProfile.type' to 'RuntimeDefault'", - "Namespace": "builtin.kubernetes.KSV030", - "Query": "data.builtin.kubernetes.KSV030.deny", - "Resolution": "Set 'spec.securityContext.seccompProfile.type', 'spec.containers[*].securityContext.seccompProfile' and 'spec.initContainers[*].securityContext.seccompProfile' to 'RuntimeDefault' or undefined.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv030", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", - "https://avd.aquasec.com/misconfig/ksv030" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 166, - "EndLine": 187, - "Code": { - "Lines": [ - { - "Number": 166, - "Content": " - name: kubewatch", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: kubewatch", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 167, - "Content": " image: \"quay.io/devtron/kubewatch:91c2cece-419-21178\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/kubewatch:91c2cece-419-21178\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 168, - 
"Content": " securityContext:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33msecurityContext\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 169, - "Content": " allowPrivilegeEscalation: false", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mallowPrivilegeEscalation\u001b[0m: \u001b[38;5;166mfalse", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 170, - "Content": " runAsUser: 1000", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1000", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 171, - "Content": " runAsNonRoot: true", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 172, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 173, - "Content": " - name: devtroncd_NAMESPACE", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: devtroncd_NAMESPACE", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 174, - "Content": " value: \"devtron-ci\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: \u001b[38;5;37m\"devtron-ci\"", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 175, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV104", - "AVDID": "AVD-KSV-0104", - "Title": "Seccomp policies disabled", - 
"Description": "A program inside the container can bypass Seccomp protection policies.", - "Message": "container \"kubewatch\" of deployment \"kubewatch\" in \"devtroncd\" namespace should specify a seccomp profile", - "Namespace": "builtin.kubernetes.KSV104", - "Query": "data.builtin.kubernetes.KSV104.deny", - "Resolution": "Specify seccomp either by annotation or by seccomp profile type having allowed values as per pod security standards", - "Severity": "MEDIUM", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv104", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline", - "https://avd.aquasec.com/misconfig/ksv104" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 134, - "EndLine": 134, - "Code": { - "Lines": [ - { - "Number": 134, - "Content": "---", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "---", - "FirstCause": true, - "LastCause": true - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV106", - "AVDID": "AVD-KSV-0106", - "Title": "Container capabilities must only include NET_BIND_SERVICE", - "Description": "Containers must drop ALL capabilities, and are only permitted to add back the NET_BIND_SERVICE capability.", - "Message": "container should drop all", - "Namespace": "builtin.kubernetes.KSV106", - "Query": "data.builtin.kubernetes.KSV106.deny", - "Resolution": "Set 'spec.containers[*].securityContext.capabilities.drop' to 'ALL' and only add 'NET_BIND_SERVICE' to 'spec.containers[*].securityContext.capabilities.add'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv106", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", - "https://avd.aquasec.com/misconfig/ksv106" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 
166, - "EndLine": 187, - "Code": { - "Lines": [ - { - "Number": 166, - "Content": " - name: kubewatch", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: kubewatch", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 167, - "Content": " image: \"quay.io/devtron/kubewatch:91c2cece-419-21178\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/kubewatch:91c2cece-419-21178\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 168, - "Content": " securityContext:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33msecurityContext\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 169, - "Content": " allowPrivilegeEscalation: false", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mallowPrivilegeEscalation\u001b[0m: \u001b[38;5;166mfalse", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 170, - "Content": " runAsUser: 1000", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1000", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 171, - "Content": " runAsNonRoot: true", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 172, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 173, - "Content": " - name: devtroncd_NAMESPACE", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: 
devtroncd_NAMESPACE", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 174, - "Content": " value: \"devtron-ci\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: \u001b[38;5;37m\"devtron-ci\"", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 175, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - } - ] - }, - { - "Target": "manifests/yamls/lens.yaml", - "Class": "config", - "Type": "kubernetes", - "MisconfSummary": { - "Successes": 153, - "Failures": 12, - "Exceptions": 0 - }, - "Misconfigurations": [ - { - "Type": "Kubernetes Security Check", - "ID": "KSV003", - "AVDID": "AVD-KSV-0003", - "Title": "Default capabilities: some containers do not drop all", - "Description": "The container should drop all default capabilities and add only those that are needed for its execution.", - "Message": "Container 'lens' of Deployment 'lens' should add 'ALL' to 'securityContext.capabilities.drop'", - "Namespace": "builtin.kubernetes.KSV003", - "Query": "data.builtin.kubernetes.KSV003.deny", - "Resolution": "Add 'ALL' to containers[].securityContext.capabilities.drop.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv003", - "References": [ - "https://kubesec.io/basics/containers-securitycontext-capabilities-drop-index-all/", - "https://avd.aquasec.com/misconfig/ksv003" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 73, - "EndLine": 98, - "Code": { - "Lines": [ - { - "Number": 73, - "Content": " - name: lens", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: lens", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 74, - "Content": " image: \"quay.io/devtron/lens:70577aaa-333-21179\"", - "IsCause": true, - 
"Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/lens:70577aaa-333-21179\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 75, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 76, - "Content": " securityContext:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33msecurityContext\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 77, - "Content": " allowPrivilegeEscalation: false", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mallowPrivilegeEscalation\u001b[0m: \u001b[38;5;166mfalse", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 78, - "Content": " runAsUser: 1000", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1000", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 79, - "Content": " runAsNonRoot: true", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 80, - "Content": " ports:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mports\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 81, - "Content": " - name: app", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: app", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 82, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - 
"FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV011", - "AVDID": "AVD-KSV-0011", - "Title": "CPU not limited", - "Description": "Enforcing CPU limits prevents DoS via resource exhaustion.", - "Message": "Container 'lens' of Deployment 'lens' should set 'resources.limits.cpu'", - "Namespace": "builtin.kubernetes.KSV011", - "Query": "data.builtin.kubernetes.KSV011.deny", - "Resolution": "Set a limit value under 'containers[].resources.limits.cpu'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv011", - "References": [ - "https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", - "https://avd.aquasec.com/misconfig/ksv011" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 73, - "EndLine": 98, - "Code": { - "Lines": [ - { - "Number": 73, - "Content": " - name: lens", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: lens", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 74, - "Content": " image: \"quay.io/devtron/lens:70577aaa-333-21179\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/lens:70577aaa-333-21179\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 75, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 76, - "Content": " securityContext:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33msecurityContext\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 77, - 
"Content": " allowPrivilegeEscalation: false", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mallowPrivilegeEscalation\u001b[0m: \u001b[38;5;166mfalse", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 78, - "Content": " runAsUser: 1000", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1000", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 79, - "Content": " runAsNonRoot: true", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 80, - "Content": " ports:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mports\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 81, - "Content": " - name: app", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: app", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 82, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV014", - "AVDID": "AVD-KSV-0014", - "Title": "Root file system is not read-only", - "Description": "An immutable root file system prevents applications from writing to their local disk. 
This can limit intrusions, as attackers will not be able to tamper with the file system or write foreign executables to disk.", - "Message": "Container 'lens' of Deployment 'lens' should set 'securityContext.readOnlyRootFilesystem' to true", - "Namespace": "builtin.kubernetes.KSV014", - "Query": "data.builtin.kubernetes.KSV014.deny", - "Resolution": "Change 'containers[].securityContext.readOnlyRootFilesystem' to 'true'.", - "Severity": "HIGH", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv014", - "References": [ - "https://kubesec.io/basics/containers-securitycontext-readonlyrootfilesystem-true/", - "https://avd.aquasec.com/misconfig/ksv014" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 73, - "EndLine": 98, - "Code": { - "Lines": [ - { - "Number": 73, - "Content": " - name: lens", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: lens", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 74, - "Content": " image: \"quay.io/devtron/lens:70577aaa-333-21179\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/lens:70577aaa-333-21179\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 75, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 76, - "Content": " securityContext:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33msecurityContext\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 77, - "Content": " allowPrivilegeEscalation: false", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " 
\u001b[38;5;33mallowPrivilegeEscalation\u001b[0m: \u001b[38;5;166mfalse", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 78, - "Content": " runAsUser: 1000", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1000", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 79, - "Content": " runAsNonRoot: true", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 80, - "Content": " ports:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mports\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 81, - "Content": " - name: app", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: app", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 82, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV015", - "AVDID": "AVD-KSV-0015", - "Title": "CPU requests not specified", - "Description": "When containers have resource requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", - "Message": "Container 'lens' of Deployment 'lens' should set 'resources.requests.cpu'", - "Namespace": "builtin.kubernetes.KSV015", - "Query": "data.builtin.kubernetes.KSV015.deny", - "Resolution": "Set 'containers[].resources.requests.cpu'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv015", - "References": [ - 
"https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", - "https://avd.aquasec.com/misconfig/ksv015" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 73, - "EndLine": 98, - "Code": { - "Lines": [ - { - "Number": 73, - "Content": " - name: lens", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: lens", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 74, - "Content": " image: \"quay.io/devtron/lens:70577aaa-333-21179\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/lens:70577aaa-333-21179\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 75, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 76, - "Content": " securityContext:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33msecurityContext\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 77, - "Content": " allowPrivilegeEscalation: false", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mallowPrivilegeEscalation\u001b[0m: \u001b[38;5;166mfalse", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 78, - "Content": " runAsUser: 1000", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1000", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 79, - "Content": " runAsNonRoot: true", - "IsCause": true, - "Annotation": "", - "Truncated": false, - 
"Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 80, - "Content": " ports:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mports\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 81, - "Content": " - name: app", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: app", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 82, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV016", - "AVDID": "AVD-KSV-0016", - "Title": "Memory requests not specified", - "Description": "When containers have memory requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", - "Message": "Container 'lens' of Deployment 'lens' should set 'resources.requests.memory'", - "Namespace": "builtin.kubernetes.KSV016", - "Query": "data.builtin.kubernetes.KSV016.deny", - "Resolution": "Set 'containers[].resources.requests.memory'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv016", - "References": [ - "https://kubesec.io/basics/containers-resources-limits-memory/", - "https://avd.aquasec.com/misconfig/ksv016" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 73, - "EndLine": 98, - "Code": { - "Lines": [ - { - "Number": 73, - "Content": " - name: lens", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: lens", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 74, - "Content": " image: \"quay.io/devtron/lens:70577aaa-333-21179\"", - 
"IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/lens:70577aaa-333-21179\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 75, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 76, - "Content": " securityContext:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33msecurityContext\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 77, - "Content": " allowPrivilegeEscalation: false", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mallowPrivilegeEscalation\u001b[0m: \u001b[38;5;166mfalse", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 78, - "Content": " runAsUser: 1000", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1000", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 79, - "Content": " runAsNonRoot: true", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 80, - "Content": " ports:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mports\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 81, - "Content": " - name: app", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: app", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 82, - "Content": "", - "IsCause": false, - "Annotation": "", - 
"Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV018", - "AVDID": "AVD-KSV-0018", - "Title": "Memory not limited", - "Description": "Enforcing memory limits prevents DoS via resource exhaustion.", - "Message": "Container 'lens' of Deployment 'lens' should set 'resources.limits.memory'", - "Namespace": "builtin.kubernetes.KSV018", - "Query": "data.builtin.kubernetes.KSV018.deny", - "Resolution": "Set a limit value under 'containers[].resources.limits.memory'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv018", - "References": [ - "https://kubesec.io/basics/containers-resources-limits-memory/", - "https://avd.aquasec.com/misconfig/ksv018" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 73, - "EndLine": 98, - "Code": { - "Lines": [ - { - "Number": 73, - "Content": " - name: lens", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: lens", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 74, - "Content": " image: \"quay.io/devtron/lens:70577aaa-333-21179\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/lens:70577aaa-333-21179\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 75, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 76, - "Content": " securityContext:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33msecurityContext\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 77, - "Content": " 
allowPrivilegeEscalation: false", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mallowPrivilegeEscalation\u001b[0m: \u001b[38;5;166mfalse", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 78, - "Content": " runAsUser: 1000", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1000", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 79, - "Content": " runAsNonRoot: true", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 80, - "Content": " ports:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mports\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 81, - "Content": " - name: app", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: app", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 82, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV020", - "AVDID": "AVD-KSV-0020", - "Title": "Runs with UID \u003c= 10000", - "Description": "Force the container to run with user ID \u003e 10000 to avoid conflicts with the host’s user table.", - "Message": "Container 'lens' of Deployment 'lens' should set 'securityContext.runAsUser' \u003e 10000", - "Namespace": "builtin.kubernetes.KSV020", - "Query": "data.builtin.kubernetes.KSV020.deny", - "Resolution": "Set 'containers[].securityContext.runAsUser' to an integer \u003e 10000.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv020", - "References": [ - 
"https://kubesec.io/basics/containers-securitycontext-runasuser/", - "https://avd.aquasec.com/misconfig/ksv020" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 73, - "EndLine": 98, - "Code": { - "Lines": [ - { - "Number": 73, - "Content": " - name: lens", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: lens", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 74, - "Content": " image: \"quay.io/devtron/lens:70577aaa-333-21179\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/lens:70577aaa-333-21179\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 75, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 76, - "Content": " securityContext:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33msecurityContext\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 77, - "Content": " allowPrivilegeEscalation: false", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mallowPrivilegeEscalation\u001b[0m: \u001b[38;5;166mfalse", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 78, - "Content": " runAsUser: 1000", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1000", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 79, - "Content": " runAsNonRoot: true", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m 
\u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 80, - "Content": " ports:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mports\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 81, - "Content": " - name: app", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: app", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 82, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV021", - "AVDID": "AVD-KSV-0021", - "Title": "Runs with GID \u003c= 10000", - "Description": "Force the container to run with group ID \u003e 10000 to avoid conflicts with the host’s user table.", - "Message": "Container 'lens' of Deployment 'lens' should set 'securityContext.runAsGroup' \u003e 10000", - "Namespace": "builtin.kubernetes.KSV021", - "Query": "data.builtin.kubernetes.KSV021.deny", - "Resolution": "Set 'containers[].securityContext.runAsGroup' to an integer \u003e 10000.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv021", - "References": [ - "https://kubesec.io/basics/containers-securitycontext-runasuser/", - "https://avd.aquasec.com/misconfig/ksv021" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 73, - "EndLine": 98, - "Code": { - "Lines": [ - { - "Number": 73, - "Content": " - name: lens", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: lens", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 74, - "Content": " image: \"quay.io/devtron/lens:70577aaa-333-21179\"", - "IsCause": true, - "Annotation": "", - "Truncated": 
false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/lens:70577aaa-333-21179\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 75, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 76, - "Content": " securityContext:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33msecurityContext\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 77, - "Content": " allowPrivilegeEscalation: false", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mallowPrivilegeEscalation\u001b[0m: \u001b[38;5;166mfalse", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 78, - "Content": " runAsUser: 1000", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1000", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 79, - "Content": " runAsNonRoot: true", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 80, - "Content": " ports:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mports\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 81, - "Content": " - name: app", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: app", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 82, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": 
false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV030", - "AVDID": "AVD-KSV-0030", - "Title": "Runtime/Default Seccomp profile not set", - "Description": "According to pod security standard 'Seccomp', the RuntimeDefault seccomp profile must be required, or allow specific additional profiles.", - "Message": "Either Pod or Container should set 'securityContext.seccompProfile.type' to 'RuntimeDefault'", - "Namespace": "builtin.kubernetes.KSV030", - "Query": "data.builtin.kubernetes.KSV030.deny", - "Resolution": "Set 'spec.securityContext.seccompProfile.type', 'spec.containers[*].securityContext.seccompProfile' and 'spec.initContainers[*].securityContext.seccompProfile' to 'RuntimeDefault' or undefined.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv030", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", - "https://avd.aquasec.com/misconfig/ksv030" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 73, - "EndLine": 98, - "Code": { - "Lines": [ - { - "Number": 73, - "Content": " - name: lens", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: lens", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 74, - "Content": " image: \"quay.io/devtron/lens:70577aaa-333-21179\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/lens:70577aaa-333-21179\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 75, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 76, - "Content": " securityContext:", - "IsCause": 
true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33msecurityContext\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 77, - "Content": " allowPrivilegeEscalation: false", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mallowPrivilegeEscalation\u001b[0m: \u001b[38;5;166mfalse", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 78, - "Content": " runAsUser: 1000", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1000", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 79, - "Content": " runAsNonRoot: true", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 80, - "Content": " ports:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mports\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 81, - "Content": " - name: app", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: app", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 82, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "AVD-KSV-01010", - "AVDID": "AVD-KSV-01010", - "Title": "ConfigMap with sensitive content", - "Description": "Storing sensitive content such as usernames and email addresses in configMaps is unsafe", - "Message": "ConfigMap 'lens-cm' in 'default' namespace stores sensitive contents in key(s) or value(s) '{\"GIT_SENSOR_PROTOCOL\", \"PG_PORT\"}'", - "Namespace": "builtin.kubernetes.KSV01010", - "Query": 
"data.builtin.kubernetes.KSV01010.deny", - "Resolution": "Remove sensitive content from configMap data value", - "Severity": "MEDIUM", - "PrimaryURL": "https://avd.aquasec.com/misconfig/avd-ksv-01010", - "References": [ - "https://avd.aquasec.com/misconfig/avd-ksv-01010" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 8, - "EndLine": 8, - "Code": { - "Lines": [ - { - "Number": 8, - "Content": "---", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "---", - "FirstCause": true, - "LastCause": true - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV104", - "AVDID": "AVD-KSV-0104", - "Title": "Seccomp policies disabled", - "Description": "A program inside the container can bypass Seccomp protection policies.", - "Message": "container \"lens\" of deployment \"lens\" in \"default\" namespace should specify a seccomp profile", - "Namespace": "builtin.kubernetes.KSV104", - "Query": "data.builtin.kubernetes.KSV104.deny", - "Resolution": "Specify seccomp either by annotation or by seccomp profile type having allowed values as per pod security standards", - "Severity": "MEDIUM", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv104", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline", - "https://avd.aquasec.com/misconfig/ksv104" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 43, - "EndLine": 43, - "Code": { - "Lines": [ - { - "Number": 43, - "Content": "---", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "---", - "FirstCause": true, - "LastCause": true - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV106", - "AVDID": "AVD-KSV-0106", - "Title": "Container capabilities must only include NET_BIND_SERVICE", - "Description": "Containers must drop ALL 
capabilities, and are only permitted to add back the NET_BIND_SERVICE capability.", - "Message": "container should drop all", - "Namespace": "builtin.kubernetes.KSV106", - "Query": "data.builtin.kubernetes.KSV106.deny", - "Resolution": "Set 'spec.containers[*].securityContext.capabilities.drop' to 'ALL' and only add 'NET_BIND_SERVICE' to 'spec.containers[*].securityContext.capabilities.add'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv106", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", - "https://avd.aquasec.com/misconfig/ksv106" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 73, - "EndLine": 98, - "Code": { - "Lines": [ - { - "Number": 73, - "Content": " - name: lens", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: lens", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 74, - "Content": " image: \"quay.io/devtron/lens:70577aaa-333-21179\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/lens:70577aaa-333-21179\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 75, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 76, - "Content": " securityContext:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33msecurityContext\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 77, - "Content": " allowPrivilegeEscalation: false", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " 
\u001b[38;5;33mallowPrivilegeEscalation\u001b[0m: \u001b[38;5;166mfalse", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 78, - "Content": " runAsUser: 1000", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1000", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 79, - "Content": " runAsNonRoot: true", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 80, - "Content": " ports:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mports\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 81, - "Content": " - name: app", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: app", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 82, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - } - ] - }, - { - "Target": "manifests/yamls/migrator.yaml", - "Class": "config", - "Type": "kubernetes", - "MisconfSummary": { - "Successes": 153, - "Failures": 80, - "Exceptions": 0 - }, - "Misconfigurations": [ - { - "Type": "Kubernetes Security Check", - "ID": "KSV001", - "AVDID": "AVD-KSV-0001", - "Title": "Can elevate its own privileges", - "Description": "A program inside the container can elevate its own privileges and run as root, which might give the program control over the container and node.", - "Message": "Container 'chart-sync' of CronJob 'app-sync-cronjob' should set 'securityContext.allowPrivilegeEscalation' to false", - "Namespace": "builtin.kubernetes.KSV001", - "Query": "data.builtin.kubernetes.KSV001.deny", - "Resolution": "Set 'set 
containers[].securityContext.allowPrivilegeEscalation' to 'false'.", - "Severity": "MEDIUM", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv001", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", - "https://avd.aquasec.com/misconfig/ksv001" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 261, - "EndLine": 272, - "Code": { - "Lines": [ - { - "Number": 261, - "Content": " - name: chart-sync", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: chart-sync", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 262, - "Content": " image: quay.io/devtron/chart-sync:d0dcc590-373-21074", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/chart-sync:d0dcc590-373-21074", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 263, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 264, - "Content": " - name: PG_ADDR", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: PG_ADDR", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 265, - "Content": " value: postgresql-postgresql.devtroncd", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: postgresql-postgresql.devtroncd", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 266, - "Content": " - name: PG_DATABASE", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: PG_DATABASE", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 267, - "Content": " value: orchestrator", - 
"IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: orchestrator", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 268, - "Content": " - name: PG_USER", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: PG_USER", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 269, - "Content": " value: postgres", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: postgres", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 270, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV001", - "AVDID": "AVD-KSV-0001", - "Title": "Can elevate its own privileges", - "Description": "A program inside the container can elevate its own privileges and run as root, which might give the program control over the container and node.", - "Message": "Container 'devtron-rollout' of Job 'postgresql-migrate-casbin' should set 'securityContext.allowPrivilegeEscalation' to false", - "Namespace": "builtin.kubernetes.KSV001", - "Query": "data.builtin.kubernetes.KSV001.deny", - "Resolution": "Set 'set containers[].securityContext.allowPrivilegeEscalation' to 'false'.", - "Severity": "MEDIUM", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv001", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", - "https://avd.aquasec.com/misconfig/ksv001" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 71, - "EndLine": 73, - "Code": { - "Lines": [ - { - "Number": 71, - "Content": " - name: devtron-rollout", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: 
devtron-rollout", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 72, - "Content": " image: \"quay.io/devtron/kubectl:latest\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/kubectl:latest\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 73, - "Content": " command: ['sh', '-c', 'kubectl rollout restart deployment/devtron -n devtroncd \u0026\u0026 kubectl rollout restart deployment/kubelink -n devtroncd']", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mcommand\u001b[0m: [\u001b[38;5;37m'sh'\u001b[0m, \u001b[38;5;37m'-c'\u001b[0m, \u001b[38;5;37m'kubectl rollout restart deployment/devtron -n devtroncd \u0026\u0026 kubectl rollout restart deployment/kubelink -n devtroncd'\u001b[0m]", - "FirstCause": false, - "LastCause": true - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV003", - "AVDID": "AVD-KSV-0003", - "Title": "Default capabilities: some containers do not drop all", - "Description": "The container should drop all default capabilities and add only those that are needed for its execution.", - "Message": "Container 'chart-sync' of CronJob 'app-sync-cronjob' should add 'ALL' to 'securityContext.capabilities.drop'", - "Namespace": "builtin.kubernetes.KSV003", - "Query": "data.builtin.kubernetes.KSV003.deny", - "Resolution": "Add 'ALL' to containers[].securityContext.capabilities.drop.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv003", - "References": [ - "https://kubesec.io/basics/containers-securitycontext-capabilities-drop-index-all/", - "https://avd.aquasec.com/misconfig/ksv003" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 261, - "EndLine": 272, - "Code": { - "Lines": [ - { - "Number": 261, - "Content": " - name: chart-sync", - 
"IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: chart-sync", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 262, - "Content": " image: quay.io/devtron/chart-sync:d0dcc590-373-21074", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/chart-sync:d0dcc590-373-21074", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 263, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 264, - "Content": " - name: PG_ADDR", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: PG_ADDR", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 265, - "Content": " value: postgresql-postgresql.devtroncd", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: postgresql-postgresql.devtroncd", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 266, - "Content": " - name: PG_DATABASE", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: PG_DATABASE", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 267, - "Content": " value: orchestrator", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: orchestrator", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 268, - "Content": " - name: PG_USER", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: PG_USER", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 269, - "Content": " value: postgres", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " 
\u001b[38;5;33mvalue\u001b[0m: postgres", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 270, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV003", - "AVDID": "AVD-KSV-0003", - "Title": "Default capabilities: some containers do not drop all", - "Description": "The container should drop all default capabilities and add only those that are needed for its execution.", - "Message": "Container 'devtron-rollout' of Job 'postgresql-migrate-casbin' should add 'ALL' to 'securityContext.capabilities.drop'", - "Namespace": "builtin.kubernetes.KSV003", - "Query": "data.builtin.kubernetes.KSV003.deny", - "Resolution": "Add 'ALL' to containers[].securityContext.capabilities.drop.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv003", - "References": [ - "https://kubesec.io/basics/containers-securitycontext-capabilities-drop-index-all/", - "https://avd.aquasec.com/misconfig/ksv003" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 71, - "EndLine": 73, - "Code": { - "Lines": [ - { - "Number": 71, - "Content": " - name: devtron-rollout", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: devtron-rollout", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 72, - "Content": " image: \"quay.io/devtron/kubectl:latest\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/kubectl:latest\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 73, - "Content": " command: ['sh', '-c', 'kubectl rollout restart deployment/devtron -n devtroncd \u0026\u0026 kubectl rollout restart deployment/kubelink -n devtroncd']", - "IsCause": true, - 
"Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mcommand\u001b[0m: [\u001b[38;5;37m'sh'\u001b[0m, \u001b[38;5;37m'-c'\u001b[0m, \u001b[38;5;37m'kubectl rollout restart deployment/devtron -n devtroncd \u0026\u0026 kubectl rollout restart deployment/kubelink -n devtroncd'\u001b[0m]", - "FirstCause": false, - "LastCause": true - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV003", - "AVDID": "AVD-KSV-0003", - "Title": "Default capabilities: some containers do not drop all", - "Description": "The container should drop all default capabilities and add only those that are needed for its execution.", - "Message": "Container 'postgresql-migrate-casbin' of Job 'postgresql-migrate-casbin' should add 'ALL' to 'securityContext.capabilities.drop'", - "Namespace": "builtin.kubernetes.KSV003", - "Query": "data.builtin.kubernetes.KSV003.deny", - "Resolution": "Add 'ALL' to containers[].securityContext.capabilities.drop.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv003", - "References": [ - "https://kubesec.io/basics/containers-securitycontext-capabilities-drop-index-all/", - "https://avd.aquasec.com/misconfig/ksv003" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 75, - "EndLine": 108, - "Code": { - "Lines": [ - { - "Number": 75, - "Content": " - name: postgresql-migrate-casbin", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-migrate-casbin", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 76, - "Content": " image: quay.io/devtron/migrator:ec1dcab8-149-13278", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/migrator:ec1dcab8-149-13278", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 77, - "Content": " securityContext:", - 
"IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33msecurityContext\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 78, - "Content": " allowPrivilegeEscalation: false", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mallowPrivilegeEscalation\u001b[0m: \u001b[38;5;166mfalse", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 79, - "Content": " runAsUser: 1000", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1000", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 80, - "Content": " runAsNonRoot: true", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 81, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 82, - "Content": " - name: SCRIPT_LOCATION", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: SCRIPT_LOCATION", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 83, - "Content": " value: scripts/casbin/", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: scripts/casbin/", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 84, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV003", - "AVDID": "AVD-KSV-0003", - "Title": "Default capabilities: some containers do not drop all", - "Description": "The container should drop all 
default capabilities and add only those that are needed for its execution.", - "Message": "Container 'postgresql-migrate-devtron' of Job 'postgresql-migrate-devtron' should add 'ALL' to 'securityContext.capabilities.drop'", - "Namespace": "builtin.kubernetes.KSV003", - "Query": "data.builtin.kubernetes.KSV003.deny", - "Resolution": "Add 'ALL' to containers[].securityContext.capabilities.drop.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv003", - "References": [ - "https://kubesec.io/basics/containers-securitycontext-capabilities-drop-index-all/", - "https://avd.aquasec.com/misconfig/ksv003" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 24, - "EndLine": 53, - "Code": { - "Lines": [ - { - "Number": 24, - "Content": " - name: postgresql-migrate-devtron", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-migrate-devtron", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 25, - "Content": " image: quay.io/devtron/migrator:ec1dcab8-149-13278", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/migrator:ec1dcab8-149-13278", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 26, - "Content": " securityContext:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33msecurityContext\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 27, - "Content": " allowPrivilegeEscalation: false", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mallowPrivilegeEscalation\u001b[0m: \u001b[38;5;166mfalse", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 28, - "Content": " runAsUser: 1000", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m 
\u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1000", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 29, - "Content": " runAsNonRoot: true", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 30, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 31, - "Content": " - name: GIT_BRANCH", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: GIT_BRANCH", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 32, - "Content": " value: main", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: main", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 33, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV003", - "AVDID": "AVD-KSV-0003", - "Title": "Default capabilities: some containers do not drop all", - "Description": "The container should drop all default capabilities and add only those that are needed for its execution.", - "Message": "Container 'postgresql-migrate-gitsensor' of Job 'postgresql-migrate-gitsensor' should add 'ALL' to 'securityContext.capabilities.drop'", - "Namespace": "builtin.kubernetes.KSV003", - "Query": "data.builtin.kubernetes.KSV003.deny", - "Resolution": "Add 'ALL' to containers[].securityContext.capabilities.drop.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv003", - "References": [ - "https://kubesec.io/basics/containers-securitycontext-capabilities-drop-index-all/", - 
"https://avd.aquasec.com/misconfig/ksv003" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 125, - "EndLine": 154, - "Code": { - "Lines": [ - { - "Number": 125, - "Content": " - name: postgresql-migrate-gitsensor", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-migrate-gitsensor", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 126, - "Content": " image: quay.io/devtron/migrator:ec1dcab8-149-13278", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/migrator:ec1dcab8-149-13278", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 127, - "Content": " securityContext:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33msecurityContext\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 128, - "Content": " allowPrivilegeEscalation: false", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mallowPrivilegeEscalation\u001b[0m: \u001b[38;5;166mfalse", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 129, - "Content": " runAsUser: 1000", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1000", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 130, - "Content": " runAsNonRoot: true", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 131, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - 
{ - "Number": 132, - "Content": " - name: SCRIPT_LOCATION", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: SCRIPT_LOCATION", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 133, - "Content": " value: scripts/sql/", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: scripts/sql/", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 134, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV003", - "AVDID": "AVD-KSV-0003", - "Title": "Default capabilities: some containers do not drop all", - "Description": "The container should drop all default capabilities and add only those that are needed for its execution.", - "Message": "Container 'postgresql-migrate-lens' of Job 'postgresql-migrate-lens' should add 'ALL' to 'securityContext.capabilities.drop'", - "Namespace": "builtin.kubernetes.KSV003", - "Query": "data.builtin.kubernetes.KSV003.deny", - "Resolution": "Add 'ALL' to containers[].securityContext.capabilities.drop.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv003", - "References": [ - "https://kubesec.io/basics/containers-securitycontext-capabilities-drop-index-all/", - "https://avd.aquasec.com/misconfig/ksv003" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 171, - "EndLine": 200, - "Code": { - "Lines": [ - { - "Number": 171, - "Content": " - name: postgresql-migrate-lens", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-migrate-lens", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 172, - "Content": " image: quay.io/devtron/migrator:ec1dcab8-149-13278", - "IsCause": 
true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/migrator:ec1dcab8-149-13278", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 173, - "Content": " securityContext:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33msecurityContext\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 174, - "Content": " allowPrivilegeEscalation: false", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mallowPrivilegeEscalation\u001b[0m: \u001b[38;5;166mfalse", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 175, - "Content": " runAsUser: 1000", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1000", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 176, - "Content": " runAsNonRoot: true", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 177, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 178, - "Content": " - name: SCRIPT_LOCATION", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: SCRIPT_LOCATION", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 179, - "Content": " value: scripts/sql/", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: scripts/sql/", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 180, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": 
false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV003", - "AVDID": "AVD-KSV-0003", - "Title": "Default capabilities: some containers do not drop all", - "Description": "The container should drop all default capabilities and add only those that are needed for its execution.", - "Message": "Container 'postgresql-miscellaneous' of Job 'postgresql-miscellaneous' should add 'ALL' to 'securityContext.capabilities.drop'", - "Namespace": "builtin.kubernetes.KSV003", - "Query": "data.builtin.kubernetes.KSV003.deny", - "Resolution": "Add 'ALL' to containers[].securityContext.capabilities.drop.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv003", - "References": [ - "https://kubesec.io/basics/containers-securitycontext-capabilities-drop-index-all/", - "https://avd.aquasec.com/misconfig/ksv003" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 221, - "EndLine": 241, - "Code": { - "Lines": [ - { - "Number": 221, - "Content": " - name: postgresql-miscellaneous", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-miscellaneous", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 222, - "Content": " image: quay.io/devtron/postgres:11.9", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/postgres:11.9", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 223, - "Content": " securityContext:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33msecurityContext\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 224, - "Content": " allowPrivilegeEscalation: false", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " 
\u001b[38;5;33mallowPrivilegeEscalation\u001b[0m: \u001b[38;5;166mfalse", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 225, - "Content": " runAsUser: 1000", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1000", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 226, - "Content": " runAsNonRoot: true", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 227, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 228, - "Content": " - name: PGPASSWORD", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: PGPASSWORD", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 229, - "Content": " valueFrom:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalueFrom\u001b[0m:", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 230, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV011", - "AVDID": "AVD-KSV-0011", - "Title": "CPU not limited", - "Description": "Enforcing CPU limits prevents DoS via resource exhaustion.", - "Message": "Container 'chart-sync' of CronJob 'app-sync-cronjob' should set 'resources.limits.cpu'", - "Namespace": "builtin.kubernetes.KSV011", - "Query": "data.builtin.kubernetes.KSV011.deny", - "Resolution": "Set a limit value under 'containers[].resources.limits.cpu'.", - "Severity": "LOW", - "PrimaryURL": 
"https://avd.aquasec.com/misconfig/ksv011", - "References": [ - "https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", - "https://avd.aquasec.com/misconfig/ksv011" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 261, - "EndLine": 272, - "Code": { - "Lines": [ - { - "Number": 261, - "Content": " - name: chart-sync", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: chart-sync", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 262, - "Content": " image: quay.io/devtron/chart-sync:d0dcc590-373-21074", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/chart-sync:d0dcc590-373-21074", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 263, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 264, - "Content": " - name: PG_ADDR", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: PG_ADDR", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 265, - "Content": " value: postgresql-postgresql.devtroncd", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: postgresql-postgresql.devtroncd", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 266, - "Content": " - name: PG_DATABASE", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: PG_DATABASE", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 267, - "Content": " value: orchestrator", - "IsCause": true, - "Annotation": "", - "Truncated": false, - 
"Highlighted": " \u001b[38;5;33mvalue\u001b[0m: orchestrator", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 268, - "Content": " - name: PG_USER", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: PG_USER", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 269, - "Content": " value: postgres", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: postgres", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 270, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV011", - "AVDID": "AVD-KSV-0011", - "Title": "CPU not limited", - "Description": "Enforcing CPU limits prevents DoS via resource exhaustion.", - "Message": "Container 'devtron-rollout' of Job 'postgresql-migrate-casbin' should set 'resources.limits.cpu'", - "Namespace": "builtin.kubernetes.KSV011", - "Query": "data.builtin.kubernetes.KSV011.deny", - "Resolution": "Set a limit value under 'containers[].resources.limits.cpu'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv011", - "References": [ - "https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", - "https://avd.aquasec.com/misconfig/ksv011" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 71, - "EndLine": 73, - "Code": { - "Lines": [ - { - "Number": 71, - "Content": " - name: devtron-rollout", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: devtron-rollout", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 72, - "Content": " image: \"quay.io/devtron/kubectl:latest\"", - "IsCause": true, - 
"Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/kubectl:latest\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 73, - "Content": " command: ['sh', '-c', 'kubectl rollout restart deployment/devtron -n devtroncd \u0026\u0026 kubectl rollout restart deployment/kubelink -n devtroncd']", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mcommand\u001b[0m: [\u001b[38;5;37m'sh'\u001b[0m, \u001b[38;5;37m'-c'\u001b[0m, \u001b[38;5;37m'kubectl rollout restart deployment/devtron -n devtroncd \u0026\u0026 kubectl rollout restart deployment/kubelink -n devtroncd'\u001b[0m]", - "FirstCause": false, - "LastCause": true - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV011", - "AVDID": "AVD-KSV-0011", - "Title": "CPU not limited", - "Description": "Enforcing CPU limits prevents DoS via resource exhaustion.", - "Message": "Container 'postgresql-migrate-casbin' of Job 'postgresql-migrate-casbin' should set 'resources.limits.cpu'", - "Namespace": "builtin.kubernetes.KSV011", - "Query": "data.builtin.kubernetes.KSV011.deny", - "Resolution": "Set a limit value under 'containers[].resources.limits.cpu'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv011", - "References": [ - "https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", - "https://avd.aquasec.com/misconfig/ksv011" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 75, - "EndLine": 108, - "Code": { - "Lines": [ - { - "Number": 75, - "Content": " - name: postgresql-migrate-casbin", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-migrate-casbin", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 76, - 
"Content": " image: quay.io/devtron/migrator:ec1dcab8-149-13278", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/migrator:ec1dcab8-149-13278", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 77, - "Content": " securityContext:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33msecurityContext\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 78, - "Content": " allowPrivilegeEscalation: false", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mallowPrivilegeEscalation\u001b[0m: \u001b[38;5;166mfalse", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 79, - "Content": " runAsUser: 1000", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1000", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 80, - "Content": " runAsNonRoot: true", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 81, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 82, - "Content": " - name: SCRIPT_LOCATION", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: SCRIPT_LOCATION", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 83, - "Content": " value: scripts/casbin/", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: scripts/casbin/", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 84, - "Content": "", - 
"IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV011", - "AVDID": "AVD-KSV-0011", - "Title": "CPU not limited", - "Description": "Enforcing CPU limits prevents DoS via resource exhaustion.", - "Message": "Container 'postgresql-migrate-devtron' of Job 'postgresql-migrate-devtron' should set 'resources.limits.cpu'", - "Namespace": "builtin.kubernetes.KSV011", - "Query": "data.builtin.kubernetes.KSV011.deny", - "Resolution": "Set a limit value under 'containers[].resources.limits.cpu'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv011", - "References": [ - "https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", - "https://avd.aquasec.com/misconfig/ksv011" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 24, - "EndLine": 53, - "Code": { - "Lines": [ - { - "Number": 24, - "Content": " - name: postgresql-migrate-devtron", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-migrate-devtron", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 25, - "Content": " image: quay.io/devtron/migrator:ec1dcab8-149-13278", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/migrator:ec1dcab8-149-13278", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 26, - "Content": " securityContext:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33msecurityContext\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 27, - "Content": " allowPrivilegeEscalation: false", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " 
\u001b[38;5;33mallowPrivilegeEscalation\u001b[0m: \u001b[38;5;166mfalse", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 28, - "Content": " runAsUser: 1000", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1000", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 29, - "Content": " runAsNonRoot: true", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 30, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 31, - "Content": " - name: GIT_BRANCH", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: GIT_BRANCH", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 32, - "Content": " value: main", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: main", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 33, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV011", - "AVDID": "AVD-KSV-0011", - "Title": "CPU not limited", - "Description": "Enforcing CPU limits prevents DoS via resource exhaustion.", - "Message": "Container 'postgresql-migrate-gitsensor' of Job 'postgresql-migrate-gitsensor' should set 'resources.limits.cpu'", - "Namespace": "builtin.kubernetes.KSV011", - "Query": "data.builtin.kubernetes.KSV011.deny", - "Resolution": "Set a limit value under 'containers[].resources.limits.cpu'.", - "Severity": "LOW", - "PrimaryURL": 
"https://avd.aquasec.com/misconfig/ksv011", - "References": [ - "https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", - "https://avd.aquasec.com/misconfig/ksv011" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 125, - "EndLine": 154, - "Code": { - "Lines": [ - { - "Number": 125, - "Content": " - name: postgresql-migrate-gitsensor", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-migrate-gitsensor", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 126, - "Content": " image: quay.io/devtron/migrator:ec1dcab8-149-13278", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/migrator:ec1dcab8-149-13278", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 127, - "Content": " securityContext:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33msecurityContext\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 128, - "Content": " allowPrivilegeEscalation: false", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mallowPrivilegeEscalation\u001b[0m: \u001b[38;5;166mfalse", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 129, - "Content": " runAsUser: 1000", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1000", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 130, - "Content": " runAsNonRoot: true", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 131, - 
"Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 132, - "Content": " - name: SCRIPT_LOCATION", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: SCRIPT_LOCATION", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 133, - "Content": " value: scripts/sql/", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: scripts/sql/", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 134, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV011", - "AVDID": "AVD-KSV-0011", - "Title": "CPU not limited", - "Description": "Enforcing CPU limits prevents DoS via resource exhaustion.", - "Message": "Container 'postgresql-migrate-lens' of Job 'postgresql-migrate-lens' should set 'resources.limits.cpu'", - "Namespace": "builtin.kubernetes.KSV011", - "Query": "data.builtin.kubernetes.KSV011.deny", - "Resolution": "Set a limit value under 'containers[].resources.limits.cpu'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv011", - "References": [ - "https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", - "https://avd.aquasec.com/misconfig/ksv011" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 171, - "EndLine": 200, - "Code": { - "Lines": [ - { - "Number": 171, - "Content": " - name: postgresql-migrate-lens", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-migrate-lens", - "FirstCause": true, - 
"LastCause": false - }, - { - "Number": 172, - "Content": " image: quay.io/devtron/migrator:ec1dcab8-149-13278", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/migrator:ec1dcab8-149-13278", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 173, - "Content": " securityContext:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33msecurityContext\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 174, - "Content": " allowPrivilegeEscalation: false", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mallowPrivilegeEscalation\u001b[0m: \u001b[38;5;166mfalse", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 175, - "Content": " runAsUser: 1000", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1000", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 176, - "Content": " runAsNonRoot: true", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 177, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 178, - "Content": " - name: SCRIPT_LOCATION", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: SCRIPT_LOCATION", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 179, - "Content": " value: scripts/sql/", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: scripts/sql/", - "FirstCause": false, - "LastCause": 
true - }, - { - "Number": 180, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV011", - "AVDID": "AVD-KSV-0011", - "Title": "CPU not limited", - "Description": "Enforcing CPU limits prevents DoS via resource exhaustion.", - "Message": "Container 'postgresql-miscellaneous' of Job 'postgresql-miscellaneous' should set 'resources.limits.cpu'", - "Namespace": "builtin.kubernetes.KSV011", - "Query": "data.builtin.kubernetes.KSV011.deny", - "Resolution": "Set a limit value under 'containers[].resources.limits.cpu'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv011", - "References": [ - "https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", - "https://avd.aquasec.com/misconfig/ksv011" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 221, - "EndLine": 241, - "Code": { - "Lines": [ - { - "Number": 221, - "Content": " - name: postgresql-miscellaneous", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-miscellaneous", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 222, - "Content": " image: quay.io/devtron/postgres:11.9", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/postgres:11.9", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 223, - "Content": " securityContext:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33msecurityContext\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 224, - "Content": " allowPrivilegeEscalation: false", - "IsCause": true, - "Annotation": "", - "Truncated": false, - 
"Highlighted": " \u001b[38;5;33mallowPrivilegeEscalation\u001b[0m: \u001b[38;5;166mfalse", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 225, - "Content": " runAsUser: 1000", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1000", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 226, - "Content": " runAsNonRoot: true", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 227, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 228, - "Content": " - name: PGPASSWORD", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: PGPASSWORD", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 229, - "Content": " valueFrom:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalueFrom\u001b[0m:", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 230, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV012", - "AVDID": "AVD-KSV-0012", - "Title": "Runs as root user", - "Description": "Force the running image to run as a non-root user to ensure least privileges.", - "Message": "Container 'chart-sync' of CronJob 'app-sync-cronjob' should set 'securityContext.runAsNonRoot' to true", - "Namespace": "builtin.kubernetes.KSV012", - "Query": "data.builtin.kubernetes.KSV012.deny", - "Resolution": "Set 'containers[].securityContext.runAsNonRoot' to true.", - "Severity": "MEDIUM", - 
"PrimaryURL": "https://avd.aquasec.com/misconfig/ksv012", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", - "https://avd.aquasec.com/misconfig/ksv012" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 261, - "EndLine": 272, - "Code": { - "Lines": [ - { - "Number": 261, - "Content": " - name: chart-sync", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: chart-sync", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 262, - "Content": " image: quay.io/devtron/chart-sync:d0dcc590-373-21074", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/chart-sync:d0dcc590-373-21074", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 263, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 264, - "Content": " - name: PG_ADDR", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: PG_ADDR", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 265, - "Content": " value: postgresql-postgresql.devtroncd", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: postgresql-postgresql.devtroncd", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 266, - "Content": " - name: PG_DATABASE", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: PG_DATABASE", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 267, - "Content": " value: orchestrator", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " 
\u001b[38;5;33mvalue\u001b[0m: orchestrator", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 268, - "Content": " - name: PG_USER", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: PG_USER", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 269, - "Content": " value: postgres", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: postgres", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 270, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV012", - "AVDID": "AVD-KSV-0012", - "Title": "Runs as root user", - "Description": "Force the running image to run as a non-root user to ensure least privileges.", - "Message": "Container 'devtron-rollout' of Job 'postgresql-migrate-casbin' should set 'securityContext.runAsNonRoot' to true", - "Namespace": "builtin.kubernetes.KSV012", - "Query": "data.builtin.kubernetes.KSV012.deny", - "Resolution": "Set 'containers[].securityContext.runAsNonRoot' to true.", - "Severity": "MEDIUM", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv012", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", - "https://avd.aquasec.com/misconfig/ksv012" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 71, - "EndLine": 73, - "Code": { - "Lines": [ - { - "Number": 71, - "Content": " - name: devtron-rollout", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: devtron-rollout", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 72, - "Content": " image: \"quay.io/devtron/kubectl:latest\"", - "IsCause": true, - "Annotation": "", - 
"Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/kubectl:latest\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 73, - "Content": " command: ['sh', '-c', 'kubectl rollout restart deployment/devtron -n devtroncd \u0026\u0026 kubectl rollout restart deployment/kubelink -n devtroncd']", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mcommand\u001b[0m: [\u001b[38;5;37m'sh'\u001b[0m, \u001b[38;5;37m'-c'\u001b[0m, \u001b[38;5;37m'kubectl rollout restart deployment/devtron -n devtroncd \u0026\u0026 kubectl rollout restart deployment/kubelink -n devtroncd'\u001b[0m]", - "FirstCause": false, - "LastCause": true - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV013", - "AVDID": "AVD-KSV-0013", - "Title": "Image tag \":latest\" used", - "Description": "It is best to avoid using the ':latest' image tag when deploying containers in production. Doing so makes it hard to track which version of the image is running, and hard to roll back the version.", - "Message": "Container 'devtron-rollout' of Job 'postgresql-migrate-casbin' should specify an image tag", - "Namespace": "builtin.kubernetes.KSV013", - "Query": "data.builtin.kubernetes.KSV013.deny", - "Resolution": "Use a specific container image tag that is not 'latest'.", - "Severity": "MEDIUM", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv013", - "References": [ - "https://kubernetes.io/docs/concepts/configuration/overview/#container-images", - "https://avd.aquasec.com/misconfig/ksv013" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 71, - "EndLine": 73, - "Code": { - "Lines": [ - { - "Number": 71, - "Content": " - name: devtron-rollout", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: devtron-rollout", - "FirstCause": true, 
- "LastCause": false - }, - { - "Number": 72, - "Content": " image: \"quay.io/devtron/kubectl:latest\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/kubectl:latest\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 73, - "Content": " command: ['sh', '-c', 'kubectl rollout restart deployment/devtron -n devtroncd \u0026\u0026 kubectl rollout restart deployment/kubelink -n devtroncd']", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mcommand\u001b[0m: [\u001b[38;5;37m'sh'\u001b[0m, \u001b[38;5;37m'-c'\u001b[0m, \u001b[38;5;37m'kubectl rollout restart deployment/devtron -n devtroncd \u0026\u0026 kubectl rollout restart deployment/kubelink -n devtroncd'\u001b[0m]", - "FirstCause": false, - "LastCause": true - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV014", - "AVDID": "AVD-KSV-0014", - "Title": "Root file system is not read-only", - "Description": "An immutable root file system prevents applications from writing to their local disk. 
This can limit intrusions, as attackers will not be able to tamper with the file system or write foreign executables to disk.", - "Message": "Container 'chart-sync' of CronJob 'app-sync-cronjob' should set 'securityContext.readOnlyRootFilesystem' to true", - "Namespace": "builtin.kubernetes.KSV014", - "Query": "data.builtin.kubernetes.KSV014.deny", - "Resolution": "Change 'containers[].securityContext.readOnlyRootFilesystem' to 'true'.", - "Severity": "HIGH", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv014", - "References": [ - "https://kubesec.io/basics/containers-securitycontext-readonlyrootfilesystem-true/", - "https://avd.aquasec.com/misconfig/ksv014" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 261, - "EndLine": 272, - "Code": { - "Lines": [ - { - "Number": 261, - "Content": " - name: chart-sync", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: chart-sync", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 262, - "Content": " image: quay.io/devtron/chart-sync:d0dcc590-373-21074", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/chart-sync:d0dcc590-373-21074", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 263, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 264, - "Content": " - name: PG_ADDR", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: PG_ADDR", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 265, - "Content": " value: postgresql-postgresql.devtroncd", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: 
postgresql-postgresql.devtroncd", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 266, - "Content": " - name: PG_DATABASE", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: PG_DATABASE", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 267, - "Content": " value: orchestrator", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: orchestrator", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 268, - "Content": " - name: PG_USER", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: PG_USER", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 269, - "Content": " value: postgres", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: postgres", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 270, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV014", - "AVDID": "AVD-KSV-0014", - "Title": "Root file system is not read-only", - "Description": "An immutable root file system prevents applications from writing to their local disk. 
This can limit intrusions, as attackers will not be able to tamper with the file system or write foreign executables to disk.", - "Message": "Container 'devtron-rollout' of Job 'postgresql-migrate-casbin' should set 'securityContext.readOnlyRootFilesystem' to true", - "Namespace": "builtin.kubernetes.KSV014", - "Query": "data.builtin.kubernetes.KSV014.deny", - "Resolution": "Change 'containers[].securityContext.readOnlyRootFilesystem' to 'true'.", - "Severity": "HIGH", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv014", - "References": [ - "https://kubesec.io/basics/containers-securitycontext-readonlyrootfilesystem-true/", - "https://avd.aquasec.com/misconfig/ksv014" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 71, - "EndLine": 73, - "Code": { - "Lines": [ - { - "Number": 71, - "Content": " - name: devtron-rollout", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: devtron-rollout", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 72, - "Content": " image: \"quay.io/devtron/kubectl:latest\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/kubectl:latest\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 73, - "Content": " command: ['sh', '-c', 'kubectl rollout restart deployment/devtron -n devtroncd \u0026\u0026 kubectl rollout restart deployment/kubelink -n devtroncd']", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mcommand\u001b[0m: [\u001b[38;5;37m'sh'\u001b[0m, \u001b[38;5;37m'-c'\u001b[0m, \u001b[38;5;37m'kubectl rollout restart deployment/devtron -n devtroncd \u0026\u0026 kubectl rollout restart deployment/kubelink -n devtroncd'\u001b[0m]", - "FirstCause": false, - "LastCause": true - } - ] - } - } - }, - { - "Type": 
"Kubernetes Security Check", - "ID": "KSV014", - "AVDID": "AVD-KSV-0014", - "Title": "Root file system is not read-only", - "Description": "An immutable root file system prevents applications from writing to their local disk. This can limit intrusions, as attackers will not be able to tamper with the file system or write foreign executables to disk.", - "Message": "Container 'postgresql-migrate-casbin' of Job 'postgresql-migrate-casbin' should set 'securityContext.readOnlyRootFilesystem' to true", - "Namespace": "builtin.kubernetes.KSV014", - "Query": "data.builtin.kubernetes.KSV014.deny", - "Resolution": "Change 'containers[].securityContext.readOnlyRootFilesystem' to 'true'.", - "Severity": "HIGH", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv014", - "References": [ - "https://kubesec.io/basics/containers-securitycontext-readonlyrootfilesystem-true/", - "https://avd.aquasec.com/misconfig/ksv014" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 75, - "EndLine": 108, - "Code": { - "Lines": [ - { - "Number": 75, - "Content": " - name: postgresql-migrate-casbin", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-migrate-casbin", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 76, - "Content": " image: quay.io/devtron/migrator:ec1dcab8-149-13278", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/migrator:ec1dcab8-149-13278", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 77, - "Content": " securityContext:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33msecurityContext\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 78, - "Content": " allowPrivilegeEscalation: false", - "IsCause": true, - "Annotation": "", - "Truncated": 
false, - "Highlighted": " \u001b[38;5;33mallowPrivilegeEscalation\u001b[0m: \u001b[38;5;166mfalse", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 79, - "Content": " runAsUser: 1000", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1000", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 80, - "Content": " runAsNonRoot: true", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 81, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 82, - "Content": " - name: SCRIPT_LOCATION", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: SCRIPT_LOCATION", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 83, - "Content": " value: scripts/casbin/", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: scripts/casbin/", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 84, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV014", - "AVDID": "AVD-KSV-0014", - "Title": "Root file system is not read-only", - "Description": "An immutable root file system prevents applications from writing to their local disk. 
This can limit intrusions, as attackers will not be able to tamper with the file system or write foreign executables to disk.", - "Message": "Container 'postgresql-migrate-devtron' of Job 'postgresql-migrate-devtron' should set 'securityContext.readOnlyRootFilesystem' to true", - "Namespace": "builtin.kubernetes.KSV014", - "Query": "data.builtin.kubernetes.KSV014.deny", - "Resolution": "Change 'containers[].securityContext.readOnlyRootFilesystem' to 'true'.", - "Severity": "HIGH", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv014", - "References": [ - "https://kubesec.io/basics/containers-securitycontext-readonlyrootfilesystem-true/", - "https://avd.aquasec.com/misconfig/ksv014" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 24, - "EndLine": 53, - "Code": { - "Lines": [ - { - "Number": 24, - "Content": " - name: postgresql-migrate-devtron", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-migrate-devtron", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 25, - "Content": " image: quay.io/devtron/migrator:ec1dcab8-149-13278", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/migrator:ec1dcab8-149-13278", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 26, - "Content": " securityContext:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33msecurityContext\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 27, - "Content": " allowPrivilegeEscalation: false", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mallowPrivilegeEscalation\u001b[0m: \u001b[38;5;166mfalse", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 28, - "Content": " runAsUser: 1000", - "IsCause": true, - 
"Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1000", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 29, - "Content": " runAsNonRoot: true", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 30, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 31, - "Content": " - name: GIT_BRANCH", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: GIT_BRANCH", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 32, - "Content": " value: main", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: main", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 33, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV014", - "AVDID": "AVD-KSV-0014", - "Title": "Root file system is not read-only", - "Description": "An immutable root file system prevents applications from writing to their local disk. 
This can limit intrusions, as attackers will not be able to tamper with the file system or write foreign executables to disk.", - "Message": "Container 'postgresql-migrate-gitsensor' of Job 'postgresql-migrate-gitsensor' should set 'securityContext.readOnlyRootFilesystem' to true", - "Namespace": "builtin.kubernetes.KSV014", - "Query": "data.builtin.kubernetes.KSV014.deny", - "Resolution": "Change 'containers[].securityContext.readOnlyRootFilesystem' to 'true'.", - "Severity": "HIGH", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv014", - "References": [ - "https://kubesec.io/basics/containers-securitycontext-readonlyrootfilesystem-true/", - "https://avd.aquasec.com/misconfig/ksv014" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 125, - "EndLine": 154, - "Code": { - "Lines": [ - { - "Number": 125, - "Content": " - name: postgresql-migrate-gitsensor", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-migrate-gitsensor", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 126, - "Content": " image: quay.io/devtron/migrator:ec1dcab8-149-13278", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/migrator:ec1dcab8-149-13278", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 127, - "Content": " securityContext:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33msecurityContext\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 128, - "Content": " allowPrivilegeEscalation: false", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mallowPrivilegeEscalation\u001b[0m: \u001b[38;5;166mfalse", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 129, - "Content": " runAsUser: 1000", - 
"IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1000", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 130, - "Content": " runAsNonRoot: true", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 131, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 132, - "Content": " - name: SCRIPT_LOCATION", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: SCRIPT_LOCATION", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 133, - "Content": " value: scripts/sql/", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: scripts/sql/", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 134, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV014", - "AVDID": "AVD-KSV-0014", - "Title": "Root file system is not read-only", - "Description": "An immutable root file system prevents applications from writing to their local disk. 
This can limit intrusions, as attackers will not be able to tamper with the file system or write foreign executables to disk.", - "Message": "Container 'postgresql-migrate-lens' of Job 'postgresql-migrate-lens' should set 'securityContext.readOnlyRootFilesystem' to true", - "Namespace": "builtin.kubernetes.KSV014", - "Query": "data.builtin.kubernetes.KSV014.deny", - "Resolution": "Change 'containers[].securityContext.readOnlyRootFilesystem' to 'true'.", - "Severity": "HIGH", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv014", - "References": [ - "https://kubesec.io/basics/containers-securitycontext-readonlyrootfilesystem-true/", - "https://avd.aquasec.com/misconfig/ksv014" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 171, - "EndLine": 200, - "Code": { - "Lines": [ - { - "Number": 171, - "Content": " - name: postgresql-migrate-lens", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-migrate-lens", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 172, - "Content": " image: quay.io/devtron/migrator:ec1dcab8-149-13278", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/migrator:ec1dcab8-149-13278", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 173, - "Content": " securityContext:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33msecurityContext\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 174, - "Content": " allowPrivilegeEscalation: false", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mallowPrivilegeEscalation\u001b[0m: \u001b[38;5;166mfalse", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 175, - "Content": " runAsUser: 1000", - "IsCause": true, - 
"Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1000", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 176, - "Content": " runAsNonRoot: true", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 177, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 178, - "Content": " - name: SCRIPT_LOCATION", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: SCRIPT_LOCATION", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 179, - "Content": " value: scripts/sql/", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: scripts/sql/", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 180, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV014", - "AVDID": "AVD-KSV-0014", - "Title": "Root file system is not read-only", - "Description": "An immutable root file system prevents applications from writing to their local disk. 
This can limit intrusions, as attackers will not be able to tamper with the file system or write foreign executables to disk.", - "Message": "Container 'postgresql-miscellaneous' of Job 'postgresql-miscellaneous' should set 'securityContext.readOnlyRootFilesystem' to true", - "Namespace": "builtin.kubernetes.KSV014", - "Query": "data.builtin.kubernetes.KSV014.deny", - "Resolution": "Change 'containers[].securityContext.readOnlyRootFilesystem' to 'true'.", - "Severity": "HIGH", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv014", - "References": [ - "https://kubesec.io/basics/containers-securitycontext-readonlyrootfilesystem-true/", - "https://avd.aquasec.com/misconfig/ksv014" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 221, - "EndLine": 241, - "Code": { - "Lines": [ - { - "Number": 221, - "Content": " - name: postgresql-miscellaneous", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-miscellaneous", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 222, - "Content": " image: quay.io/devtron/postgres:11.9", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/postgres:11.9", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 223, - "Content": " securityContext:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33msecurityContext\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 224, - "Content": " allowPrivilegeEscalation: false", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mallowPrivilegeEscalation\u001b[0m: \u001b[38;5;166mfalse", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 225, - "Content": " runAsUser: 1000", - "IsCause": true, - "Annotation": "", - 
"Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1000", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 226, - "Content": " runAsNonRoot: true", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 227, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 228, - "Content": " - name: PGPASSWORD", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: PGPASSWORD", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 229, - "Content": " valueFrom:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalueFrom\u001b[0m:", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 230, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV015", - "AVDID": "AVD-KSV-0015", - "Title": "CPU requests not specified", - "Description": "When containers have resource requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", - "Message": "Container 'chart-sync' of CronJob 'app-sync-cronjob' should set 'resources.requests.cpu'", - "Namespace": "builtin.kubernetes.KSV015", - "Query": "data.builtin.kubernetes.KSV015.deny", - "Resolution": "Set 'containers[].resources.requests.cpu'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv015", - "References": [ - 
"https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", - "https://avd.aquasec.com/misconfig/ksv015" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 261, - "EndLine": 272, - "Code": { - "Lines": [ - { - "Number": 261, - "Content": " - name: chart-sync", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: chart-sync", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 262, - "Content": " image: quay.io/devtron/chart-sync:d0dcc590-373-21074", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/chart-sync:d0dcc590-373-21074", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 263, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 264, - "Content": " - name: PG_ADDR", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: PG_ADDR", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 265, - "Content": " value: postgresql-postgresql.devtroncd", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: postgresql-postgresql.devtroncd", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 266, - "Content": " - name: PG_DATABASE", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: PG_DATABASE", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 267, - "Content": " value: orchestrator", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: orchestrator", - 
"FirstCause": false, - "LastCause": false - }, - { - "Number": 268, - "Content": " - name: PG_USER", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: PG_USER", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 269, - "Content": " value: postgres", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: postgres", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 270, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV015", - "AVDID": "AVD-KSV-0015", - "Title": "CPU requests not specified", - "Description": "When containers have resource requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", - "Message": "Container 'devtron-rollout' of Job 'postgresql-migrate-casbin' should set 'resources.requests.cpu'", - "Namespace": "builtin.kubernetes.KSV015", - "Query": "data.builtin.kubernetes.KSV015.deny", - "Resolution": "Set 'containers[].resources.requests.cpu'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv015", - "References": [ - "https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", - "https://avd.aquasec.com/misconfig/ksv015" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 71, - "EndLine": 73, - "Code": { - "Lines": [ - { - "Number": 71, - "Content": " - name: devtron-rollout", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: devtron-rollout", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 72, - "Content": " image: 
\"quay.io/devtron/kubectl:latest\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/kubectl:latest\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 73, - "Content": " command: ['sh', '-c', 'kubectl rollout restart deployment/devtron -n devtroncd \u0026\u0026 kubectl rollout restart deployment/kubelink -n devtroncd']", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mcommand\u001b[0m: [\u001b[38;5;37m'sh'\u001b[0m, \u001b[38;5;37m'-c'\u001b[0m, \u001b[38;5;37m'kubectl rollout restart deployment/devtron -n devtroncd \u0026\u0026 kubectl rollout restart deployment/kubelink -n devtroncd'\u001b[0m]", - "FirstCause": false, - "LastCause": true - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV015", - "AVDID": "AVD-KSV-0015", - "Title": "CPU requests not specified", - "Description": "When containers have resource requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", - "Message": "Container 'postgresql-migrate-devtron' of Job 'postgresql-migrate-devtron' should set 'resources.requests.cpu'", - "Namespace": "builtin.kubernetes.KSV015", - "Query": "data.builtin.kubernetes.KSV015.deny", - "Resolution": "Set 'containers[].resources.requests.cpu'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv015", - "References": [ - "https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", - "https://avd.aquasec.com/misconfig/ksv015" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 24, - "EndLine": 53, - "Code": { - "Lines": [ - { - "Number": 24, - "Content": " - name: postgresql-migrate-devtron", - "IsCause": true, - "Annotation": "", - 
"Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-migrate-devtron", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 25, - "Content": " image: quay.io/devtron/migrator:ec1dcab8-149-13278", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/migrator:ec1dcab8-149-13278", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 26, - "Content": " securityContext:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33msecurityContext\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 27, - "Content": " allowPrivilegeEscalation: false", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mallowPrivilegeEscalation\u001b[0m: \u001b[38;5;166mfalse", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 28, - "Content": " runAsUser: 1000", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1000", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 29, - "Content": " runAsNonRoot: true", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 30, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 31, - "Content": " - name: GIT_BRANCH", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: GIT_BRANCH", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 32, - "Content": " value: main", - "IsCause": true, - "Annotation": "", - "Truncated": false, - 
"Highlighted": " \u001b[38;5;33mvalue\u001b[0m: main", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 33, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV015", - "AVDID": "AVD-KSV-0015", - "Title": "CPU requests not specified", - "Description": "When containers have resource requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", - "Message": "Container 'postgresql-migrate-gitsensor' of Job 'postgresql-migrate-gitsensor' should set 'resources.requests.cpu'", - "Namespace": "builtin.kubernetes.KSV015", - "Query": "data.builtin.kubernetes.KSV015.deny", - "Resolution": "Set 'containers[].resources.requests.cpu'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv015", - "References": [ - "https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", - "https://avd.aquasec.com/misconfig/ksv015" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 125, - "EndLine": 154, - "Code": { - "Lines": [ - { - "Number": 125, - "Content": " - name: postgresql-migrate-gitsensor", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-migrate-gitsensor", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 126, - "Content": " image: quay.io/devtron/migrator:ec1dcab8-149-13278", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/migrator:ec1dcab8-149-13278", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 127, - "Content": " securityContext:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - 
"Highlighted": " \u001b[38;5;33msecurityContext\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 128, - "Content": " allowPrivilegeEscalation: false", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mallowPrivilegeEscalation\u001b[0m: \u001b[38;5;166mfalse", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 129, - "Content": " runAsUser: 1000", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1000", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 130, - "Content": " runAsNonRoot: true", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 131, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 132, - "Content": " - name: SCRIPT_LOCATION", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: SCRIPT_LOCATION", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 133, - "Content": " value: scripts/sql/", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: scripts/sql/", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 134, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV015", - "AVDID": "AVD-KSV-0015", - "Title": "CPU requests not specified", - "Description": "When containers have resource requests specified, the scheduler can make better decisions about which nodes to place 
pods on, and how to deal with resource contention.", - "Message": "Container 'postgresql-migrate-lens' of Job 'postgresql-migrate-lens' should set 'resources.requests.cpu'", - "Namespace": "builtin.kubernetes.KSV015", - "Query": "data.builtin.kubernetes.KSV015.deny", - "Resolution": "Set 'containers[].resources.requests.cpu'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv015", - "References": [ - "https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", - "https://avd.aquasec.com/misconfig/ksv015" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 171, - "EndLine": 200, - "Code": { - "Lines": [ - { - "Number": 171, - "Content": " - name: postgresql-migrate-lens", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-migrate-lens", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 172, - "Content": " image: quay.io/devtron/migrator:ec1dcab8-149-13278", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/migrator:ec1dcab8-149-13278", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 173, - "Content": " securityContext:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33msecurityContext\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 174, - "Content": " allowPrivilegeEscalation: false", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mallowPrivilegeEscalation\u001b[0m: \u001b[38;5;166mfalse", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 175, - "Content": " runAsUser: 1000", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: 
\u001b[38;5;37m1000", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 176, - "Content": " runAsNonRoot: true", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 177, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 178, - "Content": " - name: SCRIPT_LOCATION", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: SCRIPT_LOCATION", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 179, - "Content": " value: scripts/sql/", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: scripts/sql/", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 180, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV015", - "AVDID": "AVD-KSV-0015", - "Title": "CPU requests not specified", - "Description": "When containers have resource requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", - "Message": "Container 'postgresql-miscellaneous' of Job 'postgresql-miscellaneous' should set 'resources.requests.cpu'", - "Namespace": "builtin.kubernetes.KSV015", - "Query": "data.builtin.kubernetes.KSV015.deny", - "Resolution": "Set 'containers[].resources.requests.cpu'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv015", - "References": [ - "https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", - 
"https://avd.aquasec.com/misconfig/ksv015" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 221, - "EndLine": 241, - "Code": { - "Lines": [ - { - "Number": 221, - "Content": " - name: postgresql-miscellaneous", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-miscellaneous", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 222, - "Content": " image: quay.io/devtron/postgres:11.9", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/postgres:11.9", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 223, - "Content": " securityContext:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33msecurityContext\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 224, - "Content": " allowPrivilegeEscalation: false", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mallowPrivilegeEscalation\u001b[0m: \u001b[38;5;166mfalse", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 225, - "Content": " runAsUser: 1000", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1000", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 226, - "Content": " runAsNonRoot: true", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 227, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 228, - "Content": " - 
name: PGPASSWORD", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: PGPASSWORD", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 229, - "Content": " valueFrom:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalueFrom\u001b[0m:", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 230, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV016", - "AVDID": "AVD-KSV-0016", - "Title": "Memory requests not specified", - "Description": "When containers have memory requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", - "Message": "Container 'chart-sync' of CronJob 'app-sync-cronjob' should set 'resources.requests.memory'", - "Namespace": "builtin.kubernetes.KSV016", - "Query": "data.builtin.kubernetes.KSV016.deny", - "Resolution": "Set 'containers[].resources.requests.memory'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv016", - "References": [ - "https://kubesec.io/basics/containers-resources-limits-memory/", - "https://avd.aquasec.com/misconfig/ksv016" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 261, - "EndLine": 272, - "Code": { - "Lines": [ - { - "Number": 261, - "Content": " - name: chart-sync", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: chart-sync", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 262, - "Content": " image: quay.io/devtron/chart-sync:d0dcc590-373-21074", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: 
quay.io/devtron/chart-sync:d0dcc590-373-21074", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 263, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 264, - "Content": " - name: PG_ADDR", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: PG_ADDR", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 265, - "Content": " value: postgresql-postgresql.devtroncd", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: postgresql-postgresql.devtroncd", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 266, - "Content": " - name: PG_DATABASE", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: PG_DATABASE", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 267, - "Content": " value: orchestrator", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: orchestrator", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 268, - "Content": " - name: PG_USER", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: PG_USER", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 269, - "Content": " value: postgres", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: postgres", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 270, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV016", - "AVDID": "AVD-KSV-0016", - "Title": "Memory requests not 
specified", - "Description": "When containers have memory requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", - "Message": "Container 'devtron-rollout' of Job 'postgresql-migrate-casbin' should set 'resources.requests.memory'", - "Namespace": "builtin.kubernetes.KSV016", - "Query": "data.builtin.kubernetes.KSV016.deny", - "Resolution": "Set 'containers[].resources.requests.memory'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv016", - "References": [ - "https://kubesec.io/basics/containers-resources-limits-memory/", - "https://avd.aquasec.com/misconfig/ksv016" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 71, - "EndLine": 73, - "Code": { - "Lines": [ - { - "Number": 71, - "Content": " - name: devtron-rollout", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: devtron-rollout", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 72, - "Content": " image: \"quay.io/devtron/kubectl:latest\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/kubectl:latest\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 73, - "Content": " command: ['sh', '-c', 'kubectl rollout restart deployment/devtron -n devtroncd \u0026\u0026 kubectl rollout restart deployment/kubelink -n devtroncd']", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mcommand\u001b[0m: [\u001b[38;5;37m'sh'\u001b[0m, \u001b[38;5;37m'-c'\u001b[0m, \u001b[38;5;37m'kubectl rollout restart deployment/devtron -n devtroncd \u0026\u0026 kubectl rollout restart deployment/kubelink -n devtroncd'\u001b[0m]", - "FirstCause": false, - "LastCause": true - } - ] - } - } - }, - { - "Type": 
"Kubernetes Security Check", - "ID": "KSV016", - "AVDID": "AVD-KSV-0016", - "Title": "Memory requests not specified", - "Description": "When containers have memory requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", - "Message": "Container 'postgresql-migrate-devtron' of Job 'postgresql-migrate-devtron' should set 'resources.requests.memory'", - "Namespace": "builtin.kubernetes.KSV016", - "Query": "data.builtin.kubernetes.KSV016.deny", - "Resolution": "Set 'containers[].resources.requests.memory'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv016", - "References": [ - "https://kubesec.io/basics/containers-resources-limits-memory/", - "https://avd.aquasec.com/misconfig/ksv016" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 24, - "EndLine": 53, - "Code": { - "Lines": [ - { - "Number": 24, - "Content": " - name: postgresql-migrate-devtron", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-migrate-devtron", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 25, - "Content": " image: quay.io/devtron/migrator:ec1dcab8-149-13278", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/migrator:ec1dcab8-149-13278", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 26, - "Content": " securityContext:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33msecurityContext\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 27, - "Content": " allowPrivilegeEscalation: false", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mallowPrivilegeEscalation\u001b[0m: \u001b[38;5;166mfalse", - "FirstCause": 
false, - "LastCause": false - }, - { - "Number": 28, - "Content": " runAsUser: 1000", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1000", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 29, - "Content": " runAsNonRoot: true", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 30, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 31, - "Content": " - name: GIT_BRANCH", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: GIT_BRANCH", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 32, - "Content": " value: main", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: main", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 33, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV016", - "AVDID": "AVD-KSV-0016", - "Title": "Memory requests not specified", - "Description": "When containers have memory requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", - "Message": "Container 'postgresql-migrate-gitsensor' of Job 'postgresql-migrate-gitsensor' should set 'resources.requests.memory'", - "Namespace": "builtin.kubernetes.KSV016", - "Query": "data.builtin.kubernetes.KSV016.deny", - "Resolution": "Set 'containers[].resources.requests.memory'.", - "Severity": "LOW", - 
"PrimaryURL": "https://avd.aquasec.com/misconfig/ksv016", - "References": [ - "https://kubesec.io/basics/containers-resources-limits-memory/", - "https://avd.aquasec.com/misconfig/ksv016" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 125, - "EndLine": 154, - "Code": { - "Lines": [ - { - "Number": 125, - "Content": " - name: postgresql-migrate-gitsensor", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-migrate-gitsensor", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 126, - "Content": " image: quay.io/devtron/migrator:ec1dcab8-149-13278", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/migrator:ec1dcab8-149-13278", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 127, - "Content": " securityContext:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33msecurityContext\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 128, - "Content": " allowPrivilegeEscalation: false", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mallowPrivilegeEscalation\u001b[0m: \u001b[38;5;166mfalse", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 129, - "Content": " runAsUser: 1000", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1000", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 130, - "Content": " runAsNonRoot: true", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 131, - "Content": " env:", - "IsCause": true, - 
"Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 132, - "Content": " - name: SCRIPT_LOCATION", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: SCRIPT_LOCATION", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 133, - "Content": " value: scripts/sql/", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: scripts/sql/", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 134, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV016", - "AVDID": "AVD-KSV-0016", - "Title": "Memory requests not specified", - "Description": "When containers have memory requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", - "Message": "Container 'postgresql-migrate-lens' of Job 'postgresql-migrate-lens' should set 'resources.requests.memory'", - "Namespace": "builtin.kubernetes.KSV016", - "Query": "data.builtin.kubernetes.KSV016.deny", - "Resolution": "Set 'containers[].resources.requests.memory'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv016", - "References": [ - "https://kubesec.io/basics/containers-resources-limits-memory/", - "https://avd.aquasec.com/misconfig/ksv016" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 171, - "EndLine": 200, - "Code": { - "Lines": [ - { - "Number": 171, - "Content": " - name: postgresql-migrate-lens", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-migrate-lens", - "FirstCause": 
true, - "LastCause": false - }, - { - "Number": 172, - "Content": " image: quay.io/devtron/migrator:ec1dcab8-149-13278", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/migrator:ec1dcab8-149-13278", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 173, - "Content": " securityContext:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33msecurityContext\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 174, - "Content": " allowPrivilegeEscalation: false", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mallowPrivilegeEscalation\u001b[0m: \u001b[38;5;166mfalse", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 175, - "Content": " runAsUser: 1000", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1000", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 176, - "Content": " runAsNonRoot: true", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 177, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 178, - "Content": " - name: SCRIPT_LOCATION", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: SCRIPT_LOCATION", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 179, - "Content": " value: scripts/sql/", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: scripts/sql/", - "FirstCause": false, - 
"LastCause": true - }, - { - "Number": 180, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV016", - "AVDID": "AVD-KSV-0016", - "Title": "Memory requests not specified", - "Description": "When containers have memory requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", - "Message": "Container 'postgresql-miscellaneous' of Job 'postgresql-miscellaneous' should set 'resources.requests.memory'", - "Namespace": "builtin.kubernetes.KSV016", - "Query": "data.builtin.kubernetes.KSV016.deny", - "Resolution": "Set 'containers[].resources.requests.memory'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv016", - "References": [ - "https://kubesec.io/basics/containers-resources-limits-memory/", - "https://avd.aquasec.com/misconfig/ksv016" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 221, - "EndLine": 241, - "Code": { - "Lines": [ - { - "Number": 221, - "Content": " - name: postgresql-miscellaneous", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-miscellaneous", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 222, - "Content": " image: quay.io/devtron/postgres:11.9", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/postgres:11.9", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 223, - "Content": " securityContext:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33msecurityContext\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 224, - "Content": " allowPrivilegeEscalation: false", 
- "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mallowPrivilegeEscalation\u001b[0m: \u001b[38;5;166mfalse", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 225, - "Content": " runAsUser: 1000", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1000", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 226, - "Content": " runAsNonRoot: true", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 227, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 228, - "Content": " - name: PGPASSWORD", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: PGPASSWORD", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 229, - "Content": " valueFrom:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalueFrom\u001b[0m:", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 230, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV018", - "AVDID": "AVD-KSV-0018", - "Title": "Memory not limited", - "Description": "Enforcing memory limits prevents DoS via resource exhaustion.", - "Message": "Container 'chart-sync' of CronJob 'app-sync-cronjob' should set 'resources.limits.memory'", - "Namespace": "builtin.kubernetes.KSV018", - "Query": "data.builtin.kubernetes.KSV018.deny", - "Resolution": "Set a limit value under 
'containers[].resources.limits.memory'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv018", - "References": [ - "https://kubesec.io/basics/containers-resources-limits-memory/", - "https://avd.aquasec.com/misconfig/ksv018" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 261, - "EndLine": 272, - "Code": { - "Lines": [ - { - "Number": 261, - "Content": " - name: chart-sync", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: chart-sync", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 262, - "Content": " image: quay.io/devtron/chart-sync:d0dcc590-373-21074", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/chart-sync:d0dcc590-373-21074", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 263, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 264, - "Content": " - name: PG_ADDR", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: PG_ADDR", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 265, - "Content": " value: postgresql-postgresql.devtroncd", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: postgresql-postgresql.devtroncd", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 266, - "Content": " - name: PG_DATABASE", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: PG_DATABASE", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 267, - "Content": " value: orchestrator", - "IsCause": true, - "Annotation": "", - 
"Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: orchestrator", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 268, - "Content": " - name: PG_USER", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: PG_USER", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 269, - "Content": " value: postgres", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: postgres", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 270, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV018", - "AVDID": "AVD-KSV-0018", - "Title": "Memory not limited", - "Description": "Enforcing memory limits prevents DoS via resource exhaustion.", - "Message": "Container 'devtron-rollout' of Job 'postgresql-migrate-casbin' should set 'resources.limits.memory'", - "Namespace": "builtin.kubernetes.KSV018", - "Query": "data.builtin.kubernetes.KSV018.deny", - "Resolution": "Set a limit value under 'containers[].resources.limits.memory'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv018", - "References": [ - "https://kubesec.io/basics/containers-resources-limits-memory/", - "https://avd.aquasec.com/misconfig/ksv018" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 71, - "EndLine": 73, - "Code": { - "Lines": [ - { - "Number": 71, - "Content": " - name: devtron-rollout", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: devtron-rollout", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 72, - "Content": " image: \"quay.io/devtron/kubectl:latest\"", - "IsCause": true, - "Annotation": "", - "Truncated": 
false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/kubectl:latest\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 73, - "Content": " command: ['sh', '-c', 'kubectl rollout restart deployment/devtron -n devtroncd \u0026\u0026 kubectl rollout restart deployment/kubelink -n devtroncd']", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mcommand\u001b[0m: [\u001b[38;5;37m'sh'\u001b[0m, \u001b[38;5;37m'-c'\u001b[0m, \u001b[38;5;37m'kubectl rollout restart deployment/devtron -n devtroncd \u0026\u0026 kubectl rollout restart deployment/kubelink -n devtroncd'\u001b[0m]", - "FirstCause": false, - "LastCause": true - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV018", - "AVDID": "AVD-KSV-0018", - "Title": "Memory not limited", - "Description": "Enforcing memory limits prevents DoS via resource exhaustion.", - "Message": "Container 'postgresql-migrate-casbin' of Job 'postgresql-migrate-casbin' should set 'resources.limits.memory'", - "Namespace": "builtin.kubernetes.KSV018", - "Query": "data.builtin.kubernetes.KSV018.deny", - "Resolution": "Set a limit value under 'containers[].resources.limits.memory'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv018", - "References": [ - "https://kubesec.io/basics/containers-resources-limits-memory/", - "https://avd.aquasec.com/misconfig/ksv018" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 75, - "EndLine": 108, - "Code": { - "Lines": [ - { - "Number": 75, - "Content": " - name: postgresql-migrate-casbin", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-migrate-casbin", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 76, - "Content": " image: quay.io/devtron/migrator:ec1dcab8-149-13278", - "IsCause": 
true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/migrator:ec1dcab8-149-13278", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 77, - "Content": " securityContext:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33msecurityContext\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 78, - "Content": " allowPrivilegeEscalation: false", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mallowPrivilegeEscalation\u001b[0m: \u001b[38;5;166mfalse", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 79, - "Content": " runAsUser: 1000", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1000", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 80, - "Content": " runAsNonRoot: true", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 81, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 82, - "Content": " - name: SCRIPT_LOCATION", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: SCRIPT_LOCATION", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 83, - "Content": " value: scripts/casbin/", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: scripts/casbin/", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 84, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": 
false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV018", - "AVDID": "AVD-KSV-0018", - "Title": "Memory not limited", - "Description": "Enforcing memory limits prevents DoS via resource exhaustion.", - "Message": "Container 'postgresql-migrate-devtron' of Job 'postgresql-migrate-devtron' should set 'resources.limits.memory'", - "Namespace": "builtin.kubernetes.KSV018", - "Query": "data.builtin.kubernetes.KSV018.deny", - "Resolution": "Set a limit value under 'containers[].resources.limits.memory'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv018", - "References": [ - "https://kubesec.io/basics/containers-resources-limits-memory/", - "https://avd.aquasec.com/misconfig/ksv018" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 24, - "EndLine": 53, - "Code": { - "Lines": [ - { - "Number": 24, - "Content": " - name: postgresql-migrate-devtron", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-migrate-devtron", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 25, - "Content": " image: quay.io/devtron/migrator:ec1dcab8-149-13278", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/migrator:ec1dcab8-149-13278", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 26, - "Content": " securityContext:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33msecurityContext\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 27, - "Content": " allowPrivilegeEscalation: false", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mallowPrivilegeEscalation\u001b[0m: \u001b[38;5;166mfalse", - "FirstCause": false, - "LastCause": false - }, - { 
- "Number": 28, - "Content": " runAsUser: 1000", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1000", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 29, - "Content": " runAsNonRoot: true", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 30, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 31, - "Content": " - name: GIT_BRANCH", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: GIT_BRANCH", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 32, - "Content": " value: main", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: main", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 33, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV018", - "AVDID": "AVD-KSV-0018", - "Title": "Memory not limited", - "Description": "Enforcing memory limits prevents DoS via resource exhaustion.", - "Message": "Container 'postgresql-migrate-gitsensor' of Job 'postgresql-migrate-gitsensor' should set 'resources.limits.memory'", - "Namespace": "builtin.kubernetes.KSV018", - "Query": "data.builtin.kubernetes.KSV018.deny", - "Resolution": "Set a limit value under 'containers[].resources.limits.memory'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv018", - "References": [ - "https://kubesec.io/basics/containers-resources-limits-memory/", - 
"https://avd.aquasec.com/misconfig/ksv018" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 125, - "EndLine": 154, - "Code": { - "Lines": [ - { - "Number": 125, - "Content": " - name: postgresql-migrate-gitsensor", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-migrate-gitsensor", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 126, - "Content": " image: quay.io/devtron/migrator:ec1dcab8-149-13278", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/migrator:ec1dcab8-149-13278", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 127, - "Content": " securityContext:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33msecurityContext\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 128, - "Content": " allowPrivilegeEscalation: false", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mallowPrivilegeEscalation\u001b[0m: \u001b[38;5;166mfalse", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 129, - "Content": " runAsUser: 1000", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1000", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 130, - "Content": " runAsNonRoot: true", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 131, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - 
{ - "Number": 132, - "Content": " - name: SCRIPT_LOCATION", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: SCRIPT_LOCATION", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 133, - "Content": " value: scripts/sql/", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: scripts/sql/", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 134, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV018", - "AVDID": "AVD-KSV-0018", - "Title": "Memory not limited", - "Description": "Enforcing memory limits prevents DoS via resource exhaustion.", - "Message": "Container 'postgresql-migrate-lens' of Job 'postgresql-migrate-lens' should set 'resources.limits.memory'", - "Namespace": "builtin.kubernetes.KSV018", - "Query": "data.builtin.kubernetes.KSV018.deny", - "Resolution": "Set a limit value under 'containers[].resources.limits.memory'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv018", - "References": [ - "https://kubesec.io/basics/containers-resources-limits-memory/", - "https://avd.aquasec.com/misconfig/ksv018" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 171, - "EndLine": 200, - "Code": { - "Lines": [ - { - "Number": 171, - "Content": " - name: postgresql-migrate-lens", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-migrate-lens", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 172, - "Content": " image: quay.io/devtron/migrator:ec1dcab8-149-13278", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: 
quay.io/devtron/migrator:ec1dcab8-149-13278", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 173, - "Content": " securityContext:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33msecurityContext\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 174, - "Content": " allowPrivilegeEscalation: false", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mallowPrivilegeEscalation\u001b[0m: \u001b[38;5;166mfalse", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 175, - "Content": " runAsUser: 1000", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1000", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 176, - "Content": " runAsNonRoot: true", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 177, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 178, - "Content": " - name: SCRIPT_LOCATION", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: SCRIPT_LOCATION", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 179, - "Content": " value: scripts/sql/", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: scripts/sql/", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 180, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": 
"KSV018", - "AVDID": "AVD-KSV-0018", - "Title": "Memory not limited", - "Description": "Enforcing memory limits prevents DoS via resource exhaustion.", - "Message": "Container 'postgresql-miscellaneous' of Job 'postgresql-miscellaneous' should set 'resources.limits.memory'", - "Namespace": "builtin.kubernetes.KSV018", - "Query": "data.builtin.kubernetes.KSV018.deny", - "Resolution": "Set a limit value under 'containers[].resources.limits.memory'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv018", - "References": [ - "https://kubesec.io/basics/containers-resources-limits-memory/", - "https://avd.aquasec.com/misconfig/ksv018" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 221, - "EndLine": 241, - "Code": { - "Lines": [ - { - "Number": 221, - "Content": " - name: postgresql-miscellaneous", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-miscellaneous", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 222, - "Content": " image: quay.io/devtron/postgres:11.9", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/postgres:11.9", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 223, - "Content": " securityContext:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33msecurityContext\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 224, - "Content": " allowPrivilegeEscalation: false", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mallowPrivilegeEscalation\u001b[0m: \u001b[38;5;166mfalse", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 225, - "Content": " runAsUser: 1000", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": 
"\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1000", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 226, - "Content": " runAsNonRoot: true", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 227, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 228, - "Content": " - name: PGPASSWORD", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: PGPASSWORD", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 229, - "Content": " valueFrom:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalueFrom\u001b[0m:", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 230, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV020", - "AVDID": "AVD-KSV-0020", - "Title": "Runs with UID \u003c= 10000", - "Description": "Force the container to run with user ID \u003e 10000 to avoid conflicts with the host’s user table.", - "Message": "Container 'chart-sync' of CronJob 'app-sync-cronjob' should set 'securityContext.runAsUser' \u003e 10000", - "Namespace": "builtin.kubernetes.KSV020", - "Query": "data.builtin.kubernetes.KSV020.deny", - "Resolution": "Set 'containers[].securityContext.runAsUser' to an integer \u003e 10000.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv020", - "References": [ - "https://kubesec.io/basics/containers-securitycontext-runasuser/", - "https://avd.aquasec.com/misconfig/ksv020" - ], - "Status": "FAIL", - "Layer": 
{}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 261, - "EndLine": 272, - "Code": { - "Lines": [ - { - "Number": 261, - "Content": " - name: chart-sync", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: chart-sync", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 262, - "Content": " image: quay.io/devtron/chart-sync:d0dcc590-373-21074", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/chart-sync:d0dcc590-373-21074", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 263, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 264, - "Content": " - name: PG_ADDR", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: PG_ADDR", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 265, - "Content": " value: postgresql-postgresql.devtroncd", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: postgresql-postgresql.devtroncd", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 266, - "Content": " - name: PG_DATABASE", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: PG_DATABASE", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 267, - "Content": " value: orchestrator", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: orchestrator", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 268, - "Content": " - name: PG_USER", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: 
PG_USER", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 269, - "Content": " value: postgres", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: postgres", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 270, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV020", - "AVDID": "AVD-KSV-0020", - "Title": "Runs with UID \u003c= 10000", - "Description": "Force the container to run with user ID \u003e 10000 to avoid conflicts with the host’s user table.", - "Message": "Container 'devtron-rollout' of Job 'postgresql-migrate-casbin' should set 'securityContext.runAsUser' \u003e 10000", - "Namespace": "builtin.kubernetes.KSV020", - "Query": "data.builtin.kubernetes.KSV020.deny", - "Resolution": "Set 'containers[].securityContext.runAsUser' to an integer \u003e 10000.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv020", - "References": [ - "https://kubesec.io/basics/containers-securitycontext-runasuser/", - "https://avd.aquasec.com/misconfig/ksv020" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 71, - "EndLine": 73, - "Code": { - "Lines": [ - { - "Number": 71, - "Content": " - name: devtron-rollout", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: devtron-rollout", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 72, - "Content": " image: \"quay.io/devtron/kubectl:latest\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/kubectl:latest\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 73, - "Content": " command: ['sh', '-c', 'kubectl 
rollout restart deployment/devtron -n devtroncd \u0026\u0026 kubectl rollout restart deployment/kubelink -n devtroncd']", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mcommand\u001b[0m: [\u001b[38;5;37m'sh'\u001b[0m, \u001b[38;5;37m'-c'\u001b[0m, \u001b[38;5;37m'kubectl rollout restart deployment/devtron -n devtroncd \u0026\u0026 kubectl rollout restart deployment/kubelink -n devtroncd'\u001b[0m]", - "FirstCause": false, - "LastCause": true - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV020", - "AVDID": "AVD-KSV-0020", - "Title": "Runs with UID \u003c= 10000", - "Description": "Force the container to run with user ID \u003e 10000 to avoid conflicts with the host’s user table.", - "Message": "Container 'postgresql-migrate-casbin' of Job 'postgresql-migrate-casbin' should set 'securityContext.runAsUser' \u003e 10000", - "Namespace": "builtin.kubernetes.KSV020", - "Query": "data.builtin.kubernetes.KSV020.deny", - "Resolution": "Set 'containers[].securityContext.runAsUser' to an integer \u003e 10000.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv020", - "References": [ - "https://kubesec.io/basics/containers-securitycontext-runasuser/", - "https://avd.aquasec.com/misconfig/ksv020" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 75, - "EndLine": 108, - "Code": { - "Lines": [ - { - "Number": 75, - "Content": " - name: postgresql-migrate-casbin", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-migrate-casbin", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 76, - "Content": " image: quay.io/devtron/migrator:ec1dcab8-149-13278", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/migrator:ec1dcab8-149-13278", - 
"FirstCause": false, - "LastCause": false - }, - { - "Number": 77, - "Content": " securityContext:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33msecurityContext\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 78, - "Content": " allowPrivilegeEscalation: false", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mallowPrivilegeEscalation\u001b[0m: \u001b[38;5;166mfalse", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 79, - "Content": " runAsUser: 1000", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1000", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 80, - "Content": " runAsNonRoot: true", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 81, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 82, - "Content": " - name: SCRIPT_LOCATION", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: SCRIPT_LOCATION", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 83, - "Content": " value: scripts/casbin/", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: scripts/casbin/", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 84, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV020", - "AVDID": "AVD-KSV-0020", - "Title": 
"Runs with UID \u003c= 10000", - "Description": "Force the container to run with user ID \u003e 10000 to avoid conflicts with the host’s user table.", - "Message": "Container 'postgresql-migrate-devtron' of Job 'postgresql-migrate-devtron' should set 'securityContext.runAsUser' \u003e 10000", - "Namespace": "builtin.kubernetes.KSV020", - "Query": "data.builtin.kubernetes.KSV020.deny", - "Resolution": "Set 'containers[].securityContext.runAsUser' to an integer \u003e 10000.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv020", - "References": [ - "https://kubesec.io/basics/containers-securitycontext-runasuser/", - "https://avd.aquasec.com/misconfig/ksv020" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 24, - "EndLine": 53, - "Code": { - "Lines": [ - { - "Number": 24, - "Content": " - name: postgresql-migrate-devtron", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-migrate-devtron", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 25, - "Content": " image: quay.io/devtron/migrator:ec1dcab8-149-13278", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/migrator:ec1dcab8-149-13278", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 26, - "Content": " securityContext:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33msecurityContext\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 27, - "Content": " allowPrivilegeEscalation: false", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mallowPrivilegeEscalation\u001b[0m: \u001b[38;5;166mfalse", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 28, - "Content": " runAsUser: 1000", - "IsCause": true, - 
"Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1000", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 29, - "Content": " runAsNonRoot: true", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 30, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 31, - "Content": " - name: GIT_BRANCH", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: GIT_BRANCH", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 32, - "Content": " value: main", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: main", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 33, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV020", - "AVDID": "AVD-KSV-0020", - "Title": "Runs with UID \u003c= 10000", - "Description": "Force the container to run with user ID \u003e 10000 to avoid conflicts with the host’s user table.", - "Message": "Container 'postgresql-migrate-gitsensor' of Job 'postgresql-migrate-gitsensor' should set 'securityContext.runAsUser' \u003e 10000", - "Namespace": "builtin.kubernetes.KSV020", - "Query": "data.builtin.kubernetes.KSV020.deny", - "Resolution": "Set 'containers[].securityContext.runAsUser' to an integer \u003e 10000.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv020", - "References": [ - "https://kubesec.io/basics/containers-securitycontext-runasuser/", 
- "https://avd.aquasec.com/misconfig/ksv020" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 125, - "EndLine": 154, - "Code": { - "Lines": [ - { - "Number": 125, - "Content": " - name: postgresql-migrate-gitsensor", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-migrate-gitsensor", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 126, - "Content": " image: quay.io/devtron/migrator:ec1dcab8-149-13278", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/migrator:ec1dcab8-149-13278", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 127, - "Content": " securityContext:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33msecurityContext\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 128, - "Content": " allowPrivilegeEscalation: false", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mallowPrivilegeEscalation\u001b[0m: \u001b[38;5;166mfalse", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 129, - "Content": " runAsUser: 1000", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1000", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 130, - "Content": " runAsNonRoot: true", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 131, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, 
- { - "Number": 132, - "Content": " - name: SCRIPT_LOCATION", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: SCRIPT_LOCATION", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 133, - "Content": " value: scripts/sql/", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: scripts/sql/", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 134, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV020", - "AVDID": "AVD-KSV-0020", - "Title": "Runs with UID \u003c= 10000", - "Description": "Force the container to run with user ID \u003e 10000 to avoid conflicts with the host’s user table.", - "Message": "Container 'postgresql-migrate-lens' of Job 'postgresql-migrate-lens' should set 'securityContext.runAsUser' \u003e 10000", - "Namespace": "builtin.kubernetes.KSV020", - "Query": "data.builtin.kubernetes.KSV020.deny", - "Resolution": "Set 'containers[].securityContext.runAsUser' to an integer \u003e 10000.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv020", - "References": [ - "https://kubesec.io/basics/containers-securitycontext-runasuser/", - "https://avd.aquasec.com/misconfig/ksv020" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 171, - "EndLine": 200, - "Code": { - "Lines": [ - { - "Number": 171, - "Content": " - name: postgresql-migrate-lens", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-migrate-lens", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 172, - "Content": " image: quay.io/devtron/migrator:ec1dcab8-149-13278", - "IsCause": true, - "Annotation": "", - "Truncated": 
false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/migrator:ec1dcab8-149-13278", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 173, - "Content": " securityContext:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33msecurityContext\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 174, - "Content": " allowPrivilegeEscalation: false", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mallowPrivilegeEscalation\u001b[0m: \u001b[38;5;166mfalse", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 175, - "Content": " runAsUser: 1000", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1000", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 176, - "Content": " runAsNonRoot: true", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 177, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 178, - "Content": " - name: SCRIPT_LOCATION", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: SCRIPT_LOCATION", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 179, - "Content": " value: scripts/sql/", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: scripts/sql/", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 180, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - 
} - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV020", - "AVDID": "AVD-KSV-0020", - "Title": "Runs with UID \u003c= 10000", - "Description": "Force the container to run with user ID \u003e 10000 to avoid conflicts with the host’s user table.", - "Message": "Container 'postgresql-miscellaneous' of Job 'postgresql-miscellaneous' should set 'securityContext.runAsUser' \u003e 10000", - "Namespace": "builtin.kubernetes.KSV020", - "Query": "data.builtin.kubernetes.KSV020.deny", - "Resolution": "Set 'containers[].securityContext.runAsUser' to an integer \u003e 10000.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv020", - "References": [ - "https://kubesec.io/basics/containers-securitycontext-runasuser/", - "https://avd.aquasec.com/misconfig/ksv020" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 221, - "EndLine": 241, - "Code": { - "Lines": [ - { - "Number": 221, - "Content": " - name: postgresql-miscellaneous", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-miscellaneous", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 222, - "Content": " image: quay.io/devtron/postgres:11.9", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/postgres:11.9", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 223, - "Content": " securityContext:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33msecurityContext\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 224, - "Content": " allowPrivilegeEscalation: false", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mallowPrivilegeEscalation\u001b[0m: \u001b[38;5;166mfalse", - "FirstCause": false, - "LastCause": false - }, - { 
- "Number": 225, - "Content": " runAsUser: 1000", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1000", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 226, - "Content": " runAsNonRoot: true", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 227, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 228, - "Content": " - name: PGPASSWORD", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: PGPASSWORD", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 229, - "Content": " valueFrom:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalueFrom\u001b[0m:", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 230, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV021", - "AVDID": "AVD-KSV-0021", - "Title": "Runs with GID \u003c= 10000", - "Description": "Force the container to run with group ID \u003e 10000 to avoid conflicts with the host’s user table.", - "Message": "Container 'chart-sync' of CronJob 'app-sync-cronjob' should set 'securityContext.runAsGroup' \u003e 10000", - "Namespace": "builtin.kubernetes.KSV021", - "Query": "data.builtin.kubernetes.KSV021.deny", - "Resolution": "Set 'containers[].securityContext.runAsGroup' to an integer \u003e 10000.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv021", - "References": [ - 
"https://kubesec.io/basics/containers-securitycontext-runasuser/", - "https://avd.aquasec.com/misconfig/ksv021" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 261, - "EndLine": 272, - "Code": { - "Lines": [ - { - "Number": 261, - "Content": " - name: chart-sync", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: chart-sync", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 262, - "Content": " image: quay.io/devtron/chart-sync:d0dcc590-373-21074", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/chart-sync:d0dcc590-373-21074", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 263, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 264, - "Content": " - name: PG_ADDR", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: PG_ADDR", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 265, - "Content": " value: postgresql-postgresql.devtroncd", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: postgresql-postgresql.devtroncd", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 266, - "Content": " - name: PG_DATABASE", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: PG_DATABASE", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 267, - "Content": " value: orchestrator", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: orchestrator", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 
268, - "Content": " - name: PG_USER", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: PG_USER", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 269, - "Content": " value: postgres", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: postgres", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 270, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV021", - "AVDID": "AVD-KSV-0021", - "Title": "Runs with GID \u003c= 10000", - "Description": "Force the container to run with group ID \u003e 10000 to avoid conflicts with the host’s user table.", - "Message": "Container 'devtron-rollout' of Job 'postgresql-migrate-casbin' should set 'securityContext.runAsGroup' \u003e 10000", - "Namespace": "builtin.kubernetes.KSV021", - "Query": "data.builtin.kubernetes.KSV021.deny", - "Resolution": "Set 'containers[].securityContext.runAsGroup' to an integer \u003e 10000.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv021", - "References": [ - "https://kubesec.io/basics/containers-securitycontext-runasuser/", - "https://avd.aquasec.com/misconfig/ksv021" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 71, - "EndLine": 73, - "Code": { - "Lines": [ - { - "Number": 71, - "Content": " - name: devtron-rollout", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: devtron-rollout", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 72, - "Content": " image: \"quay.io/devtron/kubectl:latest\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: 
\u001b[38;5;37m\"quay.io/devtron/kubectl:latest\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 73, - "Content": " command: ['sh', '-c', 'kubectl rollout restart deployment/devtron -n devtroncd \u0026\u0026 kubectl rollout restart deployment/kubelink -n devtroncd']", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mcommand\u001b[0m: [\u001b[38;5;37m'sh'\u001b[0m, \u001b[38;5;37m'-c'\u001b[0m, \u001b[38;5;37m'kubectl rollout restart deployment/devtron -n devtroncd \u0026\u0026 kubectl rollout restart deployment/kubelink -n devtroncd'\u001b[0m]", - "FirstCause": false, - "LastCause": true - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV021", - "AVDID": "AVD-KSV-0021", - "Title": "Runs with GID \u003c= 10000", - "Description": "Force the container to run with group ID \u003e 10000 to avoid conflicts with the host’s user table.", - "Message": "Container 'postgresql-migrate-casbin' of Job 'postgresql-migrate-casbin' should set 'securityContext.runAsGroup' \u003e 10000", - "Namespace": "builtin.kubernetes.KSV021", - "Query": "data.builtin.kubernetes.KSV021.deny", - "Resolution": "Set 'containers[].securityContext.runAsGroup' to an integer \u003e 10000.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv021", - "References": [ - "https://kubesec.io/basics/containers-securitycontext-runasuser/", - "https://avd.aquasec.com/misconfig/ksv021" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 75, - "EndLine": 108, - "Code": { - "Lines": [ - { - "Number": 75, - "Content": " - name: postgresql-migrate-casbin", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-migrate-casbin", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 76, - "Content": " image: 
quay.io/devtron/migrator:ec1dcab8-149-13278", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/migrator:ec1dcab8-149-13278", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 77, - "Content": " securityContext:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33msecurityContext\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 78, - "Content": " allowPrivilegeEscalation: false", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mallowPrivilegeEscalation\u001b[0m: \u001b[38;5;166mfalse", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 79, - "Content": " runAsUser: 1000", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1000", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 80, - "Content": " runAsNonRoot: true", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 81, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 82, - "Content": " - name: SCRIPT_LOCATION", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: SCRIPT_LOCATION", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 83, - "Content": " value: scripts/casbin/", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: scripts/casbin/", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 84, - "Content": "", - "IsCause": false, - 
"Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV021", - "AVDID": "AVD-KSV-0021", - "Title": "Runs with GID \u003c= 10000", - "Description": "Force the container to run with group ID \u003e 10000 to avoid conflicts with the host’s user table.", - "Message": "Container 'postgresql-migrate-devtron' of Job 'postgresql-migrate-devtron' should set 'securityContext.runAsGroup' \u003e 10000", - "Namespace": "builtin.kubernetes.KSV021", - "Query": "data.builtin.kubernetes.KSV021.deny", - "Resolution": "Set 'containers[].securityContext.runAsGroup' to an integer \u003e 10000.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv021", - "References": [ - "https://kubesec.io/basics/containers-securitycontext-runasuser/", - "https://avd.aquasec.com/misconfig/ksv021" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 24, - "EndLine": 53, - "Code": { - "Lines": [ - { - "Number": 24, - "Content": " - name: postgresql-migrate-devtron", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-migrate-devtron", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 25, - "Content": " image: quay.io/devtron/migrator:ec1dcab8-149-13278", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/migrator:ec1dcab8-149-13278", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 26, - "Content": " securityContext:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33msecurityContext\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 27, - "Content": " allowPrivilegeEscalation: false", - "IsCause": true, - "Annotation": "", - "Truncated": false, - 
"Highlighted": " \u001b[38;5;33mallowPrivilegeEscalation\u001b[0m: \u001b[38;5;166mfalse", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 28, - "Content": " runAsUser: 1000", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1000", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 29, - "Content": " runAsNonRoot: true", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 30, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 31, - "Content": " - name: GIT_BRANCH", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: GIT_BRANCH", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 32, - "Content": " value: main", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: main", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 33, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV021", - "AVDID": "AVD-KSV-0021", - "Title": "Runs with GID \u003c= 10000", - "Description": "Force the container to run with group ID \u003e 10000 to avoid conflicts with the host’s user table.", - "Message": "Container 'postgresql-migrate-gitsensor' of Job 'postgresql-migrate-gitsensor' should set 'securityContext.runAsGroup' \u003e 10000", - "Namespace": "builtin.kubernetes.KSV021", - "Query": "data.builtin.kubernetes.KSV021.deny", - "Resolution": "Set 
'containers[].securityContext.runAsGroup' to an integer \u003e 10000.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv021", - "References": [ - "https://kubesec.io/basics/containers-securitycontext-runasuser/", - "https://avd.aquasec.com/misconfig/ksv021" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 125, - "EndLine": 154, - "Code": { - "Lines": [ - { - "Number": 125, - "Content": " - name: postgresql-migrate-gitsensor", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-migrate-gitsensor", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 126, - "Content": " image: quay.io/devtron/migrator:ec1dcab8-149-13278", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/migrator:ec1dcab8-149-13278", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 127, - "Content": " securityContext:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33msecurityContext\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 128, - "Content": " allowPrivilegeEscalation: false", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mallowPrivilegeEscalation\u001b[0m: \u001b[38;5;166mfalse", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 129, - "Content": " runAsUser: 1000", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1000", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 130, - "Content": " runAsNonRoot: true", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue", - "FirstCause": 
false, - "LastCause": false - }, - { - "Number": 131, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 132, - "Content": " - name: SCRIPT_LOCATION", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: SCRIPT_LOCATION", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 133, - "Content": " value: scripts/sql/", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: scripts/sql/", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 134, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV021", - "AVDID": "AVD-KSV-0021", - "Title": "Runs with GID \u003c= 10000", - "Description": "Force the container to run with group ID \u003e 10000 to avoid conflicts with the host’s user table.", - "Message": "Container 'postgresql-migrate-lens' of Job 'postgresql-migrate-lens' should set 'securityContext.runAsGroup' \u003e 10000", - "Namespace": "builtin.kubernetes.KSV021", - "Query": "data.builtin.kubernetes.KSV021.deny", - "Resolution": "Set 'containers[].securityContext.runAsGroup' to an integer \u003e 10000.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv021", - "References": [ - "https://kubesec.io/basics/containers-securitycontext-runasuser/", - "https://avd.aquasec.com/misconfig/ksv021" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 171, - "EndLine": 200, - "Code": { - "Lines": [ - { - "Number": 171, - "Content": " - name: postgresql-migrate-lens", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - 
\u001b[38;5;33mname\u001b[0m: postgresql-migrate-lens", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 172, - "Content": " image: quay.io/devtron/migrator:ec1dcab8-149-13278", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/migrator:ec1dcab8-149-13278", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 173, - "Content": " securityContext:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33msecurityContext\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 174, - "Content": " allowPrivilegeEscalation: false", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mallowPrivilegeEscalation\u001b[0m: \u001b[38;5;166mfalse", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 175, - "Content": " runAsUser: 1000", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1000", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 176, - "Content": " runAsNonRoot: true", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 177, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 178, - "Content": " - name: SCRIPT_LOCATION", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: SCRIPT_LOCATION", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 179, - "Content": " value: scripts/sql/", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " 
\u001b[38;5;33mvalue\u001b[0m: scripts/sql/", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 180, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV021", - "AVDID": "AVD-KSV-0021", - "Title": "Runs with GID \u003c= 10000", - "Description": "Force the container to run with group ID \u003e 10000 to avoid conflicts with the host’s user table.", - "Message": "Container 'postgresql-miscellaneous' of Job 'postgresql-miscellaneous' should set 'securityContext.runAsGroup' \u003e 10000", - "Namespace": "builtin.kubernetes.KSV021", - "Query": "data.builtin.kubernetes.KSV021.deny", - "Resolution": "Set 'containers[].securityContext.runAsGroup' to an integer \u003e 10000.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv021", - "References": [ - "https://kubesec.io/basics/containers-securitycontext-runasuser/", - "https://avd.aquasec.com/misconfig/ksv021" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 221, - "EndLine": 241, - "Code": { - "Lines": [ - { - "Number": 221, - "Content": " - name: postgresql-miscellaneous", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-miscellaneous", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 222, - "Content": " image: quay.io/devtron/postgres:11.9", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/postgres:11.9", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 223, - "Content": " securityContext:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33msecurityContext\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 224, - 
"Content": " allowPrivilegeEscalation: false", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mallowPrivilegeEscalation\u001b[0m: \u001b[38;5;166mfalse", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 225, - "Content": " runAsUser: 1000", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1000", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 226, - "Content": " runAsNonRoot: true", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 227, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 228, - "Content": " - name: PGPASSWORD", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: PGPASSWORD", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 229, - "Content": " valueFrom:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalueFrom\u001b[0m:", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 230, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV030", - "AVDID": "AVD-KSV-0030", - "Title": "Runtime/Default Seccomp profile not set", - "Description": "According to pod security standard 'Seccomp', the RuntimeDefault seccomp profile must be required, or allow specific additional profiles.", - "Message": "Either Pod or Container should set 'securityContext.seccompProfile.type' to 'RuntimeDefault'", - "Namespace": 
"builtin.kubernetes.KSV030", - "Query": "data.builtin.kubernetes.KSV030.deny", - "Resolution": "Set 'spec.securityContext.seccompProfile.type', 'spec.containers[*].securityContext.seccompProfile' and 'spec.initContainers[*].securityContext.seccompProfile' to 'RuntimeDefault' or undefined.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv030", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", - "https://avd.aquasec.com/misconfig/ksv030" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 125, - "EndLine": 154, - "Code": { - "Lines": [ - { - "Number": 125, - "Content": " - name: postgresql-migrate-gitsensor", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-migrate-gitsensor", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 126, - "Content": " image: quay.io/devtron/migrator:ec1dcab8-149-13278", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/migrator:ec1dcab8-149-13278", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 127, - "Content": " securityContext:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33msecurityContext\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 128, - "Content": " allowPrivilegeEscalation: false", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mallowPrivilegeEscalation\u001b[0m: \u001b[38;5;166mfalse", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 129, - "Content": " runAsUser: 1000", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1000", - "FirstCause": false, - "LastCause": 
false - }, - { - "Number": 130, - "Content": " runAsNonRoot: true", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 131, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 132, - "Content": " - name: SCRIPT_LOCATION", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: SCRIPT_LOCATION", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 133, - "Content": " value: scripts/sql/", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: scripts/sql/", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 134, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV030", - "AVDID": "AVD-KSV-0030", - "Title": "Runtime/Default Seccomp profile not set", - "Description": "According to pod security standard 'Seccomp', the RuntimeDefault seccomp profile must be required, or allow specific additional profiles.", - "Message": "Either Pod or Container should set 'securityContext.seccompProfile.type' to 'RuntimeDefault'", - "Namespace": "builtin.kubernetes.KSV030", - "Query": "data.builtin.kubernetes.KSV030.deny", - "Resolution": "Set 'spec.securityContext.seccompProfile.type', 'spec.containers[*].securityContext.seccompProfile' and 'spec.initContainers[*].securityContext.seccompProfile' to 'RuntimeDefault' or undefined.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv030", - "References": [ - 
"https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", - "https://avd.aquasec.com/misconfig/ksv030" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 171, - "EndLine": 200, - "Code": { - "Lines": [ - { - "Number": 171, - "Content": " - name: postgresql-migrate-lens", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-migrate-lens", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 172, - "Content": " image: quay.io/devtron/migrator:ec1dcab8-149-13278", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/migrator:ec1dcab8-149-13278", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 173, - "Content": " securityContext:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33msecurityContext\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 174, - "Content": " allowPrivilegeEscalation: false", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mallowPrivilegeEscalation\u001b[0m: \u001b[38;5;166mfalse", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 175, - "Content": " runAsUser: 1000", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1000", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 176, - "Content": " runAsNonRoot: true", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 177, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m 
\u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 178, - "Content": " - name: SCRIPT_LOCATION", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: SCRIPT_LOCATION", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 179, - "Content": " value: scripts/sql/", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: scripts/sql/", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 180, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV030", - "AVDID": "AVD-KSV-0030", - "Title": "Runtime/Default Seccomp profile not set", - "Description": "According to pod security standard 'Seccomp', the RuntimeDefault seccomp profile must be required, or allow specific additional profiles.", - "Message": "Either Pod or Container should set 'securityContext.seccompProfile.type' to 'RuntimeDefault'", - "Namespace": "builtin.kubernetes.KSV030", - "Query": "data.builtin.kubernetes.KSV030.deny", - "Resolution": "Set 'spec.securityContext.seccompProfile.type', 'spec.containers[*].securityContext.seccompProfile' and 'spec.initContainers[*].securityContext.seccompProfile' to 'RuntimeDefault' or undefined.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv030", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", - "https://avd.aquasec.com/misconfig/ksv030" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 221, - "EndLine": 241, - "Code": { - "Lines": [ - { - "Number": 221, - "Content": " - name: postgresql-miscellaneous", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - 
\u001b[38;5;33mname\u001b[0m: postgresql-miscellaneous", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 222, - "Content": " image: quay.io/devtron/postgres:11.9", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/postgres:11.9", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 223, - "Content": " securityContext:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33msecurityContext\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 224, - "Content": " allowPrivilegeEscalation: false", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mallowPrivilegeEscalation\u001b[0m: \u001b[38;5;166mfalse", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 225, - "Content": " runAsUser: 1000", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1000", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 226, - "Content": " runAsNonRoot: true", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 227, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 228, - "Content": " - name: PGPASSWORD", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: PGPASSWORD", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 229, - "Content": " valueFrom:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalueFrom\u001b[0m:", - 
"FirstCause": false, - "LastCause": true - }, - { - "Number": 230, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV030", - "AVDID": "AVD-KSV-0030", - "Title": "Runtime/Default Seccomp profile not set", - "Description": "According to pod security standard 'Seccomp', the RuntimeDefault seccomp profile must be required, or allow specific additional profiles.", - "Message": "Either Pod or Container should set 'securityContext.seccompProfile.type' to 'RuntimeDefault'", - "Namespace": "builtin.kubernetes.KSV030", - "Query": "data.builtin.kubernetes.KSV030.deny", - "Resolution": "Set 'spec.securityContext.seccompProfile.type', 'spec.containers[*].securityContext.seccompProfile' and 'spec.initContainers[*].securityContext.seccompProfile' to 'RuntimeDefault' or undefined.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv030", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", - "https://avd.aquasec.com/misconfig/ksv030" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 75, - "EndLine": 108, - "Code": { - "Lines": [ - { - "Number": 75, - "Content": " - name: postgresql-migrate-casbin", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-migrate-casbin", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 76, - "Content": " image: quay.io/devtron/migrator:ec1dcab8-149-13278", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/migrator:ec1dcab8-149-13278", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 77, - "Content": " securityContext:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - 
"Highlighted": " \u001b[38;5;33msecurityContext\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 78, - "Content": " allowPrivilegeEscalation: false", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mallowPrivilegeEscalation\u001b[0m: \u001b[38;5;166mfalse", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 79, - "Content": " runAsUser: 1000", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1000", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 80, - "Content": " runAsNonRoot: true", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 81, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 82, - "Content": " - name: SCRIPT_LOCATION", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: SCRIPT_LOCATION", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 83, - "Content": " value: scripts/casbin/", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: scripts/casbin/", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 84, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV030", - "AVDID": "AVD-KSV-0030", - "Title": "Runtime/Default Seccomp profile not set", - "Description": "According to pod security standard 'Seccomp', the RuntimeDefault seccomp profile must be required, or 
allow specific additional profiles.", - "Message": "Either Pod or Container should set 'securityContext.seccompProfile.type' to 'RuntimeDefault'", - "Namespace": "builtin.kubernetes.KSV030", - "Query": "data.builtin.kubernetes.KSV030.deny", - "Resolution": "Set 'spec.securityContext.seccompProfile.type', 'spec.containers[*].securityContext.seccompProfile' and 'spec.initContainers[*].securityContext.seccompProfile' to 'RuntimeDefault' or undefined.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv030", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", - "https://avd.aquasec.com/misconfig/ksv030" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 71, - "EndLine": 73, - "Code": { - "Lines": [ - { - "Number": 71, - "Content": " - name: devtron-rollout", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: devtron-rollout", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 72, - "Content": " image: \"quay.io/devtron/kubectl:latest\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/kubectl:latest\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 73, - "Content": " command: ['sh', '-c', 'kubectl rollout restart deployment/devtron -n devtroncd \u0026\u0026 kubectl rollout restart deployment/kubelink -n devtroncd']", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mcommand\u001b[0m: [\u001b[38;5;37m'sh'\u001b[0m, \u001b[38;5;37m'-c'\u001b[0m, \u001b[38;5;37m'kubectl rollout restart deployment/devtron -n devtroncd \u0026\u0026 kubectl rollout restart deployment/kubelink -n devtroncd'\u001b[0m]", - "FirstCause": false, - "LastCause": true - } - ] - } - } - }, - { - "Type": 
"Kubernetes Security Check", - "ID": "KSV030", - "AVDID": "AVD-KSV-0030", - "Title": "Runtime/Default Seccomp profile not set", - "Description": "According to pod security standard 'Seccomp', the RuntimeDefault seccomp profile must be required, or allow specific additional profiles.", - "Message": "Either Pod or Container should set 'securityContext.seccompProfile.type' to 'RuntimeDefault'", - "Namespace": "builtin.kubernetes.KSV030", - "Query": "data.builtin.kubernetes.KSV030.deny", - "Resolution": "Set 'spec.securityContext.seccompProfile.type', 'spec.containers[*].securityContext.seccompProfile' and 'spec.initContainers[*].securityContext.seccompProfile' to 'RuntimeDefault' or undefined.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv030", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", - "https://avd.aquasec.com/misconfig/ksv030" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 24, - "EndLine": 53, - "Code": { - "Lines": [ - { - "Number": 24, - "Content": " - name: postgresql-migrate-devtron", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-migrate-devtron", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 25, - "Content": " image: quay.io/devtron/migrator:ec1dcab8-149-13278", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/migrator:ec1dcab8-149-13278", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 26, - "Content": " securityContext:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33msecurityContext\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 27, - "Content": " allowPrivilegeEscalation: false", - "IsCause": true, - "Annotation": "", - 
"Truncated": false, - "Highlighted": " \u001b[38;5;33mallowPrivilegeEscalation\u001b[0m: \u001b[38;5;166mfalse", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 28, - "Content": " runAsUser: 1000", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1000", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 29, - "Content": " runAsNonRoot: true", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 30, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 31, - "Content": " - name: GIT_BRANCH", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: GIT_BRANCH", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 32, - "Content": " value: main", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: main", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 33, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV030", - "AVDID": "AVD-KSV-0030", - "Title": "Runtime/Default Seccomp profile not set", - "Description": "According to pod security standard 'Seccomp', the RuntimeDefault seccomp profile must be required, or allow specific additional profiles.", - "Message": "Either Pod or Container should set 'securityContext.seccompProfile.type' to 'RuntimeDefault'", - "Namespace": "builtin.kubernetes.KSV030", - "Query": "data.builtin.kubernetes.KSV030.deny", - 
"Resolution": "Set 'spec.securityContext.seccompProfile.type', 'spec.containers[*].securityContext.seccompProfile' and 'spec.initContainers[*].securityContext.seccompProfile' to 'RuntimeDefault' or undefined.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv030", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", - "https://avd.aquasec.com/misconfig/ksv030" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 261, - "EndLine": 272, - "Code": { - "Lines": [ - { - "Number": 261, - "Content": " - name: chart-sync", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: chart-sync", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 262, - "Content": " image: quay.io/devtron/chart-sync:d0dcc590-373-21074", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/chart-sync:d0dcc590-373-21074", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 263, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 264, - "Content": " - name: PG_ADDR", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: PG_ADDR", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 265, - "Content": " value: postgresql-postgresql.devtroncd", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: postgresql-postgresql.devtroncd", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 266, - "Content": " - name: PG_DATABASE", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - 
\u001b[38;5;33mname\u001b[0m: PG_DATABASE", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 267, - "Content": " value: orchestrator", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: orchestrator", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 268, - "Content": " - name: PG_USER", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: PG_USER", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 269, - "Content": " value: postgres", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: postgres", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 270, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV104", - "AVDID": "AVD-KSV-0104", - "Title": "Seccomp policies disabled", - "Description": "A program inside the container can bypass Seccomp protection policies.", - "Message": "container \"chart-sync\" of cronjob \"app-sync-cronjob\" in \"default\" namespace should specify a seccomp profile", - "Namespace": "builtin.kubernetes.KSV104", - "Query": "data.builtin.kubernetes.KSV104.deny", - "Resolution": "Specify seccomp either by annotation or by seccomp profile type having allowed values as per pod security standards", - "Severity": "MEDIUM", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv104", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline", - "https://avd.aquasec.com/misconfig/ksv104" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 249, - "EndLine": 249, - "Code": { - "Lines": [ - { - "Number": 249, - "Content": "---", - "IsCause": true, - "Annotation": 
"", - "Truncated": false, - "Highlighted": "\u001b[0m---", - "FirstCause": true, - "LastCause": true - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV104", - "AVDID": "AVD-KSV-0104", - "Title": "Seccomp policies disabled", - "Description": "A program inside the container can bypass Seccomp protection policies.", - "Message": "container \"devtron-rollout\" of job \"postgresql-migrate-casbin\" in \"default\" namespace should specify a seccomp profile", - "Namespace": "builtin.kubernetes.KSV104", - "Query": "data.builtin.kubernetes.KSV104.deny", - "Resolution": "Specify seccomp either by annotation or by seccomp profile type having allowed values as per pod security standards", - "Severity": "MEDIUM", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv104", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline", - "https://avd.aquasec.com/misconfig/ksv104" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 57, - "EndLine": 57, - "Code": { - "Lines": [ - { - "Number": 57, - "Content": "---", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m---", - "FirstCause": true, - "LastCause": true - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV104", - "AVDID": "AVD-KSV-0104", - "Title": "Seccomp policies disabled", - "Description": "A program inside the container can bypass Seccomp protection policies.", - "Message": "container \"postgresql-migrate-casbin\" of job \"postgresql-migrate-casbin\" in \"default\" namespace should specify a seccomp profile", - "Namespace": "builtin.kubernetes.KSV104", - "Query": "data.builtin.kubernetes.KSV104.deny", - "Resolution": "Specify seccomp either by annotation or by seccomp profile type having allowed values as per pod security standards", - "Severity": "MEDIUM", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv104", - 
"References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline", - "https://avd.aquasec.com/misconfig/ksv104" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 57, - "EndLine": 57, - "Code": { - "Lines": [ - { - "Number": 57, - "Content": "---", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m---", - "FirstCause": true, - "LastCause": true - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV104", - "AVDID": "AVD-KSV-0104", - "Title": "Seccomp policies disabled", - "Description": "A program inside the container can bypass Seccomp protection policies.", - "Message": "container \"postgresql-migrate-devtron\" of job \"postgresql-migrate-devtron\" in \"default\" namespace should specify a seccomp profile", - "Namespace": "builtin.kubernetes.KSV104", - "Query": "data.builtin.kubernetes.KSV104.deny", - "Resolution": "Specify seccomp either by annotation or by seccomp profile type having allowed values as per pod security standards", - "Severity": "MEDIUM", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv104", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline", - "https://avd.aquasec.com/misconfig/ksv104" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 11, - "EndLine": 11, - "Code": { - "Lines": [ - { - "Number": 11, - "Content": "---", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "---", - "FirstCause": true, - "LastCause": true - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV104", - "AVDID": "AVD-KSV-0104", - "Title": "Seccomp policies disabled", - "Description": "A program inside the container can bypass Seccomp protection policies.", - "Message": "container \"postgresql-migrate-gitsensor\" of job 
\"postgresql-migrate-gitsensor\" in \"default\" namespace should specify a seccomp profile", - "Namespace": "builtin.kubernetes.KSV104", - "Query": "data.builtin.kubernetes.KSV104.deny", - "Resolution": "Specify seccomp either by annotation or by seccomp profile type having allowed values as per pod security standards", - "Severity": "MEDIUM", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv104", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline", - "https://avd.aquasec.com/misconfig/ksv104" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 112, - "EndLine": 112, - "Code": { - "Lines": [ - { - "Number": 112, - "Content": "---", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m---", - "FirstCause": true, - "LastCause": true - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV104", - "AVDID": "AVD-KSV-0104", - "Title": "Seccomp policies disabled", - "Description": "A program inside the container can bypass Seccomp protection policies.", - "Message": "container \"postgresql-migrate-lens\" of job \"postgresql-migrate-lens\" in \"default\" namespace should specify a seccomp profile", - "Namespace": "builtin.kubernetes.KSV104", - "Query": "data.builtin.kubernetes.KSV104.deny", - "Resolution": "Specify seccomp either by annotation or by seccomp profile type having allowed values as per pod security standards", - "Severity": "MEDIUM", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv104", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline", - "https://avd.aquasec.com/misconfig/ksv104" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 158, - "EndLine": 158, - "Code": { - "Lines": [ - { - "Number": 158, - "Content": "---", - "IsCause": true, - 
"Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m---", - "FirstCause": true, - "LastCause": true - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV104", - "AVDID": "AVD-KSV-0104", - "Title": "Seccomp policies disabled", - "Description": "A program inside the container can bypass Seccomp protection policies.", - "Message": "container \"postgresql-miscellaneous\" of job \"postgresql-miscellaneous\" in \"default\" namespace should specify a seccomp profile", - "Namespace": "builtin.kubernetes.KSV104", - "Query": "data.builtin.kubernetes.KSV104.deny", - "Resolution": "Specify seccomp either by annotation or by seccomp profile type having allowed values as per pod security standards", - "Severity": "MEDIUM", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv104", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline", - "https://avd.aquasec.com/misconfig/ksv104" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 204, - "EndLine": 204, - "Code": { - "Lines": [ - { - "Number": 204, - "Content": "---", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m---", - "FirstCause": true, - "LastCause": true - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV106", - "AVDID": "AVD-KSV-0106", - "Title": "Container capabilities must only include NET_BIND_SERVICE", - "Description": "Containers must drop ALL capabilities, and are only permitted to add back the NET_BIND_SERVICE capability.", - "Message": "container should drop all", - "Namespace": "builtin.kubernetes.KSV106", - "Query": "data.builtin.kubernetes.KSV106.deny", - "Resolution": "Set 'spec.containers[*].securityContext.capabilities.drop' to 'ALL' and only add 'NET_BIND_SERVICE' to 'spec.containers[*].securityContext.capabilities.add'.", - "Severity": "LOW", - "PrimaryURL": 
"https://avd.aquasec.com/misconfig/ksv106", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", - "https://avd.aquasec.com/misconfig/ksv106" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 24, - "EndLine": 53, - "Code": { - "Lines": [ - { - "Number": 24, - "Content": " - name: postgresql-migrate-devtron", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-migrate-devtron", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 25, - "Content": " image: quay.io/devtron/migrator:ec1dcab8-149-13278", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/migrator:ec1dcab8-149-13278", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 26, - "Content": " securityContext:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33msecurityContext\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 27, - "Content": " allowPrivilegeEscalation: false", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mallowPrivilegeEscalation\u001b[0m: \u001b[38;5;166mfalse", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 28, - "Content": " runAsUser: 1000", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1000", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 29, - "Content": " runAsNonRoot: true", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 30, - "Content": " env:", - "IsCause": true, - "Annotation": 
"", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 31, - "Content": " - name: GIT_BRANCH", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: GIT_BRANCH", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 32, - "Content": " value: main", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: main", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 33, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV106", - "AVDID": "AVD-KSV-0106", - "Title": "Container capabilities must only include NET_BIND_SERVICE", - "Description": "Containers must drop ALL capabilities, and are only permitted to add back the NET_BIND_SERVICE capability.", - "Message": "container should drop all", - "Namespace": "builtin.kubernetes.KSV106", - "Query": "data.builtin.kubernetes.KSV106.deny", - "Resolution": "Set 'spec.containers[*].securityContext.capabilities.drop' to 'ALL' and only add 'NET_BIND_SERVICE' to 'spec.containers[*].securityContext.capabilities.add'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv106", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", - "https://avd.aquasec.com/misconfig/ksv106" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 71, - "EndLine": 73, - "Code": { - "Lines": [ - { - "Number": 71, - "Content": " - name: devtron-rollout", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: devtron-rollout", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 
72, - "Content": " image: \"quay.io/devtron/kubectl:latest\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/kubectl:latest\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 73, - "Content": " command: ['sh', '-c', 'kubectl rollout restart deployment/devtron -n devtroncd \u0026\u0026 kubectl rollout restart deployment/kubelink -n devtroncd']", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mcommand\u001b[0m: [\u001b[38;5;37m'sh'\u001b[0m, \u001b[38;5;37m'-c'\u001b[0m, \u001b[38;5;37m'kubectl rollout restart deployment/devtron -n devtroncd \u0026\u0026 kubectl rollout restart deployment/kubelink -n devtroncd'\u001b[0m]", - "FirstCause": false, - "LastCause": true - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV106", - "AVDID": "AVD-KSV-0106", - "Title": "Container capabilities must only include NET_BIND_SERVICE", - "Description": "Containers must drop ALL capabilities, and are only permitted to add back the NET_BIND_SERVICE capability.", - "Message": "container should drop all", - "Namespace": "builtin.kubernetes.KSV106", - "Query": "data.builtin.kubernetes.KSV106.deny", - "Resolution": "Set 'spec.containers[*].securityContext.capabilities.drop' to 'ALL' and only add 'NET_BIND_SERVICE' to 'spec.containers[*].securityContext.capabilities.add'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv106", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", - "https://avd.aquasec.com/misconfig/ksv106" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 75, - "EndLine": 108, - "Code": { - "Lines": [ - { - "Number": 75, - "Content": " - name: postgresql-migrate-casbin", - "IsCause": true, - "Annotation": "", - "Truncated": 
false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-migrate-casbin", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 76, - "Content": " image: quay.io/devtron/migrator:ec1dcab8-149-13278", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/migrator:ec1dcab8-149-13278", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 77, - "Content": " securityContext:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33msecurityContext\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 78, - "Content": " allowPrivilegeEscalation: false", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mallowPrivilegeEscalation\u001b[0m: \u001b[38;5;166mfalse", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 79, - "Content": " runAsUser: 1000", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1000", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 80, - "Content": " runAsNonRoot: true", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 81, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 82, - "Content": " - name: SCRIPT_LOCATION", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: SCRIPT_LOCATION", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 83, - "Content": " value: scripts/casbin/", - "IsCause": true, - "Annotation": "", - "Truncated": 
false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: scripts/casbin/", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 84, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV106", - "AVDID": "AVD-KSV-0106", - "Title": "Container capabilities must only include NET_BIND_SERVICE", - "Description": "Containers must drop ALL capabilities, and are only permitted to add back the NET_BIND_SERVICE capability.", - "Message": "container should drop all", - "Namespace": "builtin.kubernetes.KSV106", - "Query": "data.builtin.kubernetes.KSV106.deny", - "Resolution": "Set 'spec.containers[*].securityContext.capabilities.drop' to 'ALL' and only add 'NET_BIND_SERVICE' to 'spec.containers[*].securityContext.capabilities.add'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv106", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", - "https://avd.aquasec.com/misconfig/ksv106" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 125, - "EndLine": 154, - "Code": { - "Lines": [ - { - "Number": 125, - "Content": " - name: postgresql-migrate-gitsensor", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-migrate-gitsensor", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 126, - "Content": " image: quay.io/devtron/migrator:ec1dcab8-149-13278", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/migrator:ec1dcab8-149-13278", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 127, - "Content": " securityContext:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " 
\u001b[38;5;33msecurityContext\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 128, - "Content": " allowPrivilegeEscalation: false", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mallowPrivilegeEscalation\u001b[0m: \u001b[38;5;166mfalse", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 129, - "Content": " runAsUser: 1000", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1000", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 130, - "Content": " runAsNonRoot: true", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 131, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 132, - "Content": " - name: SCRIPT_LOCATION", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: SCRIPT_LOCATION", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 133, - "Content": " value: scripts/sql/", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: scripts/sql/", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 134, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV106", - "AVDID": "AVD-KSV-0106", - "Title": "Container capabilities must only include NET_BIND_SERVICE", - "Description": "Containers must drop ALL capabilities, and are only permitted to add back the NET_BIND_SERVICE 
capability.", - "Message": "container should drop all", - "Namespace": "builtin.kubernetes.KSV106", - "Query": "data.builtin.kubernetes.KSV106.deny", - "Resolution": "Set 'spec.containers[*].securityContext.capabilities.drop' to 'ALL' and only add 'NET_BIND_SERVICE' to 'spec.containers[*].securityContext.capabilities.add'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv106", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", - "https://avd.aquasec.com/misconfig/ksv106" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 171, - "EndLine": 200, - "Code": { - "Lines": [ - { - "Number": 171, - "Content": " - name: postgresql-migrate-lens", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-migrate-lens", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 172, - "Content": " image: quay.io/devtron/migrator:ec1dcab8-149-13278", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/migrator:ec1dcab8-149-13278", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 173, - "Content": " securityContext:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33msecurityContext\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 174, - "Content": " allowPrivilegeEscalation: false", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mallowPrivilegeEscalation\u001b[0m: \u001b[38;5;166mfalse", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 175, - "Content": " runAsUser: 1000", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1000", - "FirstCause": 
false, - "LastCause": false - }, - { - "Number": 176, - "Content": " runAsNonRoot: true", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 177, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 178, - "Content": " - name: SCRIPT_LOCATION", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: SCRIPT_LOCATION", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 179, - "Content": " value: scripts/sql/", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: scripts/sql/", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 180, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV106", - "AVDID": "AVD-KSV-0106", - "Title": "Container capabilities must only include NET_BIND_SERVICE", - "Description": "Containers must drop ALL capabilities, and are only permitted to add back the NET_BIND_SERVICE capability.", - "Message": "container should drop all", - "Namespace": "builtin.kubernetes.KSV106", - "Query": "data.builtin.kubernetes.KSV106.deny", - "Resolution": "Set 'spec.containers[*].securityContext.capabilities.drop' to 'ALL' and only add 'NET_BIND_SERVICE' to 'spec.containers[*].securityContext.capabilities.add'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv106", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", - "https://avd.aquasec.com/misconfig/ksv106" - ], - "Status": "FAIL", - 
"Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 221, - "EndLine": 241, - "Code": { - "Lines": [ - { - "Number": 221, - "Content": " - name: postgresql-miscellaneous", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-miscellaneous", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 222, - "Content": " image: quay.io/devtron/postgres:11.9", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/postgres:11.9", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 223, - "Content": " securityContext:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33msecurityContext\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 224, - "Content": " allowPrivilegeEscalation: false", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mallowPrivilegeEscalation\u001b[0m: \u001b[38;5;166mfalse", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 225, - "Content": " runAsUser: 1000", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1000", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 226, - "Content": " runAsNonRoot: true", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 227, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 228, - "Content": " - name: PGPASSWORD", - "IsCause": true, - "Annotation": "", - 
"Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: PGPASSWORD", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 229, - "Content": " valueFrom:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalueFrom\u001b[0m:", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 230, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV106", - "AVDID": "AVD-KSV-0106", - "Title": "Container capabilities must only include NET_BIND_SERVICE", - "Description": "Containers must drop ALL capabilities, and are only permitted to add back the NET_BIND_SERVICE capability.", - "Message": "container should drop all", - "Namespace": "builtin.kubernetes.KSV106", - "Query": "data.builtin.kubernetes.KSV106.deny", - "Resolution": "Set 'spec.containers[*].securityContext.capabilities.drop' to 'ALL' and only add 'NET_BIND_SERVICE' to 'spec.containers[*].securityContext.capabilities.add'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv106", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", - "https://avd.aquasec.com/misconfig/ksv106" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 261, - "EndLine": 272, - "Code": { - "Lines": [ - { - "Number": 261, - "Content": " - name: chart-sync", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: chart-sync", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 262, - "Content": " image: quay.io/devtron/chart-sync:d0dcc590-373-21074", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/chart-sync:d0dcc590-373-21074", - 
"FirstCause": false, - "LastCause": false - }, - { - "Number": 263, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 264, - "Content": " - name: PG_ADDR", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: PG_ADDR", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 265, - "Content": " value: postgresql-postgresql.devtroncd", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: postgresql-postgresql.devtroncd", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 266, - "Content": " - name: PG_DATABASE", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: PG_DATABASE", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 267, - "Content": " value: orchestrator", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: orchestrator", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 268, - "Content": " - name: PG_USER", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: PG_USER", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 269, - "Content": " value: postgres", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: postgres", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 270, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - } - ] - }, - { - "Target": "manifests/yamls/minio-storage.yaml", - "Class": "config", - "Type": "kubernetes", - "MisconfSummary": { - "Successes": 153, - "Failures": 29, - 
"Exceptions": 0 - }, - "Misconfigurations": [ - { - "Type": "Kubernetes Security Check", - "ID": "KSV001", - "AVDID": "AVD-KSV-0001", - "Title": "Can elevate its own privileges", - "Description": "A program inside the container can elevate its own privileges and run as root, which might give the program control over the container and node.", - "Message": "Container 'minio' of StatefulSet 'devtron-minio' should set 'securityContext.allowPrivilegeEscalation' to false", - "Namespace": "builtin.kubernetes.KSV001", - "Query": "data.builtin.kubernetes.KSV001.deny", - "Resolution": "Set 'set containers[].securityContext.allowPrivilegeEscalation' to 'false'.", - "Severity": "MEDIUM", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv001", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", - "https://avd.aquasec.com/misconfig/ksv001" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 281, - "EndLine": 305, - "Code": { - "Lines": [ - { - "Number": 281, - "Content": " - name: minio", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: minio", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 282, - "Content": " image: \"quay.io/devtron/minio:RELEASE.2021-02-14T04-01-33Z\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/minio:RELEASE.2021-02-14T04-01-33Z\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 283, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 284, - "Content": "", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "FirstCause": 
false, - "LastCause": false - }, - { - "Number": 285, - "Content": " command: [ \"/bin/sh\",", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mcommand\u001b[0m: [ \u001b[38;5;37m\"/bin/sh\"\u001b[0m,", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 286, - "Content": " \"-ce\",", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;37m\"-ce\"\u001b[0m,", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 287, - "Content": " \"/usr/bin/docker-entrypoint.sh minio -S /etc/minio/certs/ server http://devtron-minio-{0...3}.devtron-minio-svc.devtroncd.svc.cluster.local/export\" ]", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;37m\"/usr/bin/docker-entrypoint.sh minio -S /etc/minio/certs/ server http://devtron-minio-{0...3}.devtron-minio-svc.devtroncd.svc.cluster.local/export\"\u001b[0m ]", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 288, - "Content": " volumeMounts:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvolumeMounts\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 289, - "Content": " - name: export", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: export", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 290, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV001", - "AVDID": "AVD-KSV-0001", - "Title": "Can elevate its own privileges", - "Description": "A program inside the container can elevate its own privileges and run as root, which might give the program control over the container and node.", - "Message": "Container 'minio-mc' of Job 'devtron-minio-make-bucket-job' should set 
'securityContext.allowPrivilegeEscalation' to false", - "Namespace": "builtin.kubernetes.KSV001", - "Query": "data.builtin.kubernetes.KSV001.deny", - "Resolution": "Set 'set containers[].securityContext.allowPrivilegeEscalation' to 'false'.", - "Severity": "MEDIUM", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv001", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", - "https://avd.aquasec.com/misconfig/ksv001" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 350, - "EndLine": 362, - "Code": { - "Lines": [ - { - "Number": 350, - "Content": " - name: minio-mc", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: minio-mc", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 351, - "Content": " image: \"quay.io/devtron/minio-mc:RELEASE.2021-02-14T04-28-06Z\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/minio-mc:RELEASE.2021-02-14T04-28-06Z\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 352, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 353, - "Content": " command: [\"/bin/sh\", \"/config/initialize\"]", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mcommand\u001b[0m: [\u001b[38;5;37m\"/bin/sh\"\u001b[0m, \u001b[38;5;37m\"/config/initialize\"\u001b[0m]", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 354, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - 
"LastCause": false - }, - { - "Number": 355, - "Content": " - name: MINIO_ENDPOINT", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: MINIO_ENDPOINT", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 356, - "Content": " value: devtron-minio", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: devtron-minio", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 357, - "Content": " - name: MINIO_PORT", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: MINIO_PORT", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 358, - "Content": " value: \"9000\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: \u001b[38;5;37m\"9000\"", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 359, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV003", - "AVDID": "AVD-KSV-0003", - "Title": "Default capabilities: some containers do not drop all", - "Description": "The container should drop all default capabilities and add only those that are needed for its execution.", - "Message": "Container 'minio' of StatefulSet 'devtron-minio' should add 'ALL' to 'securityContext.capabilities.drop'", - "Namespace": "builtin.kubernetes.KSV003", - "Query": "data.builtin.kubernetes.KSV003.deny", - "Resolution": "Add 'ALL' to containers[].securityContext.capabilities.drop.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv003", - "References": [ - "https://kubesec.io/basics/containers-securitycontext-capabilities-drop-index-all/", - "https://avd.aquasec.com/misconfig/ksv003" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { 
- "Provider": "Kubernetes", - "Service": "general", - "StartLine": 281, - "EndLine": 305, - "Code": { - "Lines": [ - { - "Number": 281, - "Content": " - name: minio", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: minio", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 282, - "Content": " image: \"quay.io/devtron/minio:RELEASE.2021-02-14T04-01-33Z\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/minio:RELEASE.2021-02-14T04-01-33Z\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 283, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 284, - "Content": "", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "FirstCause": false, - "LastCause": false - }, - { - "Number": 285, - "Content": " command: [ \"/bin/sh\",", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mcommand\u001b[0m: [ \u001b[38;5;37m\"/bin/sh\"\u001b[0m,", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 286, - "Content": " \"-ce\",", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;37m\"-ce\"\u001b[0m,", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 287, - "Content": " \"/usr/bin/docker-entrypoint.sh minio -S /etc/minio/certs/ server http://devtron-minio-{0...3}.devtron-minio-svc.devtroncd.svc.cluster.local/export\" ]", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;37m\"/usr/bin/docker-entrypoint.sh minio -S /etc/minio/certs/ server http://devtron-minio-{0...3}.devtron-minio-svc.devtroncd.svc.cluster.local/export\"\u001b[0m 
]", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 288, - "Content": " volumeMounts:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvolumeMounts\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 289, - "Content": " - name: export", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: export", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 290, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV003", - "AVDID": "AVD-KSV-0003", - "Title": "Default capabilities: some containers do not drop all", - "Description": "The container should drop all default capabilities and add only those that are needed for its execution.", - "Message": "Container 'minio-mc' of Job 'devtron-minio-make-bucket-job' should add 'ALL' to 'securityContext.capabilities.drop'", - "Namespace": "builtin.kubernetes.KSV003", - "Query": "data.builtin.kubernetes.KSV003.deny", - "Resolution": "Add 'ALL' to containers[].securityContext.capabilities.drop.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv003", - "References": [ - "https://kubesec.io/basics/containers-securitycontext-capabilities-drop-index-all/", - "https://avd.aquasec.com/misconfig/ksv003" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 350, - "EndLine": 362, - "Code": { - "Lines": [ - { - "Number": 350, - "Content": " - name: minio-mc", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: minio-mc", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 351, - "Content": " image: \"quay.io/devtron/minio-mc:RELEASE.2021-02-14T04-28-06Z\"", - "IsCause": 
true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/minio-mc:RELEASE.2021-02-14T04-28-06Z\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 352, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 353, - "Content": " command: [\"/bin/sh\", \"/config/initialize\"]", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mcommand\u001b[0m: [\u001b[38;5;37m\"/bin/sh\"\u001b[0m, \u001b[38;5;37m\"/config/initialize\"\u001b[0m]", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 354, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 355, - "Content": " - name: MINIO_ENDPOINT", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: MINIO_ENDPOINT", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 356, - "Content": " value: devtron-minio", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: devtron-minio", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 357, - "Content": " - name: MINIO_PORT", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: MINIO_PORT", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 358, - "Content": " value: \"9000\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: \u001b[38;5;37m\"9000\"", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 359, - "Content": 
"", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV011", - "AVDID": "AVD-KSV-0011", - "Title": "CPU not limited", - "Description": "Enforcing CPU limits prevents DoS via resource exhaustion.", - "Message": "Container 'minio' of StatefulSet 'devtron-minio' should set 'resources.limits.cpu'", - "Namespace": "builtin.kubernetes.KSV011", - "Query": "data.builtin.kubernetes.KSV011.deny", - "Resolution": "Set a limit value under 'containers[].resources.limits.cpu'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv011", - "References": [ - "https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", - "https://avd.aquasec.com/misconfig/ksv011" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 281, - "EndLine": 305, - "Code": { - "Lines": [ - { - "Number": 281, - "Content": " - name: minio", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: minio", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 282, - "Content": " image: \"quay.io/devtron/minio:RELEASE.2021-02-14T04-01-33Z\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/minio:RELEASE.2021-02-14T04-01-33Z\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 283, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 284, - "Content": "", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "FirstCause": false, - "LastCause": false - 
}, - { - "Number": 285, - "Content": " command: [ \"/bin/sh\",", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mcommand\u001b[0m: [ \u001b[38;5;37m\"/bin/sh\"\u001b[0m,", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 286, - "Content": " \"-ce\",", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;37m\"-ce\"\u001b[0m,", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 287, - "Content": " \"/usr/bin/docker-entrypoint.sh minio -S /etc/minio/certs/ server http://devtron-minio-{0...3}.devtron-minio-svc.devtroncd.svc.cluster.local/export\" ]", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;37m\"/usr/bin/docker-entrypoint.sh minio -S /etc/minio/certs/ server http://devtron-minio-{0...3}.devtron-minio-svc.devtroncd.svc.cluster.local/export\"\u001b[0m ]", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 288, - "Content": " volumeMounts:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvolumeMounts\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 289, - "Content": " - name: export", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: export", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 290, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV011", - "AVDID": "AVD-KSV-0011", - "Title": "CPU not limited", - "Description": "Enforcing CPU limits prevents DoS via resource exhaustion.", - "Message": "Container 'minio-mc' of Job 'devtron-minio-make-bucket-job' should set 'resources.limits.cpu'", - "Namespace": "builtin.kubernetes.KSV011", - "Query": "data.builtin.kubernetes.KSV011.deny", - "Resolution": 
"Set a limit value under 'containers[].resources.limits.cpu'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv011", - "References": [ - "https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", - "https://avd.aquasec.com/misconfig/ksv011" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 350, - "EndLine": 362, - "Code": { - "Lines": [ - { - "Number": 350, - "Content": " - name: minio-mc", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: minio-mc", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 351, - "Content": " image: \"quay.io/devtron/minio-mc:RELEASE.2021-02-14T04-28-06Z\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/minio-mc:RELEASE.2021-02-14T04-28-06Z\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 352, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 353, - "Content": " command: [\"/bin/sh\", \"/config/initialize\"]", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mcommand\u001b[0m: [\u001b[38;5;37m\"/bin/sh\"\u001b[0m, \u001b[38;5;37m\"/config/initialize\"\u001b[0m]", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 354, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 355, - "Content": " - name: MINIO_ENDPOINT", - "IsCause": true, - "Annotation": "", - "Truncated": false, - 
"Highlighted": " - \u001b[38;5;33mname\u001b[0m: MINIO_ENDPOINT", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 356, - "Content": " value: devtron-minio", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: devtron-minio", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 357, - "Content": " - name: MINIO_PORT", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: MINIO_PORT", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 358, - "Content": " value: \"9000\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: \u001b[38;5;37m\"9000\"", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 359, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV012", - "AVDID": "AVD-KSV-0012", - "Title": "Runs as root user", - "Description": "Force the running image to run as a non-root user to ensure least privileges.", - "Message": "Container 'minio' of StatefulSet 'devtron-minio' should set 'securityContext.runAsNonRoot' to true", - "Namespace": "builtin.kubernetes.KSV012", - "Query": "data.builtin.kubernetes.KSV012.deny", - "Resolution": "Set 'containers[].securityContext.runAsNonRoot' to true.", - "Severity": "MEDIUM", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv012", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", - "https://avd.aquasec.com/misconfig/ksv012" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 281, - "EndLine": 305, - "Code": { - "Lines": [ - { - "Number": 281, - "Content": " - name: minio", - "IsCause": true, - "Annotation": "", - 
"Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: minio", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 282, - "Content": " image: \"quay.io/devtron/minio:RELEASE.2021-02-14T04-01-33Z\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/minio:RELEASE.2021-02-14T04-01-33Z\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 283, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 284, - "Content": "", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "FirstCause": false, - "LastCause": false - }, - { - "Number": 285, - "Content": " command: [ \"/bin/sh\",", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mcommand\u001b[0m: [ \u001b[38;5;37m\"/bin/sh\"\u001b[0m,", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 286, - "Content": " \"-ce\",", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;37m\"-ce\"\u001b[0m,", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 287, - "Content": " \"/usr/bin/docker-entrypoint.sh minio -S /etc/minio/certs/ server http://devtron-minio-{0...3}.devtron-minio-svc.devtroncd.svc.cluster.local/export\" ]", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;37m\"/usr/bin/docker-entrypoint.sh minio -S /etc/minio/certs/ server http://devtron-minio-{0...3}.devtron-minio-svc.devtroncd.svc.cluster.local/export\"\u001b[0m ]", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 288, - "Content": " volumeMounts:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " 
\u001b[38;5;33mvolumeMounts\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 289, - "Content": " - name: export", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: export", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 290, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV012", - "AVDID": "AVD-KSV-0012", - "Title": "Runs as root user", - "Description": "Force the running image to run as a non-root user to ensure least privileges.", - "Message": "Container 'minio-mc' of Job 'devtron-minio-make-bucket-job' should set 'securityContext.runAsNonRoot' to true", - "Namespace": "builtin.kubernetes.KSV012", - "Query": "data.builtin.kubernetes.KSV012.deny", - "Resolution": "Set 'containers[].securityContext.runAsNonRoot' to true.", - "Severity": "MEDIUM", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv012", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", - "https://avd.aquasec.com/misconfig/ksv012" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 350, - "EndLine": 362, - "Code": { - "Lines": [ - { - "Number": 350, - "Content": " - name: minio-mc", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: minio-mc", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 351, - "Content": " image: \"quay.io/devtron/minio-mc:RELEASE.2021-02-14T04-28-06Z\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/minio-mc:RELEASE.2021-02-14T04-28-06Z\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 352, - "Content": " 
imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 353, - "Content": " command: [\"/bin/sh\", \"/config/initialize\"]", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mcommand\u001b[0m: [\u001b[38;5;37m\"/bin/sh\"\u001b[0m, \u001b[38;5;37m\"/config/initialize\"\u001b[0m]", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 354, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 355, - "Content": " - name: MINIO_ENDPOINT", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: MINIO_ENDPOINT", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 356, - "Content": " value: devtron-minio", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: devtron-minio", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 357, - "Content": " - name: MINIO_PORT", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: MINIO_PORT", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 358, - "Content": " value: \"9000\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: \u001b[38;5;37m\"9000\"", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 359, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV014", - "AVDID": "AVD-KSV-0014", - "Title": "Root file system is not 
read-only", - "Description": "An immutable root file system prevents applications from writing to their local disk. This can limit intrusions, as attackers will not be able to tamper with the file system or write foreign executables to disk.", - "Message": "Container 'minio' of StatefulSet 'devtron-minio' should set 'securityContext.readOnlyRootFilesystem' to true", - "Namespace": "builtin.kubernetes.KSV014", - "Query": "data.builtin.kubernetes.KSV014.deny", - "Resolution": "Change 'containers[].securityContext.readOnlyRootFilesystem' to 'true'.", - "Severity": "HIGH", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv014", - "References": [ - "https://kubesec.io/basics/containers-securitycontext-readonlyrootfilesystem-true/", - "https://avd.aquasec.com/misconfig/ksv014" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 281, - "EndLine": 305, - "Code": { - "Lines": [ - { - "Number": 281, - "Content": " - name: minio", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: minio", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 282, - "Content": " image: \"quay.io/devtron/minio:RELEASE.2021-02-14T04-01-33Z\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/minio:RELEASE.2021-02-14T04-01-33Z\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 283, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 284, - "Content": "", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "FirstCause": false, - "LastCause": false - }, - { - "Number": 285, - "Content": " command: [ \"/bin/sh\",", - "IsCause": 
true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mcommand\u001b[0m: [ \u001b[38;5;37m\"/bin/sh\"\u001b[0m,", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 286, - "Content": " \"-ce\",", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;37m\"-ce\"\u001b[0m,", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 287, - "Content": " \"/usr/bin/docker-entrypoint.sh minio -S /etc/minio/certs/ server http://devtron-minio-{0...3}.devtron-minio-svc.devtroncd.svc.cluster.local/export\" ]", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;37m\"/usr/bin/docker-entrypoint.sh minio -S /etc/minio/certs/ server http://devtron-minio-{0...3}.devtron-minio-svc.devtroncd.svc.cluster.local/export\"\u001b[0m ]", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 288, - "Content": " volumeMounts:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvolumeMounts\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 289, - "Content": " - name: export", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: export", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 290, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV014", - "AVDID": "AVD-KSV-0014", - "Title": "Root file system is not read-only", - "Description": "An immutable root file system prevents applications from writing to their local disk. 
This can limit intrusions, as attackers will not be able to tamper with the file system or write foreign executables to disk.", - "Message": "Container 'minio-mc' of Job 'devtron-minio-make-bucket-job' should set 'securityContext.readOnlyRootFilesystem' to true", - "Namespace": "builtin.kubernetes.KSV014", - "Query": "data.builtin.kubernetes.KSV014.deny", - "Resolution": "Change 'containers[].securityContext.readOnlyRootFilesystem' to 'true'.", - "Severity": "HIGH", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv014", - "References": [ - "https://kubesec.io/basics/containers-securitycontext-readonlyrootfilesystem-true/", - "https://avd.aquasec.com/misconfig/ksv014" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 350, - "EndLine": 362, - "Code": { - "Lines": [ - { - "Number": 350, - "Content": " - name: minio-mc", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: minio-mc", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 351, - "Content": " image: \"quay.io/devtron/minio-mc:RELEASE.2021-02-14T04-28-06Z\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/minio-mc:RELEASE.2021-02-14T04-28-06Z\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 352, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 353, - "Content": " command: [\"/bin/sh\", \"/config/initialize\"]", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mcommand\u001b[0m: [\u001b[38;5;37m\"/bin/sh\"\u001b[0m, \u001b[38;5;37m\"/config/initialize\"\u001b[0m]", - "FirstCause": false, - 
"LastCause": false - }, - { - "Number": 354, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 355, - "Content": " - name: MINIO_ENDPOINT", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: MINIO_ENDPOINT", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 356, - "Content": " value: devtron-minio", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: devtron-minio", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 357, - "Content": " - name: MINIO_PORT", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: MINIO_PORT", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 358, - "Content": " value: \"9000\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: \u001b[38;5;37m\"9000\"", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 359, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV015", - "AVDID": "AVD-KSV-0015", - "Title": "CPU requests not specified", - "Description": "When containers have resource requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", - "Message": "Container 'minio' of StatefulSet 'devtron-minio' should set 'resources.requests.cpu'", - "Namespace": "builtin.kubernetes.KSV015", - "Query": "data.builtin.kubernetes.KSV015.deny", - "Resolution": "Set 'containers[].resources.requests.cpu'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv015", - 
"References": [ - "https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", - "https://avd.aquasec.com/misconfig/ksv015" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 281, - "EndLine": 305, - "Code": { - "Lines": [ - { - "Number": 281, - "Content": " - name: minio", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: minio", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 282, - "Content": " image: \"quay.io/devtron/minio:RELEASE.2021-02-14T04-01-33Z\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/minio:RELEASE.2021-02-14T04-01-33Z\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 283, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 284, - "Content": "", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "FirstCause": false, - "LastCause": false - }, - { - "Number": 285, - "Content": " command: [ \"/bin/sh\",", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mcommand\u001b[0m: [ \u001b[38;5;37m\"/bin/sh\"\u001b[0m,", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 286, - "Content": " \"-ce\",", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;37m\"-ce\"\u001b[0m,", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 287, - "Content": " \"/usr/bin/docker-entrypoint.sh minio -S /etc/minio/certs/ server http://devtron-minio-{0...3}.devtron-minio-svc.devtroncd.svc.cluster.local/export\" ]", - "IsCause": 
true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;37m\"/usr/bin/docker-entrypoint.sh minio -S /etc/minio/certs/ server http://devtron-minio-{0...3}.devtron-minio-svc.devtroncd.svc.cluster.local/export\"\u001b[0m ]", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 288, - "Content": " volumeMounts:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvolumeMounts\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 289, - "Content": " - name: export", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: export", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 290, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV015", - "AVDID": "AVD-KSV-0015", - "Title": "CPU requests not specified", - "Description": "When containers have resource requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", - "Message": "Container 'minio-mc' of Job 'devtron-minio-make-bucket-job' should set 'resources.requests.cpu'", - "Namespace": "builtin.kubernetes.KSV015", - "Query": "data.builtin.kubernetes.KSV015.deny", - "Resolution": "Set 'containers[].resources.requests.cpu'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv015", - "References": [ - "https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", - "https://avd.aquasec.com/misconfig/ksv015" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 350, - "EndLine": 362, - "Code": { - "Lines": [ - { - "Number": 350, - "Content": " - name: minio-mc", - "IsCause": 
true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: minio-mc", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 351, - "Content": " image: \"quay.io/devtron/minio-mc:RELEASE.2021-02-14T04-28-06Z\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/minio-mc:RELEASE.2021-02-14T04-28-06Z\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 352, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 353, - "Content": " command: [\"/bin/sh\", \"/config/initialize\"]", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mcommand\u001b[0m: [\u001b[38;5;37m\"/bin/sh\"\u001b[0m, \u001b[38;5;37m\"/config/initialize\"\u001b[0m]", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 354, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 355, - "Content": " - name: MINIO_ENDPOINT", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: MINIO_ENDPOINT", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 356, - "Content": " value: devtron-minio", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: devtron-minio", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 357, - "Content": " - name: MINIO_PORT", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: MINIO_PORT", - "FirstCause": false, - "LastCause": false - 
}, - { - "Number": 358, - "Content": " value: \"9000\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: \u001b[38;5;37m\"9000\"", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 359, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV016", - "AVDID": "AVD-KSV-0016", - "Title": "Memory requests not specified", - "Description": "When containers have memory requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", - "Message": "Container 'minio' of StatefulSet 'devtron-minio' should set 'resources.requests.memory'", - "Namespace": "builtin.kubernetes.KSV016", - "Query": "data.builtin.kubernetes.KSV016.deny", - "Resolution": "Set 'containers[].resources.requests.memory'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv016", - "References": [ - "https://kubesec.io/basics/containers-resources-limits-memory/", - "https://avd.aquasec.com/misconfig/ksv016" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 281, - "EndLine": 305, - "Code": { - "Lines": [ - { - "Number": 281, - "Content": " - name: minio", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: minio", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 282, - "Content": " image: \"quay.io/devtron/minio:RELEASE.2021-02-14T04-01-33Z\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/minio:RELEASE.2021-02-14T04-01-33Z\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 283, - "Content": " imagePullPolicy: IfNotPresent", - 
"IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 284, - "Content": "", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "FirstCause": false, - "LastCause": false - }, - { - "Number": 285, - "Content": " command: [ \"/bin/sh\",", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mcommand\u001b[0m: [ \u001b[38;5;37m\"/bin/sh\"\u001b[0m,", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 286, - "Content": " \"-ce\",", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;37m\"-ce\"\u001b[0m,", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 287, - "Content": " \"/usr/bin/docker-entrypoint.sh minio -S /etc/minio/certs/ server http://devtron-minio-{0...3}.devtron-minio-svc.devtroncd.svc.cluster.local/export\" ]", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;37m\"/usr/bin/docker-entrypoint.sh minio -S /etc/minio/certs/ server http://devtron-minio-{0...3}.devtron-minio-svc.devtroncd.svc.cluster.local/export\"\u001b[0m ]", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 288, - "Content": " volumeMounts:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvolumeMounts\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 289, - "Content": " - name: export", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: export", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 290, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV016", - "AVDID": 
"AVD-KSV-0016", - "Title": "Memory requests not specified", - "Description": "When containers have memory requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", - "Message": "Container 'minio-mc' of Job 'devtron-minio-make-bucket-job' should set 'resources.requests.memory'", - "Namespace": "builtin.kubernetes.KSV016", - "Query": "data.builtin.kubernetes.KSV016.deny", - "Resolution": "Set 'containers[].resources.requests.memory'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv016", - "References": [ - "https://kubesec.io/basics/containers-resources-limits-memory/", - "https://avd.aquasec.com/misconfig/ksv016" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 350, - "EndLine": 362, - "Code": { - "Lines": [ - { - "Number": 350, - "Content": " - name: minio-mc", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: minio-mc", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 351, - "Content": " image: \"quay.io/devtron/minio-mc:RELEASE.2021-02-14T04-28-06Z\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/minio-mc:RELEASE.2021-02-14T04-28-06Z\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 352, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 353, - "Content": " command: [\"/bin/sh\", \"/config/initialize\"]", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mcommand\u001b[0m: [\u001b[38;5;37m\"/bin/sh\"\u001b[0m, 
\u001b[38;5;37m\"/config/initialize\"\u001b[0m]", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 354, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 355, - "Content": " - name: MINIO_ENDPOINT", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: MINIO_ENDPOINT", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 356, - "Content": " value: devtron-minio", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: devtron-minio", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 357, - "Content": " - name: MINIO_PORT", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: MINIO_PORT", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 358, - "Content": " value: \"9000\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: \u001b[38;5;37m\"9000\"", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 359, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV018", - "AVDID": "AVD-KSV-0018", - "Title": "Memory not limited", - "Description": "Enforcing memory limits prevents DoS via resource exhaustion.", - "Message": "Container 'minio' of StatefulSet 'devtron-minio' should set 'resources.limits.memory'", - "Namespace": "builtin.kubernetes.KSV018", - "Query": "data.builtin.kubernetes.KSV018.deny", - "Resolution": "Set a limit value under 'containers[].resources.limits.memory'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv018", - "References": [ - 
"https://kubesec.io/basics/containers-resources-limits-memory/", - "https://avd.aquasec.com/misconfig/ksv018" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 281, - "EndLine": 305, - "Code": { - "Lines": [ - { - "Number": 281, - "Content": " - name: minio", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: minio", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 282, - "Content": " image: \"quay.io/devtron/minio:RELEASE.2021-02-14T04-01-33Z\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/minio:RELEASE.2021-02-14T04-01-33Z\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 283, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 284, - "Content": "", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "FirstCause": false, - "LastCause": false - }, - { - "Number": 285, - "Content": " command: [ \"/bin/sh\",", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mcommand\u001b[0m: [ \u001b[38;5;37m\"/bin/sh\"\u001b[0m,", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 286, - "Content": " \"-ce\",", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;37m\"-ce\"\u001b[0m,", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 287, - "Content": " \"/usr/bin/docker-entrypoint.sh minio -S /etc/minio/certs/ server http://devtron-minio-{0...3}.devtron-minio-svc.devtroncd.svc.cluster.local/export\" ]", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " 
\u001b[38;5;37m\"/usr/bin/docker-entrypoint.sh minio -S /etc/minio/certs/ server http://devtron-minio-{0...3}.devtron-minio-svc.devtroncd.svc.cluster.local/export\"\u001b[0m ]", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 288, - "Content": " volumeMounts:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvolumeMounts\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 289, - "Content": " - name: export", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: export", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 290, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV018", - "AVDID": "AVD-KSV-0018", - "Title": "Memory not limited", - "Description": "Enforcing memory limits prevents DoS via resource exhaustion.", - "Message": "Container 'minio-mc' of Job 'devtron-minio-make-bucket-job' should set 'resources.limits.memory'", - "Namespace": "builtin.kubernetes.KSV018", - "Query": "data.builtin.kubernetes.KSV018.deny", - "Resolution": "Set a limit value under 'containers[].resources.limits.memory'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv018", - "References": [ - "https://kubesec.io/basics/containers-resources-limits-memory/", - "https://avd.aquasec.com/misconfig/ksv018" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 350, - "EndLine": 362, - "Code": { - "Lines": [ - { - "Number": 350, - "Content": " - name: minio-mc", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: minio-mc", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 351, - "Content": " image: 
\"quay.io/devtron/minio-mc:RELEASE.2021-02-14T04-28-06Z\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/minio-mc:RELEASE.2021-02-14T04-28-06Z\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 352, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 353, - "Content": " command: [\"/bin/sh\", \"/config/initialize\"]", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mcommand\u001b[0m: [\u001b[38;5;37m\"/bin/sh\"\u001b[0m, \u001b[38;5;37m\"/config/initialize\"\u001b[0m]", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 354, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 355, - "Content": " - name: MINIO_ENDPOINT", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: MINIO_ENDPOINT", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 356, - "Content": " value: devtron-minio", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: devtron-minio", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 357, - "Content": " - name: MINIO_PORT", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: MINIO_PORT", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 358, - "Content": " value: \"9000\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: \u001b[38;5;37m\"9000\"", - 
"FirstCause": false, - "LastCause": true - }, - { - "Number": 359, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV020", - "AVDID": "AVD-KSV-0020", - "Title": "Runs with UID \u003c= 10000", - "Description": "Force the container to run with user ID \u003e 10000 to avoid conflicts with the host’s user table.", - "Message": "Container 'minio' of StatefulSet 'devtron-minio' should set 'securityContext.runAsUser' \u003e 10000", - "Namespace": "builtin.kubernetes.KSV020", - "Query": "data.builtin.kubernetes.KSV020.deny", - "Resolution": "Set 'containers[].securityContext.runAsUser' to an integer \u003e 10000.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv020", - "References": [ - "https://kubesec.io/basics/containers-securitycontext-runasuser/", - "https://avd.aquasec.com/misconfig/ksv020" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 281, - "EndLine": 305, - "Code": { - "Lines": [ - { - "Number": 281, - "Content": " - name: minio", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: minio", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 282, - "Content": " image: \"quay.io/devtron/minio:RELEASE.2021-02-14T04-01-33Z\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/minio:RELEASE.2021-02-14T04-01-33Z\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 283, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 284, - "Content": 
"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "FirstCause": false, - "LastCause": false - }, - { - "Number": 285, - "Content": " command: [ \"/bin/sh\",", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mcommand\u001b[0m: [ \u001b[38;5;37m\"/bin/sh\"\u001b[0m,", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 286, - "Content": " \"-ce\",", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;37m\"-ce\"\u001b[0m,", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 287, - "Content": " \"/usr/bin/docker-entrypoint.sh minio -S /etc/minio/certs/ server http://devtron-minio-{0...3}.devtron-minio-svc.devtroncd.svc.cluster.local/export\" ]", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;37m\"/usr/bin/docker-entrypoint.sh minio -S /etc/minio/certs/ server http://devtron-minio-{0...3}.devtron-minio-svc.devtroncd.svc.cluster.local/export\"\u001b[0m ]", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 288, - "Content": " volumeMounts:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvolumeMounts\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 289, - "Content": " - name: export", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: export", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 290, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV020", - "AVDID": "AVD-KSV-0020", - "Title": "Runs with UID \u003c= 10000", - "Description": "Force the container to run with user ID \u003e 10000 to avoid conflicts with the host’s user table.", - "Message": "Container 'minio-mc' of Job 
'devtron-minio-make-bucket-job' should set 'securityContext.runAsUser' \u003e 10000", - "Namespace": "builtin.kubernetes.KSV020", - "Query": "data.builtin.kubernetes.KSV020.deny", - "Resolution": "Set 'containers[].securityContext.runAsUser' to an integer \u003e 10000.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv020", - "References": [ - "https://kubesec.io/basics/containers-securitycontext-runasuser/", - "https://avd.aquasec.com/misconfig/ksv020" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 350, - "EndLine": 362, - "Code": { - "Lines": [ - { - "Number": 350, - "Content": " - name: minio-mc", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: minio-mc", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 351, - "Content": " image: \"quay.io/devtron/minio-mc:RELEASE.2021-02-14T04-28-06Z\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/minio-mc:RELEASE.2021-02-14T04-28-06Z\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 352, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 353, - "Content": " command: [\"/bin/sh\", \"/config/initialize\"]", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mcommand\u001b[0m: [\u001b[38;5;37m\"/bin/sh\"\u001b[0m, \u001b[38;5;37m\"/config/initialize\"\u001b[0m]", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 354, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, 
- "LastCause": false - }, - { - "Number": 355, - "Content": " - name: MINIO_ENDPOINT", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: MINIO_ENDPOINT", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 356, - "Content": " value: devtron-minio", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: devtron-minio", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 357, - "Content": " - name: MINIO_PORT", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: MINIO_PORT", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 358, - "Content": " value: \"9000\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: \u001b[38;5;37m\"9000\"", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 359, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV021", - "AVDID": "AVD-KSV-0021", - "Title": "Runs with GID \u003c= 10000", - "Description": "Force the container to run with group ID \u003e 10000 to avoid conflicts with the host’s user table.", - "Message": "Container 'minio' of StatefulSet 'devtron-minio' should set 'securityContext.runAsGroup' \u003e 10000", - "Namespace": "builtin.kubernetes.KSV021", - "Query": "data.builtin.kubernetes.KSV021.deny", - "Resolution": "Set 'containers[].securityContext.runAsGroup' to an integer \u003e 10000.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv021", - "References": [ - "https://kubesec.io/basics/containers-securitycontext-runasuser/", - "https://avd.aquasec.com/misconfig/ksv021" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - 
"Service": "general", - "StartLine": 281, - "EndLine": 305, - "Code": { - "Lines": [ - { - "Number": 281, - "Content": " - name: minio", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: minio", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 282, - "Content": " image: \"quay.io/devtron/minio:RELEASE.2021-02-14T04-01-33Z\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/minio:RELEASE.2021-02-14T04-01-33Z\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 283, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 284, - "Content": "", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "FirstCause": false, - "LastCause": false - }, - { - "Number": 285, - "Content": " command: [ \"/bin/sh\",", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mcommand\u001b[0m: [ \u001b[38;5;37m\"/bin/sh\"\u001b[0m,", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 286, - "Content": " \"-ce\",", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;37m\"-ce\"\u001b[0m,", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 287, - "Content": " \"/usr/bin/docker-entrypoint.sh minio -S /etc/minio/certs/ server http://devtron-minio-{0...3}.devtron-minio-svc.devtroncd.svc.cluster.local/export\" ]", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;37m\"/usr/bin/docker-entrypoint.sh minio -S /etc/minio/certs/ server http://devtron-minio-{0...3}.devtron-minio-svc.devtroncd.svc.cluster.local/export\"\u001b[0m ]", - "FirstCause": false, - 
"LastCause": false - }, - { - "Number": 288, - "Content": " volumeMounts:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvolumeMounts\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 289, - "Content": " - name: export", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: export", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 290, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV021", - "AVDID": "AVD-KSV-0021", - "Title": "Runs with GID \u003c= 10000", - "Description": "Force the container to run with group ID \u003e 10000 to avoid conflicts with the host’s user table.", - "Message": "Container 'minio-mc' of Job 'devtron-minio-make-bucket-job' should set 'securityContext.runAsGroup' \u003e 10000", - "Namespace": "builtin.kubernetes.KSV021", - "Query": "data.builtin.kubernetes.KSV021.deny", - "Resolution": "Set 'containers[].securityContext.runAsGroup' to an integer \u003e 10000.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv021", - "References": [ - "https://kubesec.io/basics/containers-securitycontext-runasuser/", - "https://avd.aquasec.com/misconfig/ksv021" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 350, - "EndLine": 362, - "Code": { - "Lines": [ - { - "Number": 350, - "Content": " - name: minio-mc", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: minio-mc", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 351, - "Content": " image: \"quay.io/devtron/minio-mc:RELEASE.2021-02-14T04-28-06Z\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " 
\u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/minio-mc:RELEASE.2021-02-14T04-28-06Z\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 352, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 353, - "Content": " command: [\"/bin/sh\", \"/config/initialize\"]", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mcommand\u001b[0m: [\u001b[38;5;37m\"/bin/sh\"\u001b[0m, \u001b[38;5;37m\"/config/initialize\"\u001b[0m]", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 354, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 355, - "Content": " - name: MINIO_ENDPOINT", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: MINIO_ENDPOINT", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 356, - "Content": " value: devtron-minio", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: devtron-minio", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 357, - "Content": " - name: MINIO_PORT", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: MINIO_PORT", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 358, - "Content": " value: \"9000\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: \u001b[38;5;37m\"9000\"", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 359, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - 
"FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV030", - "AVDID": "AVD-KSV-0030", - "Title": "Runtime/Default Seccomp profile not set", - "Description": "According to pod security standard 'Seccomp', the RuntimeDefault seccomp profile must be required, or allow specific additional profiles.", - "Message": "Either Pod or Container should set 'securityContext.seccompProfile.type' to 'RuntimeDefault'", - "Namespace": "builtin.kubernetes.KSV030", - "Query": "data.builtin.kubernetes.KSV030.deny", - "Resolution": "Set 'spec.securityContext.seccompProfile.type', 'spec.containers[*].securityContext.seccompProfile' and 'spec.initContainers[*].securityContext.seccompProfile' to 'RuntimeDefault' or undefined.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv030", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", - "https://avd.aquasec.com/misconfig/ksv030" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 281, - "EndLine": 305, - "Code": { - "Lines": [ - { - "Number": 281, - "Content": " - name: minio", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: minio", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 282, - "Content": " image: \"quay.io/devtron/minio:RELEASE.2021-02-14T04-01-33Z\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/minio:RELEASE.2021-02-14T04-01-33Z\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 283, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - 
{ - "Number": 284, - "Content": "", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "FirstCause": false, - "LastCause": false - }, - { - "Number": 285, - "Content": " command: [ \"/bin/sh\",", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mcommand\u001b[0m: [ \u001b[38;5;37m\"/bin/sh\"\u001b[0m,", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 286, - "Content": " \"-ce\",", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;37m\"-ce\"\u001b[0m,", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 287, - "Content": " \"/usr/bin/docker-entrypoint.sh minio -S /etc/minio/certs/ server http://devtron-minio-{0...3}.devtron-minio-svc.devtroncd.svc.cluster.local/export\" ]", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;37m\"/usr/bin/docker-entrypoint.sh minio -S /etc/minio/certs/ server http://devtron-minio-{0...3}.devtron-minio-svc.devtroncd.svc.cluster.local/export\"\u001b[0m ]", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 288, - "Content": " volumeMounts:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvolumeMounts\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 289, - "Content": " - name: export", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: export", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 290, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV030", - "AVDID": "AVD-KSV-0030", - "Title": "Runtime/Default Seccomp profile not set", - "Description": "According to pod security standard 'Seccomp', the RuntimeDefault seccomp profile must be required, or allow 
specific additional profiles.", - "Message": "Either Pod or Container should set 'securityContext.seccompProfile.type' to 'RuntimeDefault'", - "Namespace": "builtin.kubernetes.KSV030", - "Query": "data.builtin.kubernetes.KSV030.deny", - "Resolution": "Set 'spec.securityContext.seccompProfile.type', 'spec.containers[*].securityContext.seccompProfile' and 'spec.initContainers[*].securityContext.seccompProfile' to 'RuntimeDefault' or undefined.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv030", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", - "https://avd.aquasec.com/misconfig/ksv030" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 350, - "EndLine": 362, - "Code": { - "Lines": [ - { - "Number": 350, - "Content": " - name: minio-mc", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: minio-mc", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 351, - "Content": " image: \"quay.io/devtron/minio-mc:RELEASE.2021-02-14T04-28-06Z\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/minio-mc:RELEASE.2021-02-14T04-28-06Z\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 352, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 353, - "Content": " command: [\"/bin/sh\", \"/config/initialize\"]", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mcommand\u001b[0m: [\u001b[38;5;37m\"/bin/sh\"\u001b[0m, \u001b[38;5;37m\"/config/initialize\"\u001b[0m]", - "FirstCause": false, - 
"LastCause": false - }, - { - "Number": 354, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 355, - "Content": " - name: MINIO_ENDPOINT", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: MINIO_ENDPOINT", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 356, - "Content": " value: devtron-minio", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: devtron-minio", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 357, - "Content": " - name: MINIO_PORT", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: MINIO_PORT", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 358, - "Content": " value: \"9000\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: \u001b[38;5;37m\"9000\"", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 359, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV104", - "AVDID": "AVD-KSV-0104", - "Title": "Seccomp policies disabled", - "Description": "A program inside the container can bypass Seccomp protection policies.", - "Message": "container \"minio\" of statefulset \"devtron-minio\" in \"default\" namespace should specify a seccomp profile", - "Namespace": "builtin.kubernetes.KSV104", - "Query": "data.builtin.kubernetes.KSV104.deny", - "Resolution": "Specify seccomp either by annotation or by seccomp profile type having allowed values as per pod security standards", - "Severity": "MEDIUM", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv104", - 
"References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline", - "https://avd.aquasec.com/misconfig/ksv104" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 244, - "EndLine": 244, - "Code": { - "Lines": [ - { - "Number": 244, - "Content": "---", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "---", - "FirstCause": true, - "LastCause": true - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV104", - "AVDID": "AVD-KSV-0104", - "Title": "Seccomp policies disabled", - "Description": "A program inside the container can bypass Seccomp protection policies.", - "Message": "container \"minio-mc\" of job \"devtron-minio-make-bucket-job\" in \"default\" namespace should specify a seccomp profile", - "Namespace": "builtin.kubernetes.KSV104", - "Query": "data.builtin.kubernetes.KSV104.deny", - "Resolution": "Specify seccomp either by annotation or by seccomp profile type having allowed values as per pod security standards", - "Severity": "MEDIUM", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv104", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline", - "https://avd.aquasec.com/misconfig/ksv104" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 318, - "EndLine": 318, - "Code": { - "Lines": [ - { - "Number": 318, - "Content": "---", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "---", - "FirstCause": true, - "LastCause": true - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV106", - "AVDID": "AVD-KSV-0106", - "Title": "Container capabilities must only include NET_BIND_SERVICE", - "Description": "Containers must drop ALL capabilities, and are only permitted to add back the NET_BIND_SERVICE capability.", - "Message": 
"container should drop all", - "Namespace": "builtin.kubernetes.KSV106", - "Query": "data.builtin.kubernetes.KSV106.deny", - "Resolution": "Set 'spec.containers[*].securityContext.capabilities.drop' to 'ALL' and only add 'NET_BIND_SERVICE' to 'spec.containers[*].securityContext.capabilities.add'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv106", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", - "https://avd.aquasec.com/misconfig/ksv106" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 281, - "EndLine": 305, - "Code": { - "Lines": [ - { - "Number": 281, - "Content": " - name: minio", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: minio", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 282, - "Content": " image: \"quay.io/devtron/minio:RELEASE.2021-02-14T04-01-33Z\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/minio:RELEASE.2021-02-14T04-01-33Z\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 283, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 284, - "Content": "", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "FirstCause": false, - "LastCause": false - }, - { - "Number": 285, - "Content": " command: [ \"/bin/sh\",", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mcommand\u001b[0m: [ \u001b[38;5;37m\"/bin/sh\"\u001b[0m,", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 286, - "Content": " \"-ce\",", - "IsCause": true, - 
"Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;37m\"-ce\"\u001b[0m,", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 287, - "Content": " \"/usr/bin/docker-entrypoint.sh minio -S /etc/minio/certs/ server http://devtron-minio-{0...3}.devtron-minio-svc.devtroncd.svc.cluster.local/export\" ]", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;37m\"/usr/bin/docker-entrypoint.sh minio -S /etc/minio/certs/ server http://devtron-minio-{0...3}.devtron-minio-svc.devtroncd.svc.cluster.local/export\"\u001b[0m ]", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 288, - "Content": " volumeMounts:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvolumeMounts\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 289, - "Content": " - name: export", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: export", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 290, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV106", - "AVDID": "AVD-KSV-0106", - "Title": "Container capabilities must only include NET_BIND_SERVICE", - "Description": "Containers must drop ALL capabilities, and are only permitted to add back the NET_BIND_SERVICE capability.", - "Message": "container should drop all", - "Namespace": "builtin.kubernetes.KSV106", - "Query": "data.builtin.kubernetes.KSV106.deny", - "Resolution": "Set 'spec.containers[*].securityContext.capabilities.drop' to 'ALL' and only add 'NET_BIND_SERVICE' to 'spec.containers[*].securityContext.capabilities.add'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv106", - "References": [ - 
"https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", - "https://avd.aquasec.com/misconfig/ksv106" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 350, - "EndLine": 362, - "Code": { - "Lines": [ - { - "Number": 350, - "Content": " - name: minio-mc", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: minio-mc", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 351, - "Content": " image: \"quay.io/devtron/minio-mc:RELEASE.2021-02-14T04-28-06Z\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/minio-mc:RELEASE.2021-02-14T04-28-06Z\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 352, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 353, - "Content": " command: [\"/bin/sh\", \"/config/initialize\"]", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mcommand\u001b[0m: [\u001b[38;5;37m\"/bin/sh\"\u001b[0m, \u001b[38;5;37m\"/config/initialize\"\u001b[0m]", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 354, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 355, - "Content": " - name: MINIO_ENDPOINT", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: MINIO_ENDPOINT", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 356, - "Content": " value: devtron-minio", - "IsCause": true, - 
"Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: devtron-minio", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 357, - "Content": " - name: MINIO_PORT", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: MINIO_PORT", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 358, - "Content": " value: \"9000\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: \u001b[38;5;37m\"9000\"", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 359, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "AVD-KSV-0109", - "AVDID": "AVD-KSV-0109", - "Title": "ConfigMap with secrets", - "Description": "Storing secrets in configMaps is unsafe", - "Message": "ConfigMap 'devtron-minio' in 'default' namespace stores secrets in key(s) or value(s) '{\" ACCESS\"}'", - "Namespace": "builtin.kubernetes.KSV0109", - "Query": "data.builtin.kubernetes.KSV0109.deny", - "Resolution": "Remove password/secret from configMap data value", - "Severity": "HIGH", - "PrimaryURL": "https://avd.aquasec.com/misconfig/avd-ksv-0109", - "References": [ - "https://avd.aquasec.com/misconfig/avd-ksv-0109" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 38, - "EndLine": 38, - "Code": { - "Lines": [ - { - "Number": 38, - "Content": "---", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m---", - "FirstCause": true, - "LastCause": true - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV113", - "AVDID": "AVD-KSV-0113", - "Title": "Manage namespace secrets", - "Description": "Viewing secrets at the namespace scope can lead to escalation if 
another service account in that namespace has a higher privileged rolebinding or clusterrolebinding bound.", - "Message": "Role 'devtron-minio-update-prometheus-secret' shouldn't have access to manage secrets in namespace 'default'", - "Namespace": "builtin.kubernetes.KSV113", - "Query": "data.builtin.kubernetes.KSV113.deny", - "Resolution": "Manage namespace secrets are not allowed. Remove resource 'secrets' from role", - "Severity": "MEDIUM", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv113", - "References": [ - "https://kubernetes.io/docs/concepts/security/rbac-good-practices/", - "https://avd.aquasec.com/misconfig/ksv113" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 158, - "EndLine": 168, - "Code": { - "Lines": [ - { - "Number": 158, - "Content": " - apiGroups:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mapiGroups\u001b[0m:", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 159, - "Content": " - \"\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;37m\"\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 160, - "Content": " resources:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mresources\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 161, - "Content": " - secrets", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - secrets", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 162, - "Content": " verbs:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mverbs\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 163, - "Content": " - get", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - get", - 
"FirstCause": false, - "LastCause": false - }, - { - "Number": 164, - "Content": " - create", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - create", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 165, - "Content": " - update", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - update", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 166, - "Content": " - patch", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - patch", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 167, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV113", - "AVDID": "AVD-KSV-0113", - "Title": "Manage namespace secrets", - "Description": "Viewing secrets at the namespace scope can lead to escalation if another service account in that namespace has a higher privileged rolebinding or clusterrolebinding bound.", - "Message": "Role 'devtron-minio-update-prometheus-secret' shouldn't have access to manage secrets in namespace 'default'", - "Namespace": "builtin.kubernetes.KSV113", - "Query": "data.builtin.kubernetes.KSV113.deny", - "Resolution": "Manage namespace secrets are not allowed. 
Remove resource 'secrets' from role", - "Severity": "MEDIUM", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv113", - "References": [ - "https://kubernetes.io/docs/concepts/security/rbac-good-practices/", - "https://avd.aquasec.com/misconfig/ksv113" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 169, - "EndLine": 174, - "Code": { - "Lines": [ - { - "Number": 169, - "Content": " - apiGroups:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mapiGroups\u001b[0m:", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 170, - "Content": " - \"\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;37m\"\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 171, - "Content": " resources:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mresources\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 172, - "Content": " - secrets", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - secrets", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 173, - "Content": " verbs:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mverbs\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 174, - "Content": " - create", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - create", - "FirstCause": false, - "LastCause": true - } - ] - } - } - } - ] - }, - { - "Target": "manifests/yamls/minio.yaml", - "Class": "config", - "Type": "kubernetes", - "MisconfSummary": { - "Successes": 153, - "Failures": 16, - "Exceptions": 0 - }, - "Misconfigurations": [ - { - "Type": "Kubernetes Security Check", - "ID": "KSV001", - "AVDID": "AVD-KSV-0001", - "Title": "Can elevate its own 
privileges", - "Description": "A program inside the container can elevate its own privileges and run as root, which might give the program control over the container and node.", - "Message": "Container 'minio' of Deployment 'devtron-minio' should set 'securityContext.allowPrivilegeEscalation' to false", - "Namespace": "builtin.kubernetes.KSV001", - "Query": "data.builtin.kubernetes.KSV001.deny", - "Resolution": "Set 'set containers[].securityContext.allowPrivilegeEscalation' to 'false'.", - "Severity": "MEDIUM", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv001", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", - "https://avd.aquasec.com/misconfig/ksv001" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 254, - "EndLine": 275, - "Code": { - "Lines": [ - { - "Number": 254, - "Content": " - name: minio", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: minio", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 255, - "Content": " image: \"quay.io/devtron/minio:RELEASE.2020-12-03T05-49-24Z\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/minio:RELEASE.2020-12-03T05-49-24Z\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 256, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 257, - "Content": " command:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mcommand\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 258, - "Content": " - \"/bin/sh\"", - "IsCause": true, - 
"Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;37m\"/bin/sh\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 259, - "Content": " - \"-ce\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m - \u001b[38;5;37m\"-ce\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 260, - "Content": " - \"/usr/bin/docker-entrypoint.sh minio -S /etc/minio/certs/ gateway azure\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m - \u001b[38;5;37m\"/usr/bin/docker-entrypoint.sh minio -S /etc/minio/certs/ gateway azure\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 261, - "Content": " volumeMounts: ", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mvolumeMounts\u001b[0m: ", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 262, - "Content": " ports:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mports\u001b[0m:", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 263, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV003", - "AVDID": "AVD-KSV-0003", - "Title": "Default capabilities: some containers do not drop all", - "Description": "The container should drop all default capabilities and add only those that are needed for its execution.", - "Message": "Container 'minio' of Deployment 'devtron-minio' should add 'ALL' to 'securityContext.capabilities.drop'", - "Namespace": "builtin.kubernetes.KSV003", - "Query": "data.builtin.kubernetes.KSV003.deny", - "Resolution": "Add 'ALL' to containers[].securityContext.capabilities.drop.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv003", - "References": [ - 
"https://kubesec.io/basics/containers-securitycontext-capabilities-drop-index-all/", - "https://avd.aquasec.com/misconfig/ksv003" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 254, - "EndLine": 275, - "Code": { - "Lines": [ - { - "Number": 254, - "Content": " - name: minio", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: minio", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 255, - "Content": " image: \"quay.io/devtron/minio:RELEASE.2020-12-03T05-49-24Z\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/minio:RELEASE.2020-12-03T05-49-24Z\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 256, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 257, - "Content": " command:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mcommand\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 258, - "Content": " - \"/bin/sh\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;37m\"/bin/sh\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 259, - "Content": " - \"-ce\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m - \u001b[38;5;37m\"-ce\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 260, - "Content": " - \"/usr/bin/docker-entrypoint.sh minio -S /etc/minio/certs/ gateway azure\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m - 
\u001b[38;5;37m\"/usr/bin/docker-entrypoint.sh minio -S /etc/minio/certs/ gateway azure\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 261, - "Content": " volumeMounts: ", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mvolumeMounts\u001b[0m: ", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 262, - "Content": " ports:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mports\u001b[0m:", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 263, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV011", - "AVDID": "AVD-KSV-0011", - "Title": "CPU not limited", - "Description": "Enforcing CPU limits prevents DoS via resource exhaustion.", - "Message": "Container 'minio' of Deployment 'devtron-minio' should set 'resources.limits.cpu'", - "Namespace": "builtin.kubernetes.KSV011", - "Query": "data.builtin.kubernetes.KSV011.deny", - "Resolution": "Set a limit value under 'containers[].resources.limits.cpu'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv011", - "References": [ - "https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", - "https://avd.aquasec.com/misconfig/ksv011" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 254, - "EndLine": 275, - "Code": { - "Lines": [ - { - "Number": 254, - "Content": " - name: minio", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: minio", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 255, - "Content": " image: \"quay.io/devtron/minio:RELEASE.2020-12-03T05-49-24Z\"", - "IsCause": true, - 
"Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/minio:RELEASE.2020-12-03T05-49-24Z\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 256, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 257, - "Content": " command:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mcommand\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 258, - "Content": " - \"/bin/sh\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;37m\"/bin/sh\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 259, - "Content": " - \"-ce\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m - \u001b[38;5;37m\"-ce\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 260, - "Content": " - \"/usr/bin/docker-entrypoint.sh minio -S /etc/minio/certs/ gateway azure\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m - \u001b[38;5;37m\"/usr/bin/docker-entrypoint.sh minio -S /etc/minio/certs/ gateway azure\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 261, - "Content": " volumeMounts: ", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mvolumeMounts\u001b[0m: ", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 262, - "Content": " ports:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mports\u001b[0m:", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 263, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - 
"FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV012", - "AVDID": "AVD-KSV-0012", - "Title": "Runs as root user", - "Description": "Force the running image to run as a non-root user to ensure least privileges.", - "Message": "Container 'minio' of Deployment 'devtron-minio' should set 'securityContext.runAsNonRoot' to true", - "Namespace": "builtin.kubernetes.KSV012", - "Query": "data.builtin.kubernetes.KSV012.deny", - "Resolution": "Set 'containers[].securityContext.runAsNonRoot' to true.", - "Severity": "MEDIUM", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv012", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", - "https://avd.aquasec.com/misconfig/ksv012" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 254, - "EndLine": 275, - "Code": { - "Lines": [ - { - "Number": 254, - "Content": " - name: minio", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: minio", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 255, - "Content": " image: \"quay.io/devtron/minio:RELEASE.2020-12-03T05-49-24Z\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/minio:RELEASE.2020-12-03T05-49-24Z\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 256, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 257, - "Content": " command:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mcommand\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - 
{ - "Number": 258, - "Content": " - \"/bin/sh\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;37m\"/bin/sh\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 259, - "Content": " - \"-ce\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m - \u001b[38;5;37m\"-ce\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 260, - "Content": " - \"/usr/bin/docker-entrypoint.sh minio -S /etc/minio/certs/ gateway azure\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m - \u001b[38;5;37m\"/usr/bin/docker-entrypoint.sh minio -S /etc/minio/certs/ gateway azure\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 261, - "Content": " volumeMounts: ", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mvolumeMounts\u001b[0m: ", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 262, - "Content": " ports:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mports\u001b[0m:", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 263, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV014", - "AVDID": "AVD-KSV-0014", - "Title": "Root file system is not read-only", - "Description": "An immutable root file system prevents applications from writing to their local disk. 
This can limit intrusions, as attackers will not be able to tamper with the file system or write foreign executables to disk.", - "Message": "Container 'minio' of Deployment 'devtron-minio' should set 'securityContext.readOnlyRootFilesystem' to true", - "Namespace": "builtin.kubernetes.KSV014", - "Query": "data.builtin.kubernetes.KSV014.deny", - "Resolution": "Change 'containers[].securityContext.readOnlyRootFilesystem' to 'true'.", - "Severity": "HIGH", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv014", - "References": [ - "https://kubesec.io/basics/containers-securitycontext-readonlyrootfilesystem-true/", - "https://avd.aquasec.com/misconfig/ksv014" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 254, - "EndLine": 275, - "Code": { - "Lines": [ - { - "Number": 254, - "Content": " - name: minio", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: minio", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 255, - "Content": " image: \"quay.io/devtron/minio:RELEASE.2020-12-03T05-49-24Z\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/minio:RELEASE.2020-12-03T05-49-24Z\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 256, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 257, - "Content": " command:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mcommand\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 258, - "Content": " - \"/bin/sh\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": 
" - \u001b[38;5;37m\"/bin/sh\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 259, - "Content": " - \"-ce\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m - \u001b[38;5;37m\"-ce\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 260, - "Content": " - \"/usr/bin/docker-entrypoint.sh minio -S /etc/minio/certs/ gateway azure\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m - \u001b[38;5;37m\"/usr/bin/docker-entrypoint.sh minio -S /etc/minio/certs/ gateway azure\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 261, - "Content": " volumeMounts: ", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mvolumeMounts\u001b[0m: ", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 262, - "Content": " ports:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mports\u001b[0m:", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 263, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV015", - "AVDID": "AVD-KSV-0015", - "Title": "CPU requests not specified", - "Description": "When containers have resource requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", - "Message": "Container 'minio' of Deployment 'devtron-minio' should set 'resources.requests.cpu'", - "Namespace": "builtin.kubernetes.KSV015", - "Query": "data.builtin.kubernetes.KSV015.deny", - "Resolution": "Set 'containers[].resources.requests.cpu'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv015", - "References": [ - 
"https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", - "https://avd.aquasec.com/misconfig/ksv015" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 254, - "EndLine": 275, - "Code": { - "Lines": [ - { - "Number": 254, - "Content": " - name: minio", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: minio", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 255, - "Content": " image: \"quay.io/devtron/minio:RELEASE.2020-12-03T05-49-24Z\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/minio:RELEASE.2020-12-03T05-49-24Z\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 256, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 257, - "Content": " command:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mcommand\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 258, - "Content": " - \"/bin/sh\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;37m\"/bin/sh\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 259, - "Content": " - \"-ce\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m - \u001b[38;5;37m\"-ce\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 260, - "Content": " - \"/usr/bin/docker-entrypoint.sh minio -S /etc/minio/certs/ gateway azure\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m - 
\u001b[38;5;37m\"/usr/bin/docker-entrypoint.sh minio -S /etc/minio/certs/ gateway azure\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 261, - "Content": " volumeMounts: ", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mvolumeMounts\u001b[0m: ", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 262, - "Content": " ports:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mports\u001b[0m:", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 263, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV016", - "AVDID": "AVD-KSV-0016", - "Title": "Memory requests not specified", - "Description": "When containers have memory requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", - "Message": "Container 'minio' of Deployment 'devtron-minio' should set 'resources.requests.memory'", - "Namespace": "builtin.kubernetes.KSV016", - "Query": "data.builtin.kubernetes.KSV016.deny", - "Resolution": "Set 'containers[].resources.requests.memory'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv016", - "References": [ - "https://kubesec.io/basics/containers-resources-limits-memory/", - "https://avd.aquasec.com/misconfig/ksv016" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 254, - "EndLine": 275, - "Code": { - "Lines": [ - { - "Number": 254, - "Content": " - name: minio", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: minio", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 255, - "Content": " image: 
\"quay.io/devtron/minio:RELEASE.2020-12-03T05-49-24Z\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/minio:RELEASE.2020-12-03T05-49-24Z\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 256, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 257, - "Content": " command:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mcommand\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 258, - "Content": " - \"/bin/sh\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;37m\"/bin/sh\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 259, - "Content": " - \"-ce\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m - \u001b[38;5;37m\"-ce\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 260, - "Content": " - \"/usr/bin/docker-entrypoint.sh minio -S /etc/minio/certs/ gateway azure\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m - \u001b[38;5;37m\"/usr/bin/docker-entrypoint.sh minio -S /etc/minio/certs/ gateway azure\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 261, - "Content": " volumeMounts: ", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mvolumeMounts\u001b[0m: ", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 262, - "Content": " ports:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mports\u001b[0m:", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 263, - 
"Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV018", - "AVDID": "AVD-KSV-0018", - "Title": "Memory not limited", - "Description": "Enforcing memory limits prevents DoS via resource exhaustion.", - "Message": "Container 'minio' of Deployment 'devtron-minio' should set 'resources.limits.memory'", - "Namespace": "builtin.kubernetes.KSV018", - "Query": "data.builtin.kubernetes.KSV018.deny", - "Resolution": "Set a limit value under 'containers[].resources.limits.memory'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv018", - "References": [ - "https://kubesec.io/basics/containers-resources-limits-memory/", - "https://avd.aquasec.com/misconfig/ksv018" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 254, - "EndLine": 275, - "Code": { - "Lines": [ - { - "Number": 254, - "Content": " - name: minio", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: minio", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 255, - "Content": " image: \"quay.io/devtron/minio:RELEASE.2020-12-03T05-49-24Z\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/minio:RELEASE.2020-12-03T05-49-24Z\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 256, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 257, - "Content": " command:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mcommand\u001b[0m:", - 
"FirstCause": false, - "LastCause": false - }, - { - "Number": 258, - "Content": " - \"/bin/sh\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;37m\"/bin/sh\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 259, - "Content": " - \"-ce\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m - \u001b[38;5;37m\"-ce\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 260, - "Content": " - \"/usr/bin/docker-entrypoint.sh minio -S /etc/minio/certs/ gateway azure\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m - \u001b[38;5;37m\"/usr/bin/docker-entrypoint.sh minio -S /etc/minio/certs/ gateway azure\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 261, - "Content": " volumeMounts: ", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mvolumeMounts\u001b[0m: ", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 262, - "Content": " ports:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mports\u001b[0m:", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 263, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV020", - "AVDID": "AVD-KSV-0020", - "Title": "Runs with UID \u003c= 10000", - "Description": "Force the container to run with user ID \u003e 10000 to avoid conflicts with the host’s user table.", - "Message": "Container 'minio' of Deployment 'devtron-minio' should set 'securityContext.runAsUser' \u003e 10000", - "Namespace": "builtin.kubernetes.KSV020", - "Query": "data.builtin.kubernetes.KSV020.deny", - "Resolution": "Set 'containers[].securityContext.runAsUser' to an integer \u003e 10000.", - "Severity": "LOW", - 
"PrimaryURL": "https://avd.aquasec.com/misconfig/ksv020", - "References": [ - "https://kubesec.io/basics/containers-securitycontext-runasuser/", - "https://avd.aquasec.com/misconfig/ksv020" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 254, - "EndLine": 275, - "Code": { - "Lines": [ - { - "Number": 254, - "Content": " - name: minio", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: minio", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 255, - "Content": " image: \"quay.io/devtron/minio:RELEASE.2020-12-03T05-49-24Z\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/minio:RELEASE.2020-12-03T05-49-24Z\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 256, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 257, - "Content": " command:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mcommand\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 258, - "Content": " - \"/bin/sh\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;37m\"/bin/sh\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 259, - "Content": " - \"-ce\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m - \u001b[38;5;37m\"-ce\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 260, - "Content": " - \"/usr/bin/docker-entrypoint.sh minio -S /etc/minio/certs/ gateway azure\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - 
"Highlighted": "\u001b[0m - \u001b[38;5;37m\"/usr/bin/docker-entrypoint.sh minio -S /etc/minio/certs/ gateway azure\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 261, - "Content": " volumeMounts: ", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mvolumeMounts\u001b[0m: ", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 262, - "Content": " ports:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mports\u001b[0m:", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 263, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV021", - "AVDID": "AVD-KSV-0021", - "Title": "Runs with GID \u003c= 10000", - "Description": "Force the container to run with group ID \u003e 10000 to avoid conflicts with the host’s user table.", - "Message": "Container 'minio' of Deployment 'devtron-minio' should set 'securityContext.runAsGroup' \u003e 10000", - "Namespace": "builtin.kubernetes.KSV021", - "Query": "data.builtin.kubernetes.KSV021.deny", - "Resolution": "Set 'containers[].securityContext.runAsGroup' to an integer \u003e 10000.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv021", - "References": [ - "https://kubesec.io/basics/containers-securitycontext-runasuser/", - "https://avd.aquasec.com/misconfig/ksv021" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 254, - "EndLine": 275, - "Code": { - "Lines": [ - { - "Number": 254, - "Content": " - name: minio", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: minio", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 255, - "Content": " image: 
\"quay.io/devtron/minio:RELEASE.2020-12-03T05-49-24Z\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/minio:RELEASE.2020-12-03T05-49-24Z\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 256, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 257, - "Content": " command:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mcommand\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 258, - "Content": " - \"/bin/sh\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;37m\"/bin/sh\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 259, - "Content": " - \"-ce\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m - \u001b[38;5;37m\"-ce\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 260, - "Content": " - \"/usr/bin/docker-entrypoint.sh minio -S /etc/minio/certs/ gateway azure\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m - \u001b[38;5;37m\"/usr/bin/docker-entrypoint.sh minio -S /etc/minio/certs/ gateway azure\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 261, - "Content": " volumeMounts: ", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mvolumeMounts\u001b[0m: ", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 262, - "Content": " ports:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mports\u001b[0m:", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 263, - 
"Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV030", - "AVDID": "AVD-KSV-0030", - "Title": "Runtime/Default Seccomp profile not set", - "Description": "According to pod security standard 'Seccomp', the RuntimeDefault seccomp profile must be required, or allow specific additional profiles.", - "Message": "Either Pod or Container should set 'securityContext.seccompProfile.type' to 'RuntimeDefault'", - "Namespace": "builtin.kubernetes.KSV030", - "Query": "data.builtin.kubernetes.KSV030.deny", - "Resolution": "Set 'spec.securityContext.seccompProfile.type', 'spec.containers[*].securityContext.seccompProfile' and 'spec.initContainers[*].securityContext.seccompProfile' to 'RuntimeDefault' or undefined.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv030", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", - "https://avd.aquasec.com/misconfig/ksv030" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 254, - "EndLine": 275, - "Code": { - "Lines": [ - { - "Number": 254, - "Content": " - name: minio", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: minio", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 255, - "Content": " image: \"quay.io/devtron/minio:RELEASE.2020-12-03T05-49-24Z\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/minio:RELEASE.2020-12-03T05-49-24Z\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 256, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m 
\u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 257, - "Content": " command:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mcommand\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 258, - "Content": " - \"/bin/sh\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;37m\"/bin/sh\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 259, - "Content": " - \"-ce\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m - \u001b[38;5;37m\"-ce\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 260, - "Content": " - \"/usr/bin/docker-entrypoint.sh minio -S /etc/minio/certs/ gateway azure\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m - \u001b[38;5;37m\"/usr/bin/docker-entrypoint.sh minio -S /etc/minio/certs/ gateway azure\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 261, - "Content": " volumeMounts: ", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mvolumeMounts\u001b[0m: ", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 262, - "Content": " ports:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mports\u001b[0m:", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 263, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV104", - "AVDID": "AVD-KSV-0104", - "Title": "Seccomp policies disabled", - "Description": "A program inside the container can bypass Seccomp protection policies.", - "Message": "container \"minio\" of deployment \"devtron-minio\" in \"default\" namespace 
should specify a seccomp profile", - "Namespace": "builtin.kubernetes.KSV104", - "Query": "data.builtin.kubernetes.KSV104.deny", - "Resolution": "Specify seccomp either by annotation or by seccomp profile type having allowed values as per pod security standards", - "Severity": "MEDIUM", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv104", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline", - "https://avd.aquasec.com/misconfig/ksv104" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 220, - "EndLine": 220, - "Code": { - "Lines": [ - { - "Number": 220, - "Content": "---", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "---", - "FirstCause": true, - "LastCause": true - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV106", - "AVDID": "AVD-KSV-0106", - "Title": "Container capabilities must only include NET_BIND_SERVICE", - "Description": "Containers must drop ALL capabilities, and are only permitted to add back the NET_BIND_SERVICE capability.", - "Message": "container should drop all", - "Namespace": "builtin.kubernetes.KSV106", - "Query": "data.builtin.kubernetes.KSV106.deny", - "Resolution": "Set 'spec.containers[*].securityContext.capabilities.drop' to 'ALL' and only add 'NET_BIND_SERVICE' to 'spec.containers[*].securityContext.capabilities.add'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv106", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", - "https://avd.aquasec.com/misconfig/ksv106" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 254, - "EndLine": 275, - "Code": { - "Lines": [ - { - "Number": 254, - "Content": " - name: minio", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - 
\u001b[38;5;33mname\u001b[0m: minio", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 255, - "Content": " image: \"quay.io/devtron/minio:RELEASE.2020-12-03T05-49-24Z\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/minio:RELEASE.2020-12-03T05-49-24Z\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 256, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 257, - "Content": " command:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mcommand\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 258, - "Content": " - \"/bin/sh\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;37m\"/bin/sh\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 259, - "Content": " - \"-ce\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m - \u001b[38;5;37m\"-ce\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 260, - "Content": " - \"/usr/bin/docker-entrypoint.sh minio -S /etc/minio/certs/ gateway azure\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m - \u001b[38;5;37m\"/usr/bin/docker-entrypoint.sh minio -S /etc/minio/certs/ gateway azure\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 261, - "Content": " volumeMounts: ", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mvolumeMounts\u001b[0m: ", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 262, - "Content": " ports:", - "IsCause": true, - "Annotation": "", - "Truncated": 
false, - "Highlighted": " \u001b[38;5;33mports\u001b[0m:", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 263, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "AVD-KSV-0109", - "AVDID": "AVD-KSV-0109", - "Title": "ConfigMap with secrets", - "Description": "Storing secrets in configMaps is unsafe", - "Message": "ConfigMap 'devtron-minio' in 'default' namespace stores secrets in key(s) or value(s) '{\" ACCESS\"}'", - "Namespace": "builtin.kubernetes.KSV0109", - "Query": "data.builtin.kubernetes.KSV0109.deny", - "Resolution": "Remove password/secret from configMap data value", - "Severity": "HIGH", - "PrimaryURL": "https://avd.aquasec.com/misconfig/avd-ksv-0109", - "References": [ - "https://avd.aquasec.com/misconfig/avd-ksv-0109" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 38, - "EndLine": 38, - "Code": { - "Lines": [ - { - "Number": 38, - "Content": "---", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m---", - "FirstCause": true, - "LastCause": true - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV113", - "AVDID": "AVD-KSV-0113", - "Title": "Manage namespace secrets", - "Description": "Viewing secrets at the namespace scope can lead to escalation if another service account in that namespace has a higher privileged rolebinding or clusterrolebinding bound.", - "Message": "Role 'devtron-minio-update-prometheus-secret' shouldn't have access to manage secrets in namespace 'default'", - "Namespace": "builtin.kubernetes.KSV113", - "Query": "data.builtin.kubernetes.KSV113.deny", - "Resolution": "Manage namespace secrets are not allowed. 
Remove resource 'secrets' from role", - "Severity": "MEDIUM", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv113", - "References": [ - "https://kubernetes.io/docs/concepts/security/rbac-good-practices/", - "https://avd.aquasec.com/misconfig/ksv113" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 166, - "EndLine": 171, - "Code": { - "Lines": [ - { - "Number": 166, - "Content": " - apiGroups:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mapiGroups\u001b[0m:", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 167, - "Content": " - \"\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;37m\"\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 168, - "Content": " resources:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mresources\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 169, - "Content": " - secrets", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - secrets", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 170, - "Content": " verbs:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mverbs\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 171, - "Content": " - create", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - create", - "FirstCause": false, - "LastCause": true - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV113", - "AVDID": "AVD-KSV-0113", - "Title": "Manage namespace secrets", - "Description": "Viewing secrets at the namespace scope can lead to escalation if another service account in that namespace has a higher privileged rolebinding or clusterrolebinding bound.", - 
"Message": "Role 'devtron-minio-update-prometheus-secret' shouldn't have access to manage secrets in namespace 'default'", - "Namespace": "builtin.kubernetes.KSV113", - "Query": "data.builtin.kubernetes.KSV113.deny", - "Resolution": "Manage namespace secrets are not allowed. Remove resource 'secrets' from role", - "Severity": "MEDIUM", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv113", - "References": [ - "https://kubernetes.io/docs/concepts/security/rbac-good-practices/", - "https://avd.aquasec.com/misconfig/ksv113" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 155, - "EndLine": 165, - "Code": { - "Lines": [ - { - "Number": 155, - "Content": " - apiGroups:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mapiGroups\u001b[0m:", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 156, - "Content": " - \"\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;37m\"\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 157, - "Content": " resources:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mresources\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 158, - "Content": " - secrets", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - secrets", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 159, - "Content": " verbs:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mverbs\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 160, - "Content": " - get", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - get", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 161, - "Content": " - create", - "IsCause": true, - 
"Annotation": "", - "Truncated": false, - "Highlighted": " - create", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 162, - "Content": " - update", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - update", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 163, - "Content": " - patch", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - patch", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 164, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - } - ] - }, - { - "Target": "manifests/yamls/namespace.yaml", - "Class": "config", - "Type": "kubernetes", - "MisconfSummary": { - "Successes": 153, - "Failures": 0, - "Exceptions": 0 - } - }, - { - "Target": "manifests/yamls/nats-operator.yaml", - "Class": "config", - "Type": "kubernetes", - "MisconfSummary": { - "Successes": 153, - "Failures": 24, - "Exceptions": 0 - }, - "Misconfigurations": [ - { - "Type": "Kubernetes Security Check", - "ID": "KSV001", - "AVDID": "AVD-KSV-0001", - "Title": "Can elevate its own privileges", - "Description": "A program inside the container can elevate its own privileges and run as root, which might give the program control over the container and node.", - "Message": "Container 'nats-operator' of Deployment 'nats-operator' should set 'securityContext.allowPrivilegeEscalation' to false", - "Namespace": "builtin.kubernetes.KSV001", - "Query": "data.builtin.kubernetes.KSV001.deny", - "Resolution": "Set 'set containers[].securityContext.allowPrivilegeEscalation' to 'false'.", - "Severity": "MEDIUM", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv001", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", - "https://avd.aquasec.com/misconfig/ksv001" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - 
"Service": "general", - "StartLine": 213, - "EndLine": 237, - "Code": { - "Lines": [ - { - "Number": 213, - "Content": " - name: nats-operator", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: nats-operator", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 214, - "Content": " image: \"quay.io/devtron/nats-operator:0.5.0-v1alpha2\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/nats-operator:0.5.0-v1alpha2\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 215, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 216, - "Content": " args:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33margs\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 217, - "Content": " - nats-operator", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - nats-operator", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 218, - "Content": " # Uncomment to perform a cluster-scoped deployment in supported versions.", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;239m# Uncomment to perform a cluster-scoped deployment in supported versions.", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 219, - "Content": " #- --feature-gates=ClusterScoped=true", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;239m#- --feature-gates=ClusterScoped=true", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 220, - "Content": " ports:", - "IsCause": true, - "Annotation": "", - 
"Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mports\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 221, - "Content": " - name: readyz", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: readyz", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 222, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV003", - "AVDID": "AVD-KSV-0003", - "Title": "Default capabilities: some containers do not drop all", - "Description": "The container should drop all default capabilities and add only those that are needed for its execution.", - "Message": "Container 'nats-operator' of Deployment 'nats-operator' should add 'ALL' to 'securityContext.capabilities.drop'", - "Namespace": "builtin.kubernetes.KSV003", - "Query": "data.builtin.kubernetes.KSV003.deny", - "Resolution": "Add 'ALL' to containers[].securityContext.capabilities.drop.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv003", - "References": [ - "https://kubesec.io/basics/containers-securitycontext-capabilities-drop-index-all/", - "https://avd.aquasec.com/misconfig/ksv003" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 213, - "EndLine": 237, - "Code": { - "Lines": [ - { - "Number": 213, - "Content": " - name: nats-operator", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: nats-operator", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 214, - "Content": " image: \"quay.io/devtron/nats-operator:0.5.0-v1alpha2\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: 
\u001b[38;5;37m\"quay.io/devtron/nats-operator:0.5.0-v1alpha2\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 215, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 216, - "Content": " args:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33margs\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 217, - "Content": " - nats-operator", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - nats-operator", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 218, - "Content": " # Uncomment to perform a cluster-scoped deployment in supported versions.", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;239m# Uncomment to perform a cluster-scoped deployment in supported versions.", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 219, - "Content": " #- --feature-gates=ClusterScoped=true", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;239m#- --feature-gates=ClusterScoped=true", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 220, - "Content": " ports:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mports\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 221, - "Content": " - name: readyz", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: readyz", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 222, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - 
"Type": "Kubernetes Security Check", - "ID": "KSV011", - "AVDID": "AVD-KSV-0011", - "Title": "CPU not limited", - "Description": "Enforcing CPU limits prevents DoS via resource exhaustion.", - "Message": "Container 'nats-operator' of Deployment 'nats-operator' should set 'resources.limits.cpu'", - "Namespace": "builtin.kubernetes.KSV011", - "Query": "data.builtin.kubernetes.KSV011.deny", - "Resolution": "Set a limit value under 'containers[].resources.limits.cpu'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv011", - "References": [ - "https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", - "https://avd.aquasec.com/misconfig/ksv011" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 213, - "EndLine": 237, - "Code": { - "Lines": [ - { - "Number": 213, - "Content": " - name: nats-operator", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: nats-operator", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 214, - "Content": " image: \"quay.io/devtron/nats-operator:0.5.0-v1alpha2\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/nats-operator:0.5.0-v1alpha2\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 215, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 216, - "Content": " args:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33margs\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 217, - "Content": " - nats-operator", - 
"IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - nats-operator", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 218, - "Content": " # Uncomment to perform a cluster-scoped deployment in supported versions.", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;239m# Uncomment to perform a cluster-scoped deployment in supported versions.", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 219, - "Content": " #- --feature-gates=ClusterScoped=true", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;239m#- --feature-gates=ClusterScoped=true", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 220, - "Content": " ports:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mports\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 221, - "Content": " - name: readyz", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: readyz", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 222, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV012", - "AVDID": "AVD-KSV-0012", - "Title": "Runs as root user", - "Description": "Force the running image to run as a non-root user to ensure least privileges.", - "Message": "Container 'nats-operator' of Deployment 'nats-operator' should set 'securityContext.runAsNonRoot' to true", - "Namespace": "builtin.kubernetes.KSV012", - "Query": "data.builtin.kubernetes.KSV012.deny", - "Resolution": "Set 'containers[].securityContext.runAsNonRoot' to true.", - "Severity": "MEDIUM", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv012", - "References": [ - 
"https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", - "https://avd.aquasec.com/misconfig/ksv012" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 213, - "EndLine": 237, - "Code": { - "Lines": [ - { - "Number": 213, - "Content": " - name: nats-operator", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: nats-operator", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 214, - "Content": " image: \"quay.io/devtron/nats-operator:0.5.0-v1alpha2\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/nats-operator:0.5.0-v1alpha2\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 215, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 216, - "Content": " args:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33margs\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 217, - "Content": " - nats-operator", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - nats-operator", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 218, - "Content": " # Uncomment to perform a cluster-scoped deployment in supported versions.", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;239m# Uncomment to perform a cluster-scoped deployment in supported versions.", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 219, - "Content": " #- --feature-gates=ClusterScoped=true", - "IsCause": true, - "Annotation": "", - "Truncated": false, - 
"Highlighted": "\u001b[0m \u001b[38;5;239m#- --feature-gates=ClusterScoped=true", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 220, - "Content": " ports:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mports\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 221, - "Content": " - name: readyz", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: readyz", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 222, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV014", - "AVDID": "AVD-KSV-0014", - "Title": "Root file system is not read-only", - "Description": "An immutable root file system prevents applications from writing to their local disk. This can limit intrusions, as attackers will not be able to tamper with the file system or write foreign executables to disk.", - "Message": "Container 'nats-operator' of Deployment 'nats-operator' should set 'securityContext.readOnlyRootFilesystem' to true", - "Namespace": "builtin.kubernetes.KSV014", - "Query": "data.builtin.kubernetes.KSV014.deny", - "Resolution": "Change 'containers[].securityContext.readOnlyRootFilesystem' to 'true'.", - "Severity": "HIGH", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv014", - "References": [ - "https://kubesec.io/basics/containers-securitycontext-readonlyrootfilesystem-true/", - "https://avd.aquasec.com/misconfig/ksv014" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 213, - "EndLine": 237, - "Code": { - "Lines": [ - { - "Number": 213, - "Content": " - name: nats-operator", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: 
nats-operator", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 214, - "Content": " image: \"quay.io/devtron/nats-operator:0.5.0-v1alpha2\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/nats-operator:0.5.0-v1alpha2\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 215, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 216, - "Content": " args:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33margs\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 217, - "Content": " - nats-operator", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - nats-operator", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 218, - "Content": " # Uncomment to perform a cluster-scoped deployment in supported versions.", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;239m# Uncomment to perform a cluster-scoped deployment in supported versions.", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 219, - "Content": " #- --feature-gates=ClusterScoped=true", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;239m#- --feature-gates=ClusterScoped=true", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 220, - "Content": " ports:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mports\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 221, - "Content": " - name: readyz", - "IsCause": true, - "Annotation": "", - "Truncated": false, - 
"Highlighted": " - \u001b[38;5;33mname\u001b[0m: readyz", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 222, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV015", - "AVDID": "AVD-KSV-0015", - "Title": "CPU requests not specified", - "Description": "When containers have resource requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", - "Message": "Container 'nats-operator' of Deployment 'nats-operator' should set 'resources.requests.cpu'", - "Namespace": "builtin.kubernetes.KSV015", - "Query": "data.builtin.kubernetes.KSV015.deny", - "Resolution": "Set 'containers[].resources.requests.cpu'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv015", - "References": [ - "https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", - "https://avd.aquasec.com/misconfig/ksv015" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 213, - "EndLine": 237, - "Code": { - "Lines": [ - { - "Number": 213, - "Content": " - name: nats-operator", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: nats-operator", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 214, - "Content": " image: \"quay.io/devtron/nats-operator:0.5.0-v1alpha2\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/nats-operator:0.5.0-v1alpha2\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 215, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": 
"\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 216, - "Content": " args:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33margs\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 217, - "Content": " - nats-operator", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - nats-operator", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 218, - "Content": " # Uncomment to perform a cluster-scoped deployment in supported versions.", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;239m# Uncomment to perform a cluster-scoped deployment in supported versions.", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 219, - "Content": " #- --feature-gates=ClusterScoped=true", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;239m#- --feature-gates=ClusterScoped=true", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 220, - "Content": " ports:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mports\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 221, - "Content": " - name: readyz", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: readyz", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 222, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV016", - "AVDID": "AVD-KSV-0016", - "Title": "Memory requests not specified", - "Description": "When containers have memory requests specified, the scheduler can make better decisions about which nodes to place pods 
on, and how to deal with resource contention.", - "Message": "Container 'nats-operator' of Deployment 'nats-operator' should set 'resources.requests.memory'", - "Namespace": "builtin.kubernetes.KSV016", - "Query": "data.builtin.kubernetes.KSV016.deny", - "Resolution": "Set 'containers[].resources.requests.memory'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv016", - "References": [ - "https://kubesec.io/basics/containers-resources-limits-memory/", - "https://avd.aquasec.com/misconfig/ksv016" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 213, - "EndLine": 237, - "Code": { - "Lines": [ - { - "Number": 213, - "Content": " - name: nats-operator", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: nats-operator", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 214, - "Content": " image: \"quay.io/devtron/nats-operator:0.5.0-v1alpha2\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/nats-operator:0.5.0-v1alpha2\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 215, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 216, - "Content": " args:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33margs\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 217, - "Content": " - nats-operator", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - nats-operator", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 218, - "Content": " # Uncomment to perform a 
cluster-scoped deployment in supported versions.", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;239m# Uncomment to perform a cluster-scoped deployment in supported versions.", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 219, - "Content": " #- --feature-gates=ClusterScoped=true", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;239m#- --feature-gates=ClusterScoped=true", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 220, - "Content": " ports:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mports\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 221, - "Content": " - name: readyz", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: readyz", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 222, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV018", - "AVDID": "AVD-KSV-0018", - "Title": "Memory not limited", - "Description": "Enforcing memory limits prevents DoS via resource exhaustion.", - "Message": "Container 'nats-operator' of Deployment 'nats-operator' should set 'resources.limits.memory'", - "Namespace": "builtin.kubernetes.KSV018", - "Query": "data.builtin.kubernetes.KSV018.deny", - "Resolution": "Set a limit value under 'containers[].resources.limits.memory'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv018", - "References": [ - "https://kubesec.io/basics/containers-resources-limits-memory/", - "https://avd.aquasec.com/misconfig/ksv018" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 213, - "EndLine": 237, - 
"Code": { - "Lines": [ - { - "Number": 213, - "Content": " - name: nats-operator", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: nats-operator", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 214, - "Content": " image: \"quay.io/devtron/nats-operator:0.5.0-v1alpha2\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/nats-operator:0.5.0-v1alpha2\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 215, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 216, - "Content": " args:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33margs\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 217, - "Content": " - nats-operator", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - nats-operator", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 218, - "Content": " # Uncomment to perform a cluster-scoped deployment in supported versions.", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;239m# Uncomment to perform a cluster-scoped deployment in supported versions.", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 219, - "Content": " #- --feature-gates=ClusterScoped=true", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;239m#- --feature-gates=ClusterScoped=true", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 220, - "Content": " ports:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m 
\u001b[38;5;33mports\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 221, - "Content": " - name: readyz", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: readyz", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 222, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV020", - "AVDID": "AVD-KSV-0020", - "Title": "Runs with UID \u003c= 10000", - "Description": "Force the container to run with user ID \u003e 10000 to avoid conflicts with the host’s user table.", - "Message": "Container 'nats-operator' of Deployment 'nats-operator' should set 'securityContext.runAsUser' \u003e 10000", - "Namespace": "builtin.kubernetes.KSV020", - "Query": "data.builtin.kubernetes.KSV020.deny", - "Resolution": "Set 'containers[].securityContext.runAsUser' to an integer \u003e 10000.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv020", - "References": [ - "https://kubesec.io/basics/containers-securitycontext-runasuser/", - "https://avd.aquasec.com/misconfig/ksv020" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 213, - "EndLine": 237, - "Code": { - "Lines": [ - { - "Number": 213, - "Content": " - name: nats-operator", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: nats-operator", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 214, - "Content": " image: \"quay.io/devtron/nats-operator:0.5.0-v1alpha2\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/nats-operator:0.5.0-v1alpha2\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 215, - 
"Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 216, - "Content": " args:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33margs\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 217, - "Content": " - nats-operator", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - nats-operator", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 218, - "Content": " # Uncomment to perform a cluster-scoped deployment in supported versions.", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;239m# Uncomment to perform a cluster-scoped deployment in supported versions.", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 219, - "Content": " #- --feature-gates=ClusterScoped=true", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;239m#- --feature-gates=ClusterScoped=true", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 220, - "Content": " ports:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mports\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 221, - "Content": " - name: readyz", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: readyz", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 222, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV021", - "AVDID": "AVD-KSV-0021", - "Title": "Runs with GID \u003c= 10000", - "Description": 
"Force the container to run with group ID \u003e 10000 to avoid conflicts with the host’s user table.", - "Message": "Container 'nats-operator' of Deployment 'nats-operator' should set 'securityContext.runAsGroup' \u003e 10000", - "Namespace": "builtin.kubernetes.KSV021", - "Query": "data.builtin.kubernetes.KSV021.deny", - "Resolution": "Set 'containers[].securityContext.runAsGroup' to an integer \u003e 10000.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv021", - "References": [ - "https://kubesec.io/basics/containers-securitycontext-runasuser/", - "https://avd.aquasec.com/misconfig/ksv021" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 213, - "EndLine": 237, - "Code": { - "Lines": [ - { - "Number": 213, - "Content": " - name: nats-operator", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: nats-operator", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 214, - "Content": " image: \"quay.io/devtron/nats-operator:0.5.0-v1alpha2\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/nats-operator:0.5.0-v1alpha2\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 215, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 216, - "Content": " args:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33margs\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 217, - "Content": " - nats-operator", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - nats-operator", - "FirstCause": 
false, - "LastCause": false - }, - { - "Number": 218, - "Content": " # Uncomment to perform a cluster-scoped deployment in supported versions.", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;239m# Uncomment to perform a cluster-scoped deployment in supported versions.", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 219, - "Content": " #- --feature-gates=ClusterScoped=true", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;239m#- --feature-gates=ClusterScoped=true", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 220, - "Content": " ports:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mports\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 221, - "Content": " - name: readyz", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: readyz", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 222, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV030", - "AVDID": "AVD-KSV-0030", - "Title": "Runtime/Default Seccomp profile not set", - "Description": "According to pod security standard 'Seccomp', the RuntimeDefault seccomp profile must be required, or allow specific additional profiles.", - "Message": "Either Pod or Container should set 'securityContext.seccompProfile.type' to 'RuntimeDefault'", - "Namespace": "builtin.kubernetes.KSV030", - "Query": "data.builtin.kubernetes.KSV030.deny", - "Resolution": "Set 'spec.securityContext.seccompProfile.type', 'spec.containers[*].securityContext.seccompProfile' and 'spec.initContainers[*].securityContext.seccompProfile' to 'RuntimeDefault' or undefined.", - "Severity": "LOW", - "PrimaryURL": 
"https://avd.aquasec.com/misconfig/ksv030", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", - "https://avd.aquasec.com/misconfig/ksv030" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 213, - "EndLine": 237, - "Code": { - "Lines": [ - { - "Number": 213, - "Content": " - name: nats-operator", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: nats-operator", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 214, - "Content": " image: \"quay.io/devtron/nats-operator:0.5.0-v1alpha2\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/nats-operator:0.5.0-v1alpha2\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 215, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 216, - "Content": " args:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33margs\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 217, - "Content": " - nats-operator", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - nats-operator", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 218, - "Content": " # Uncomment to perform a cluster-scoped deployment in supported versions.", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;239m# Uncomment to perform a cluster-scoped deployment in supported versions.", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 219, - "Content": " #- 
--feature-gates=ClusterScoped=true", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;239m#- --feature-gates=ClusterScoped=true", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 220, - "Content": " ports:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mports\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 221, - "Content": " - name: readyz", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: readyz", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 222, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV041", - "AVDID": "AVD-KSV-0041", - "Title": "Manage secrets", - "Description": "Viewing secrets at the cluster-scope is akin to cluster-admin in most clusters as there are typically at least one service accounts (their token stored in a secret) bound to cluster-admin directly or a role/clusterrole that gives similar permissions.", - "Message": "ClusterRole 'nats-operator' shouldn't have access to manage resource 'secrets'", - "Namespace": "builtin.kubernetes.KSV041", - "Query": "data.builtin.kubernetes.KSV041.deny", - "Resolution": "Manage secrets are not allowed. 
Remove resource 'secrets' from cluster role", - "Severity": "CRITICAL", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv041", - "References": [ - "https://kubernetes.io/docs/concepts/security/rbac-good-practices/", - "https://avd.aquasec.com/misconfig/ksv041" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 100, - "EndLine": 103, - "Code": { - "Lines": [ - { - "Number": 100, - "Content": "- apiGroups: [\"\"]", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m- \u001b[38;5;33mapiGroups\u001b[0m: [\u001b[38;5;37m\"\"\u001b[0m]", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 101, - "Content": " resources:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mresources\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 102, - "Content": " - secrets", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - secrets", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 103, - "Content": " verbs: [\"create\", \"watch\", \"get\", \"update\", \"delete\", \"list\"]", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mverbs\u001b[0m: [\u001b[38;5;37m\"create\"\u001b[0m, \u001b[38;5;37m\"watch\"\u001b[0m, \u001b[38;5;37m\"get\"\u001b[0m, \u001b[38;5;37m\"update\"\u001b[0m, \u001b[38;5;37m\"delete\"\u001b[0m, \u001b[38;5;37m\"list\"\u001b[0m]", - "FirstCause": false, - "LastCause": true - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV041", - "AVDID": "AVD-KSV-0041", - "Title": "Manage secrets", - "Description": "Viewing secrets at the cluster-scope is akin to cluster-admin in most clusters as there are typically at least one service accounts (their token stored in a secret) bound to cluster-admin directly or a role/clusterrole that gives similar permissions.", - 
"Message": "ClusterRole 'nats-streaming-operator' shouldn't have access to manage resource 'secrets'", - "Namespace": "builtin.kubernetes.KSV041", - "Query": "data.builtin.kubernetes.KSV041.deny", - "Resolution": "Manage secrets are not allowed. Remove resource 'secrets' from cluster role", - "Severity": "CRITICAL", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv041", - "References": [ - "https://kubernetes.io/docs/concepts/security/rbac-good-practices/", - "https://avd.aquasec.com/misconfig/ksv041" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 54, - "EndLine": 64, - "Code": { - "Lines": [ - { - "Number": 54, - "Content": "- apiGroups: [\"\"]", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m- \u001b[38;5;33mapiGroups\u001b[0m: [\u001b[38;5;37m\"\"\u001b[0m]", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 55, - "Content": " resources:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mresources\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 56, - "Content": " - configmaps", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - configmaps", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 57, - "Content": " - secrets", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - secrets", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 58, - "Content": " - pods", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - pods", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 59, - "Content": " - services", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - services", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 60, - "Content": " - serviceaccounts", - "IsCause": true, - 
"Annotation": "", - "Truncated": false, - "Highlighted": " - serviceaccounts", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 61, - "Content": " - serviceaccounts/token", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - serviceaccounts/token", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 62, - "Content": " - endpoints", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - endpoints", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 63, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV042", - "AVDID": "AVD-KSV-0042", - "Title": "Delete pod logs", - "Description": "Used to cover attacker’s tracks, but most clusters ship logs quickly off-cluster.", - "Message": "ClusterRole 'nats-operator' should not have access to resource 'pods/log' for verbs [\"delete\", \"deletecollection\", \"*\"]", - "Namespace": "builtin.kubernetes.KSV042", - "Query": "data.builtin.kubernetes.KSV042.deny", - "Resolution": "Remove verbs 'delete' and 'deletecollection' for resource 'pods/log' for Role and ClusterRole", - "Severity": "MEDIUM", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv042", - "References": [ - "https://kubernetes.io/docs/concepts/security/rbac-good-practices/", - "https://avd.aquasec.com/misconfig/ksv042" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 106, - "EndLine": 112, - "Code": { - "Lines": [ - { - "Number": 106, - "Content": "- apiGroups: [\"\"]", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m- \u001b[38;5;33mapiGroups\u001b[0m: [\u001b[38;5;37m\"\"\u001b[0m]", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 107, - "Content": " resources:", - "IsCause": true, - 
"Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mresources\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 108, - "Content": " - pods/exec", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - pods/exec", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 109, - "Content": " - pods/log", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - pods/log", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 110, - "Content": " - serviceaccounts/token", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - serviceaccounts/token", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 111, - "Content": " - events", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - events", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 112, - "Content": " verbs: [\"*\"]", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mverbs\u001b[0m: [\u001b[38;5;37m\"*\"\u001b[0m]", - "FirstCause": false, - "LastCause": true - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV045", - "AVDID": "AVD-KSV-0045", - "Title": "No wildcard verb roles", - "Description": "Check whether role permits wildcard verb on specific resources", - "Message": "Role permits wildcard verb on specific resources", - "Namespace": "builtin.kubernetes.KSV045", - "Query": "data.builtin.kubernetes.KSV045.deny", - "Resolution": "Create a role which does not permit wildcard verb on specific resources", - "Severity": "CRITICAL", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv045", - "References": [ - "https://kubernetes.io/docs/concepts/security/rbac-good-practices/", - "https://avd.aquasec.com/misconfig/ksv045" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - 
"StartLine": 54, - "EndLine": 64, - "Code": { - "Lines": [ - { - "Number": 54, - "Content": "- apiGroups: [\"\"]", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m- \u001b[38;5;33mapiGroups\u001b[0m: [\u001b[38;5;37m\"\"\u001b[0m]", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 55, - "Content": " resources:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mresources\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 56, - "Content": " - configmaps", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - configmaps", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 57, - "Content": " - secrets", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - secrets", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 58, - "Content": " - pods", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - pods", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 59, - "Content": " - services", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - services", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 60, - "Content": " - serviceaccounts", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - serviceaccounts", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 61, - "Content": " - serviceaccounts/token", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - serviceaccounts/token", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 62, - "Content": " - endpoints", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - endpoints", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 63, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - 
"FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV048", - "AVDID": "AVD-KSV-0048", - "Title": "Manage Kubernetes workloads and pods", - "Description": "Depending on the policies enforced by the admission controller, this permission ranges from the ability to steal compute (crypto) by running workloads or allowing for creating workloads that escape to the node as root and escalation to cluster-admin.", - "Message": "ClusterRole 'nats-operator' should not have access to resources [\"pods\", \"deployments\", \"jobs\", \"cronjobs\", \"statefulsets\", \"daemonsets\", \"replicasets\", \"replicationcontrollers\"] for verbs [\"create\", \"update\", \"patch\", \"delete\", \"deletecollection\", \"impersonate\", \"*\"]", - "Namespace": "builtin.kubernetes.KSV048", - "Query": "data.builtin.kubernetes.KSV048.deny", - "Resolution": "Kubernetes workloads resources are only allowed for verbs 'list', 'watch', 'get'", - "Severity": "MEDIUM", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv048", - "References": [ - "https://kubernetes.io/docs/concepts/security/rbac-good-practices/", - "https://avd.aquasec.com/misconfig/ksv048" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 88, - "EndLine": 91, - "Code": { - "Lines": [ - { - "Number": 88, - "Content": "- apiGroups: [\"\"]", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m- \u001b[38;5;33mapiGroups\u001b[0m: [\u001b[38;5;37m\"\"\u001b[0m]", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 89, - "Content": " resources:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mresources\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 90, - "Content": " - pods", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - pods", - "FirstCause": 
false, - "LastCause": false - }, - { - "Number": 91, - "Content": " verbs: [\"create\", \"watch\", \"get\", \"patch\", \"update\", \"delete\", \"list\"]", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mverbs\u001b[0m: [\u001b[38;5;37m\"create\"\u001b[0m, \u001b[38;5;37m\"watch\"\u001b[0m, \u001b[38;5;37m\"get\"\u001b[0m, \u001b[38;5;37m\"patch\"\u001b[0m, \u001b[38;5;37m\"update\"\u001b[0m, \u001b[38;5;37m\"delete\"\u001b[0m, \u001b[38;5;37m\"list\"\u001b[0m]", - "FirstCause": false, - "LastCause": true - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV048", - "AVDID": "AVD-KSV-0048", - "Title": "Manage Kubernetes workloads and pods", - "Description": "Depending on the policies enforced by the admission controller, this permission ranges from the ability to steal compute (crypto) by running workloads or allowing for creating workloads that escape to the node as root and escalation to cluster-admin.", - "Message": "ClusterRole 'nats-streaming-operator' should not have access to resources [\"pods\", \"deployments\", \"jobs\", \"cronjobs\", \"statefulsets\", \"daemonsets\", \"replicasets\", \"replicationcontrollers\"] for verbs [\"create\", \"update\", \"patch\", \"delete\", \"deletecollection\", \"impersonate\", \"*\"]", - "Namespace": "builtin.kubernetes.KSV048", - "Query": "data.builtin.kubernetes.KSV048.deny", - "Resolution": "Kubernetes workloads resources are only allowed for verbs 'list', 'watch', 'get'", - "Severity": "MEDIUM", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv048", - "References": [ - "https://kubernetes.io/docs/concepts/security/rbac-good-practices/", - "https://avd.aquasec.com/misconfig/ksv048" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 54, - "EndLine": 64, - "Code": { - "Lines": [ - { - "Number": 54, - "Content": "- apiGroups: [\"\"]", - "IsCause": true, - "Annotation": "", - 
"Truncated": false, - "Highlighted": "\u001b[0m- \u001b[38;5;33mapiGroups\u001b[0m: [\u001b[38;5;37m\"\"\u001b[0m]", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 55, - "Content": " resources:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mresources\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 56, - "Content": " - configmaps", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - configmaps", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 57, - "Content": " - secrets", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - secrets", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 58, - "Content": " - pods", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - pods", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 59, - "Content": " - services", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - services", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 60, - "Content": " - serviceaccounts", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - serviceaccounts", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 61, - "Content": " - serviceaccounts/token", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - serviceaccounts/token", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 62, - "Content": " - endpoints", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - endpoints", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 63, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV049", - "AVDID": "AVD-KSV-0049", - 
"Title": "Manage configmaps", - "Description": "Some workloads leverage configmaps to store sensitive data or configuration parameters that affect runtime behavior that can be modified by an attacker or combined with another issue to potentially lead to compromise.", - "Message": "ClusterRole 'nats-streaming-operator' should not have access to resource 'configmaps' for verbs [\"create\", \"update\", \"patch\", \"delete\", \"deletecollection\", \"impersonate\", \"*\"]", - "Namespace": "builtin.kubernetes.KSV049", - "Query": "data.builtin.kubernetes.KSV049.deny", - "Resolution": "Remove write permission verbs for resource 'configmaps'", - "Severity": "MEDIUM", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv049", - "References": [ - "https://kubernetes.io/docs/concepts/security/rbac-good-practices/", - "https://avd.aquasec.com/misconfig/ksv049" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 54, - "EndLine": 64, - "Code": { - "Lines": [ - { - "Number": 54, - "Content": "- apiGroups: [\"\"]", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m- \u001b[38;5;33mapiGroups\u001b[0m: [\u001b[38;5;37m\"\"\u001b[0m]", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 55, - "Content": " resources:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mresources\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 56, - "Content": " - configmaps", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - configmaps", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 57, - "Content": " - secrets", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - secrets", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 58, - "Content": " - pods", - "IsCause": true, - "Annotation": "", - "Truncated": false, - 
"Highlighted": " - pods", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 59, - "Content": " - services", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - services", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 60, - "Content": " - serviceaccounts", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - serviceaccounts", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 61, - "Content": " - serviceaccounts/token", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - serviceaccounts/token", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 62, - "Content": " - endpoints", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - endpoints", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 63, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV053", - "AVDID": "AVD-KSV-0053", - "Title": "Exec into Pods", - "Description": "The ability to exec into a container with privileged access to the host or with an attached SA with higher RBAC permissions is a common escalation path to cluster-admin.", - "Message": "ClusterRole 'nats-operator' should not have access to resource '[\"pods/exec\"]' for verbs [\"create\", \"update\", \"patch\", \"delete\", \"deletecollection\", \"impersonate\", \"*\"]", - "Namespace": "builtin.kubernetes.KSV053", - "Query": "data.builtin.kubernetes.KSV053.deny", - "Resolution": "Remove write permission verbs for resource 'pods/exec'", - "Severity": "HIGH", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv053", - "References": [ - "https://kubernetes.io/docs/concepts/security/rbac-good-practices/", - "https://avd.aquasec.com/misconfig/ksv053" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - 
"Provider": "Kubernetes", - "Service": "general", - "StartLine": 106, - "EndLine": 112, - "Code": { - "Lines": [ - { - "Number": 106, - "Content": "- apiGroups: [\"\"]", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m- \u001b[38;5;33mapiGroups\u001b[0m: [\u001b[38;5;37m\"\"\u001b[0m]", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 107, - "Content": " resources:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mresources\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 108, - "Content": " - pods/exec", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - pods/exec", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 109, - "Content": " - pods/log", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - pods/log", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 110, - "Content": " - serviceaccounts/token", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - serviceaccounts/token", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 111, - "Content": " - events", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - events", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 112, - "Content": " verbs: [\"*\"]", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mverbs\u001b[0m: [\u001b[38;5;37m\"*\"\u001b[0m]", - "FirstCause": false, - "LastCause": true - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV056", - "AVDID": "AVD-KSV-0056", - "Title": "Manage Kubernetes networking", - "Description": "The ability to control which pods get service traffic directed to them allows for interception attacks. 
Controlling network policy allows for bypassing lateral movement restrictions.", - "Message": "ClusterRole 'nats-operator' should not have access to resources [\"services\", \"endpoints\", \"endpointslices\", \"networkpolicies\", \"ingresses\"] for verbs [\"create\", \"update\", \"patch\", \"delete\", \"deletecollection\", \"impersonate\", \"*\"]", - "Namespace": "builtin.kubernetes.KSV056", - "Query": "data.builtin.kubernetes.KSV056.deny", - "Resolution": "Networking resources are only allowed for verbs 'list', 'watch', 'get'", - "Severity": "HIGH", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv056", - "References": [ - "https://kubernetes.io/docs/concepts/security/rbac-good-practices/", - "https://avd.aquasec.com/misconfig/ksv056" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 122, - "EndLine": 125, - "Code": { - "Lines": [ - { - "Number": 122, - "Content": "- apiGroups: [\"\"]", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m- \u001b[38;5;33mapiGroups\u001b[0m: [\u001b[38;5;37m\"\"\u001b[0m]", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 123, - "Content": " resources:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mresources\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 124, - "Content": " - endpoints", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - endpoints", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 125, - "Content": " verbs: [\"create\", \"watch\", \"get\", \"update\", \"delete\", \"list\"]", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mverbs\u001b[0m: [\u001b[38;5;37m\"create\"\u001b[0m, \u001b[38;5;37m\"watch\"\u001b[0m, \u001b[38;5;37m\"get\"\u001b[0m, \u001b[38;5;37m\"update\"\u001b[0m, \u001b[38;5;37m\"delete\"\u001b[0m, 
\u001b[38;5;37m\"list\"\u001b[0m]", - "FirstCause": false, - "LastCause": true - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV056", - "AVDID": "AVD-KSV-0056", - "Title": "Manage Kubernetes networking", - "Description": "The ability to control which pods get service traffic directed to them allows for interception attacks. Controlling network policy allows for bypassing lateral movement restrictions.", - "Message": "ClusterRole 'nats-operator' should not have access to resources [\"services\", \"endpoints\", \"endpointslices\", \"networkpolicies\", \"ingresses\"] for verbs [\"create\", \"update\", \"patch\", \"delete\", \"deletecollection\", \"impersonate\", \"*\"]", - "Namespace": "builtin.kubernetes.KSV056", - "Query": "data.builtin.kubernetes.KSV056.deny", - "Resolution": "Networking resources are only allowed for verbs 'list', 'watch', 'get'", - "Severity": "HIGH", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv056", - "References": [ - "https://kubernetes.io/docs/concepts/security/rbac-good-practices/", - "https://avd.aquasec.com/misconfig/ksv056" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 94, - "EndLine": 97, - "Code": { - "Lines": [ - { - "Number": 94, - "Content": "- apiGroups: [\"\"]", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m- \u001b[38;5;33mapiGroups\u001b[0m: [\u001b[38;5;37m\"\"\u001b[0m]", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 95, - "Content": " resources:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mresources\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 96, - "Content": " - services", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - services", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 97, - "Content": " verbs: [\"create\", 
\"watch\", \"get\", \"patch\", \"update\", \"delete\", \"list\"]", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mverbs\u001b[0m: [\u001b[38;5;37m\"create\"\u001b[0m, \u001b[38;5;37m\"watch\"\u001b[0m, \u001b[38;5;37m\"get\"\u001b[0m, \u001b[38;5;37m\"patch\"\u001b[0m, \u001b[38;5;37m\"update\"\u001b[0m, \u001b[38;5;37m\"delete\"\u001b[0m, \u001b[38;5;37m\"list\"\u001b[0m]", - "FirstCause": false, - "LastCause": true - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV056", - "AVDID": "AVD-KSV-0056", - "Title": "Manage Kubernetes networking", - "Description": "The ability to control which pods get service traffic directed to them allows for interception attacks. Controlling network policy allows for bypassing lateral movement restrictions.", - "Message": "ClusterRole 'nats-streaming-operator' should not have access to resources [\"services\", \"endpoints\", \"endpointslices\", \"networkpolicies\", \"ingresses\"] for verbs [\"create\", \"update\", \"patch\", \"delete\", \"deletecollection\", \"impersonate\", \"*\"]", - "Namespace": "builtin.kubernetes.KSV056", - "Query": "data.builtin.kubernetes.KSV056.deny", - "Resolution": "Networking resources are only allowed for verbs 'list', 'watch', 'get'", - "Severity": "HIGH", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv056", - "References": [ - "https://kubernetes.io/docs/concepts/security/rbac-good-practices/", - "https://avd.aquasec.com/misconfig/ksv056" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 54, - "EndLine": 64, - "Code": { - "Lines": [ - { - "Number": 54, - "Content": "- apiGroups: [\"\"]", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m- \u001b[38;5;33mapiGroups\u001b[0m: [\u001b[38;5;37m\"\"\u001b[0m]", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 55, - "Content": " resources:", - 
"IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mresources\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 56, - "Content": " - configmaps", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - configmaps", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 57, - "Content": " - secrets", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - secrets", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 58, - "Content": " - pods", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - pods", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 59, - "Content": " - services", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - services", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 60, - "Content": " - serviceaccounts", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - serviceaccounts", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 61, - "Content": " - serviceaccounts/token", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - serviceaccounts/token", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 62, - "Content": " - endpoints", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - endpoints", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 63, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV104", - "AVDID": "AVD-KSV-0104", - "Title": "Seccomp policies disabled", - "Description": "A program inside the container can bypass Seccomp protection policies.", - "Message": "container \"nats-operator\" of deployment \"nats-operator\" in 
\"devtroncd\" namespace should specify a seccomp profile", - "Namespace": "builtin.kubernetes.KSV104", - "Query": "data.builtin.kubernetes.KSV104.deny", - "Resolution": "Specify seccomp either by annotation or by seccomp profile type having allowed values as per pod security standards", - "Severity": "MEDIUM", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv104", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline", - "https://avd.aquasec.com/misconfig/ksv104" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 192, - "EndLine": 192, - "Code": { - "Lines": [ - { - "Number": 192, - "Content": "---", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "---", - "FirstCause": true, - "LastCause": true - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV106", - "AVDID": "AVD-KSV-0106", - "Title": "Container capabilities must only include NET_BIND_SERVICE", - "Description": "Containers must drop ALL capabilities, and are only permitted to add back the NET_BIND_SERVICE capability.", - "Message": "container should drop all", - "Namespace": "builtin.kubernetes.KSV106", - "Query": "data.builtin.kubernetes.KSV106.deny", - "Resolution": "Set 'spec.containers[*].securityContext.capabilities.drop' to 'ALL' and only add 'NET_BIND_SERVICE' to 'spec.containers[*].securityContext.capabilities.add'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv106", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", - "https://avd.aquasec.com/misconfig/ksv106" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 213, - "EndLine": 237, - "Code": { - "Lines": [ - { - "Number": 213, - "Content": " - name: nats-operator", - "IsCause": true, - "Annotation": "", - 
"Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: nats-operator", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 214, - "Content": " image: \"quay.io/devtron/nats-operator:0.5.0-v1alpha2\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/nats-operator:0.5.0-v1alpha2\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 215, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 216, - "Content": " args:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33margs\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 217, - "Content": " - nats-operator", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - nats-operator", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 218, - "Content": " # Uncomment to perform a cluster-scoped deployment in supported versions.", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;239m# Uncomment to perform a cluster-scoped deployment in supported versions.", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 219, - "Content": " #- --feature-gates=ClusterScoped=true", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;239m#- --feature-gates=ClusterScoped=true", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 220, - "Content": " ports:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mports\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 221, - "Content": " - name: readyz", - 
"IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: readyz", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 222, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - } - ] - }, - { - "Target": "manifests/yamls/nats-server.yaml", - "Class": "config", - "Type": "kubernetes", - "MisconfSummary": { - "Successes": 153, - "Failures": 53, - "Exceptions": 0 - }, - "Misconfigurations": [ - { - "Type": "Kubernetes Security Check", - "ID": "KSV001", - "AVDID": "AVD-KSV-0001", - "Title": "Can elevate its own privileges", - "Description": "A program inside the container can elevate its own privileges and run as root, which might give the program control over the container and node.", - "Message": "Container 'metrics' of StatefulSet 'devtron-nats' should set 'securityContext.allowPrivilegeEscalation' to false", - "Namespace": "builtin.kubernetes.KSV001", - "Query": "data.builtin.kubernetes.KSV001.deny", - "Resolution": "Set 'set containers[].securityContext.allowPrivilegeEscalation' to 'false'.", - "Severity": "MEDIUM", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv001", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", - "https://avd.aquasec.com/misconfig/ksv001" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 240, - "EndLine": 256, - "Code": { - "Lines": [ - { - "Number": 240, - "Content": " - name: metrics", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: metrics", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 241, - "Content": " image: quay.io/devtron/prometheus-nats-exporter:0.9.0", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: 
quay.io/devtron/prometheus-nats-exporter:0.9.0", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 242, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 243, - "Content": " resources:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mresources\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 244, - "Content": " {}", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " {}", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 245, - "Content": " args:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33margs\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 246, - "Content": " - -connz", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - -connz", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 247, - "Content": " - -routez", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - -routez", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 248, - "Content": " - -subz", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - -subz", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 249, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV001", - "AVDID": "AVD-KSV-0001", - "Title": "Can elevate its own privileges", - "Description": "A program inside the container can elevate its own privileges and run as root, which might give the program control over the container and node.", - "Message": "Container 'nats' 
of StatefulSet 'devtron-nats' should set 'securityContext.allowPrivilegeEscalation' to false", - "Namespace": "builtin.kubernetes.KSV001", - "Query": "data.builtin.kubernetes.KSV001.deny", - "Resolution": "Set 'set containers[].securityContext.allowPrivilegeEscalation' to 'false'.", - "Severity": "MEDIUM", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv001", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", - "https://avd.aquasec.com/misconfig/ksv001" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 133, - "EndLine": 208, - "Code": { - "Lines": [ - { - "Number": 133, - "Content": " - name: nats", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: nats", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 134, - "Content": " image: nats:2.9.3-alpine", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: nats:2.9.3-alpine", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 135, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 136, - "Content": " resources:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mresources\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 137, - "Content": " {}", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " {}", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 138, - "Content": " ports:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mports\u001b[0m:", - "FirstCause": false, - "LastCause": false - 
}, - { - "Number": 139, - "Content": " - containerPort: 4222", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m4222", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 140, - "Content": " name: client", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mname\u001b[0m: client", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 141, - "Content": " - containerPort: 7422", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m7422", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 142, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV001", - "AVDID": "AVD-KSV-0001", - "Title": "Can elevate its own privileges", - "Description": "A program inside the container can elevate its own privileges and run as root, which might give the program control over the container and node.", - "Message": "Container 'nats-box' of Pod 'devtron-nats-test-request-reply' should set 'securityContext.allowPrivilegeEscalation' to false", - "Namespace": "builtin.kubernetes.KSV001", - "Query": "data.builtin.kubernetes.KSV001.deny", - "Resolution": "Set 'set containers[].securityContext.allowPrivilegeEscalation' to 'false'.", - "Severity": "MEDIUM", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv001", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", - "https://avd.aquasec.com/misconfig/ksv001" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 284, - "EndLine": 300, - "Code": { - "Lines": [ - { - "Number": 284, - "Content": " - name: nats-box", - 
"IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: nats-box", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 285, - "Content": " image: quay.io/devtron/nats-box", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/nats-box", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 286, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 287, - "Content": " - name: NATS_HOST", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: NATS_HOST", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 288, - "Content": " value: devtron-nats", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: devtron-nats", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 289, - "Content": " command:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mcommand\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 290, - "Content": " - /bin/sh", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - /bin/sh", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 291, - "Content": " - -ec", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - -ec", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 292, - "Content": " - |", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - |", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 293, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] 
- } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV001", - "AVDID": "AVD-KSV-0001", - "Title": "Can elevate its own privileges", - "Description": "A program inside the container can elevate its own privileges and run as root, which might give the program control over the container and node.", - "Message": "Container 'reloader' of StatefulSet 'devtron-nats' should set 'securityContext.allowPrivilegeEscalation' to false", - "Namespace": "builtin.kubernetes.KSV001", - "Query": "data.builtin.kubernetes.KSV001.deny", - "Resolution": "Set 'set containers[].securityContext.allowPrivilegeEscalation' to 'false'.", - "Severity": "MEDIUM", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv001", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", - "https://avd.aquasec.com/misconfig/ksv001" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 216, - "EndLine": 231, - "Code": { - "Lines": [ - { - "Number": 216, - "Content": " - name: reloader", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: reloader", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 217, - "Content": " image: quay.io/devtron/nats-server-config-reloader:0.6.2", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/nats-server-config-reloader:0.6.2", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 218, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 219, - "Content": " resources:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mresources\u001b[0m:", - 
"FirstCause": false, - "LastCause": false - }, - { - "Number": 220, - "Content": " null", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;166mnull", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 221, - "Content": " command:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mcommand\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 222, - "Content": " - \"nats-server-config-reloader\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;37m\"nats-server-config-reloader\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 223, - "Content": " - \"-pid\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m - \u001b[38;5;37m\"-pid\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 224, - "Content": " - \"/var/run/nats/nats.pid\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m - \u001b[38;5;37m\"/var/run/nats/nats.pid\"", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 225, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV003", - "AVDID": "AVD-KSV-0003", - "Title": "Default capabilities: some containers do not drop all", - "Description": "The container should drop all default capabilities and add only those that are needed for its execution.", - "Message": "Container 'metrics' of StatefulSet 'devtron-nats' should add 'ALL' to 'securityContext.capabilities.drop'", - "Namespace": "builtin.kubernetes.KSV003", - "Query": "data.builtin.kubernetes.KSV003.deny", - "Resolution": "Add 'ALL' to containers[].securityContext.capabilities.drop.", - "Severity": "LOW", - "PrimaryURL": 
"https://avd.aquasec.com/misconfig/ksv003", - "References": [ - "https://kubesec.io/basics/containers-securitycontext-capabilities-drop-index-all/", - "https://avd.aquasec.com/misconfig/ksv003" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 240, - "EndLine": 256, - "Code": { - "Lines": [ - { - "Number": 240, - "Content": " - name: metrics", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: metrics", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 241, - "Content": " image: quay.io/devtron/prometheus-nats-exporter:0.9.0", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/prometheus-nats-exporter:0.9.0", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 242, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 243, - "Content": " resources:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mresources\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 244, - "Content": " {}", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " {}", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 245, - "Content": " args:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33margs\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 246, - "Content": " - -connz", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - -connz", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 247, - "Content": " - -routez", - "IsCause": true, - 
"Annotation": "", - "Truncated": false, - "Highlighted": " - -routez", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 248, - "Content": " - -subz", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - -subz", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 249, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV003", - "AVDID": "AVD-KSV-0003", - "Title": "Default capabilities: some containers do not drop all", - "Description": "The container should drop all default capabilities and add only those that are needed for its execution.", - "Message": "Container 'nats' of StatefulSet 'devtron-nats' should add 'ALL' to 'securityContext.capabilities.drop'", - "Namespace": "builtin.kubernetes.KSV003", - "Query": "data.builtin.kubernetes.KSV003.deny", - "Resolution": "Add 'ALL' to containers[].securityContext.capabilities.drop.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv003", - "References": [ - "https://kubesec.io/basics/containers-securitycontext-capabilities-drop-index-all/", - "https://avd.aquasec.com/misconfig/ksv003" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 133, - "EndLine": 208, - "Code": { - "Lines": [ - { - "Number": 133, - "Content": " - name: nats", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: nats", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 134, - "Content": " image: nats:2.9.3-alpine", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: nats:2.9.3-alpine", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 135, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - 
"Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 136, - "Content": " resources:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mresources\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 137, - "Content": " {}", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " {}", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 138, - "Content": " ports:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mports\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 139, - "Content": " - containerPort: 4222", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m4222", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 140, - "Content": " name: client", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mname\u001b[0m: client", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 141, - "Content": " - containerPort: 7422", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m7422", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 142, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV003", - "AVDID": "AVD-KSV-0003", - "Title": "Default capabilities: some containers do not drop all", - "Description": "The container should drop all default capabilities and add only those that are needed for its execution.", - "Message": "Container 'nats-box' of Pod 
'devtron-nats-test-request-reply' should add 'ALL' to 'securityContext.capabilities.drop'", - "Namespace": "builtin.kubernetes.KSV003", - "Query": "data.builtin.kubernetes.KSV003.deny", - "Resolution": "Add 'ALL' to containers[].securityContext.capabilities.drop.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv003", - "References": [ - "https://kubesec.io/basics/containers-securitycontext-capabilities-drop-index-all/", - "https://avd.aquasec.com/misconfig/ksv003" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 284, - "EndLine": 300, - "Code": { - "Lines": [ - { - "Number": 284, - "Content": " - name: nats-box", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: nats-box", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 285, - "Content": " image: quay.io/devtron/nats-box", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/nats-box", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 286, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 287, - "Content": " - name: NATS_HOST", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: NATS_HOST", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 288, - "Content": " value: devtron-nats", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: devtron-nats", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 289, - "Content": " command:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mcommand\u001b[0m:", - "FirstCause": 
false, - "LastCause": false - }, - { - "Number": 290, - "Content": " - /bin/sh", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - /bin/sh", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 291, - "Content": " - -ec", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - -ec", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 292, - "Content": " - |", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - |", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 293, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV003", - "AVDID": "AVD-KSV-0003", - "Title": "Default capabilities: some containers do not drop all", - "Description": "The container should drop all default capabilities and add only those that are needed for its execution.", - "Message": "Container 'reloader' of StatefulSet 'devtron-nats' should add 'ALL' to 'securityContext.capabilities.drop'", - "Namespace": "builtin.kubernetes.KSV003", - "Query": "data.builtin.kubernetes.KSV003.deny", - "Resolution": "Add 'ALL' to containers[].securityContext.capabilities.drop.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv003", - "References": [ - "https://kubesec.io/basics/containers-securitycontext-capabilities-drop-index-all/", - "https://avd.aquasec.com/misconfig/ksv003" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 216, - "EndLine": 231, - "Code": { - "Lines": [ - { - "Number": 216, - "Content": " - name: reloader", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: reloader", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 217, - "Content": " image: 
quay.io/devtron/nats-server-config-reloader:0.6.2", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/nats-server-config-reloader:0.6.2", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 218, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 219, - "Content": " resources:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mresources\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 220, - "Content": " null", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;166mnull", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 221, - "Content": " command:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mcommand\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 222, - "Content": " - \"nats-server-config-reloader\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;37m\"nats-server-config-reloader\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 223, - "Content": " - \"-pid\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m - \u001b[38;5;37m\"-pid\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 224, - "Content": " - \"/var/run/nats/nats.pid\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m - \u001b[38;5;37m\"/var/run/nats/nats.pid\"", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 225, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - 
"LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV011", - "AVDID": "AVD-KSV-0011", - "Title": "CPU not limited", - "Description": "Enforcing CPU limits prevents DoS via resource exhaustion.", - "Message": "Container 'metrics' of StatefulSet 'devtron-nats' should set 'resources.limits.cpu'", - "Namespace": "builtin.kubernetes.KSV011", - "Query": "data.builtin.kubernetes.KSV011.deny", - "Resolution": "Set a limit value under 'containers[].resources.limits.cpu'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv011", - "References": [ - "https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", - "https://avd.aquasec.com/misconfig/ksv011" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 240, - "EndLine": 256, - "Code": { - "Lines": [ - { - "Number": 240, - "Content": " - name: metrics", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: metrics", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 241, - "Content": " image: quay.io/devtron/prometheus-nats-exporter:0.9.0", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/prometheus-nats-exporter:0.9.0", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 242, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 243, - "Content": " resources:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mresources\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 244, - "Content": " {}", - "IsCause": 
true, - "Annotation": "", - "Truncated": false, - "Highlighted": " {}", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 245, - "Content": " args:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33margs\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 246, - "Content": " - -connz", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - -connz", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 247, - "Content": " - -routez", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - -routez", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 248, - "Content": " - -subz", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - -subz", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 249, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV011", - "AVDID": "AVD-KSV-0011", - "Title": "CPU not limited", - "Description": "Enforcing CPU limits prevents DoS via resource exhaustion.", - "Message": "Container 'nats' of StatefulSet 'devtron-nats' should set 'resources.limits.cpu'", - "Namespace": "builtin.kubernetes.KSV011", - "Query": "data.builtin.kubernetes.KSV011.deny", - "Resolution": "Set a limit value under 'containers[].resources.limits.cpu'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv011", - "References": [ - "https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", - "https://avd.aquasec.com/misconfig/ksv011" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 133, - "EndLine": 208, - "Code": { - "Lines": [ - { - "Number": 133, - "Content": " - 
name: nats", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: nats", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 134, - "Content": " image: nats:2.9.3-alpine", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: nats:2.9.3-alpine", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 135, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 136, - "Content": " resources:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mresources\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 137, - "Content": " {}", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " {}", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 138, - "Content": " ports:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mports\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 139, - "Content": " - containerPort: 4222", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m4222", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 140, - "Content": " name: client", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mname\u001b[0m: client", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 141, - "Content": " - containerPort: 7422", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m7422", - "FirstCause": false, - "LastCause": true 
- }, - { - "Number": 142, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV011", - "AVDID": "AVD-KSV-0011", - "Title": "CPU not limited", - "Description": "Enforcing CPU limits prevents DoS via resource exhaustion.", - "Message": "Container 'nats-box' of Pod 'devtron-nats-test-request-reply' should set 'resources.limits.cpu'", - "Namespace": "builtin.kubernetes.KSV011", - "Query": "data.builtin.kubernetes.KSV011.deny", - "Resolution": "Set a limit value under 'containers[].resources.limits.cpu'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv011", - "References": [ - "https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", - "https://avd.aquasec.com/misconfig/ksv011" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 284, - "EndLine": 300, - "Code": { - "Lines": [ - { - "Number": 284, - "Content": " - name: nats-box", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: nats-box", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 285, - "Content": " image: quay.io/devtron/nats-box", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/nats-box", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 286, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 287, - "Content": " - name: NATS_HOST", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: NATS_HOST", - "FirstCause": false, - "LastCause": 
false - }, - { - "Number": 288, - "Content": " value: devtron-nats", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: devtron-nats", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 289, - "Content": " command:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mcommand\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 290, - "Content": " - /bin/sh", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - /bin/sh", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 291, - "Content": " - -ec", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - -ec", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 292, - "Content": " - |", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - |", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 293, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV011", - "AVDID": "AVD-KSV-0011", - "Title": "CPU not limited", - "Description": "Enforcing CPU limits prevents DoS via resource exhaustion.", - "Message": "Container 'reloader' of StatefulSet 'devtron-nats' should set 'resources.limits.cpu'", - "Namespace": "builtin.kubernetes.KSV011", - "Query": "data.builtin.kubernetes.KSV011.deny", - "Resolution": "Set a limit value under 'containers[].resources.limits.cpu'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv011", - "References": [ - "https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", - "https://avd.aquasec.com/misconfig/ksv011" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - 
"Service": "general", - "StartLine": 216, - "EndLine": 231, - "Code": { - "Lines": [ - { - "Number": 216, - "Content": " - name: reloader", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: reloader", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 217, - "Content": " image: quay.io/devtron/nats-server-config-reloader:0.6.2", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/nats-server-config-reloader:0.6.2", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 218, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 219, - "Content": " resources:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mresources\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 220, - "Content": " null", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;166mnull", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 221, - "Content": " command:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mcommand\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 222, - "Content": " - \"nats-server-config-reloader\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;37m\"nats-server-config-reloader\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 223, - "Content": " - \"-pid\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m - \u001b[38;5;37m\"-pid\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 224, - 
"Content": " - \"/var/run/nats/nats.pid\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m - \u001b[38;5;37m\"/var/run/nats/nats.pid\"", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 225, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV012", - "AVDID": "AVD-KSV-0012", - "Title": "Runs as root user", - "Description": "Force the running image to run as a non-root user to ensure least privileges.", - "Message": "Container 'metrics' of StatefulSet 'devtron-nats' should set 'securityContext.runAsNonRoot' to true", - "Namespace": "builtin.kubernetes.KSV012", - "Query": "data.builtin.kubernetes.KSV012.deny", - "Resolution": "Set 'containers[].securityContext.runAsNonRoot' to true.", - "Severity": "MEDIUM", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv012", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", - "https://avd.aquasec.com/misconfig/ksv012" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 240, - "EndLine": 256, - "Code": { - "Lines": [ - { - "Number": 240, - "Content": " - name: metrics", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: metrics", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 241, - "Content": " image: quay.io/devtron/prometheus-nats-exporter:0.9.0", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/prometheus-nats-exporter:0.9.0", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 242, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " 
\u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 243, - "Content": " resources:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mresources\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 244, - "Content": " {}", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " {}", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 245, - "Content": " args:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33margs\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 246, - "Content": " - -connz", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - -connz", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 247, - "Content": " - -routez", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - -routez", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 248, - "Content": " - -subz", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - -subz", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 249, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV012", - "AVDID": "AVD-KSV-0012", - "Title": "Runs as root user", - "Description": "Force the running image to run as a non-root user to ensure least privileges.", - "Message": "Container 'nats' of StatefulSet 'devtron-nats' should set 'securityContext.runAsNonRoot' to true", - "Namespace": "builtin.kubernetes.KSV012", - "Query": "data.builtin.kubernetes.KSV012.deny", - "Resolution": "Set 'containers[].securityContext.runAsNonRoot' to true.", - "Severity": "MEDIUM", - "PrimaryURL": 
"https://avd.aquasec.com/misconfig/ksv012", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", - "https://avd.aquasec.com/misconfig/ksv012" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 133, - "EndLine": 208, - "Code": { - "Lines": [ - { - "Number": 133, - "Content": " - name: nats", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: nats", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 134, - "Content": " image: nats:2.9.3-alpine", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: nats:2.9.3-alpine", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 135, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 136, - "Content": " resources:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mresources\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 137, - "Content": " {}", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " {}", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 138, - "Content": " ports:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mports\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 139, - "Content": " - containerPort: 4222", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m4222", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 140, - "Content": " name: client", - "IsCause": 
true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mname\u001b[0m: client", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 141, - "Content": " - containerPort: 7422", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m7422", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 142, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV012", - "AVDID": "AVD-KSV-0012", - "Title": "Runs as root user", - "Description": "Force the running image to run as a non-root user to ensure least privileges.", - "Message": "Container 'nats-box' of Pod 'devtron-nats-test-request-reply' should set 'securityContext.runAsNonRoot' to true", - "Namespace": "builtin.kubernetes.KSV012", - "Query": "data.builtin.kubernetes.KSV012.deny", - "Resolution": "Set 'containers[].securityContext.runAsNonRoot' to true.", - "Severity": "MEDIUM", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv012", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", - "https://avd.aquasec.com/misconfig/ksv012" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 284, - "EndLine": 300, - "Code": { - "Lines": [ - { - "Number": 284, - "Content": " - name: nats-box", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: nats-box", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 285, - "Content": " image: quay.io/devtron/nats-box", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/nats-box", - "FirstCause": false, - "LastCause": false - }, - { - 
"Number": 286, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 287, - "Content": " - name: NATS_HOST", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: NATS_HOST", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 288, - "Content": " value: devtron-nats", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: devtron-nats", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 289, - "Content": " command:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mcommand\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 290, - "Content": " - /bin/sh", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - /bin/sh", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 291, - "Content": " - -ec", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - -ec", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 292, - "Content": " - |", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - |", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 293, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV012", - "AVDID": "AVD-KSV-0012", - "Title": "Runs as root user", - "Description": "Force the running image to run as a non-root user to ensure least privileges.", - "Message": "Container 'reloader' of StatefulSet 'devtron-nats' should set 'securityContext.runAsNonRoot' to true", - "Namespace": "builtin.kubernetes.KSV012", - "Query": 
"data.builtin.kubernetes.KSV012.deny", - "Resolution": "Set 'containers[].securityContext.runAsNonRoot' to true.", - "Severity": "MEDIUM", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv012", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", - "https://avd.aquasec.com/misconfig/ksv012" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 216, - "EndLine": 231, - "Code": { - "Lines": [ - { - "Number": 216, - "Content": " - name: reloader", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: reloader", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 217, - "Content": " image: quay.io/devtron/nats-server-config-reloader:0.6.2", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/nats-server-config-reloader:0.6.2", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 218, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 219, - "Content": " resources:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mresources\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 220, - "Content": " null", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;166mnull", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 221, - "Content": " command:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mcommand\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 222, - "Content": " - 
\"nats-server-config-reloader\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;37m\"nats-server-config-reloader\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 223, - "Content": " - \"-pid\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m - \u001b[38;5;37m\"-pid\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 224, - "Content": " - \"/var/run/nats/nats.pid\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m - \u001b[38;5;37m\"/var/run/nats/nats.pid\"", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 225, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV013", - "AVDID": "AVD-KSV-0013", - "Title": "Image tag \":latest\" used", - "Description": "It is best to avoid using the ':latest' image tag when deploying containers in production. 
Doing so makes it hard to track which version of the image is running, and hard to roll back the version.", - "Message": "Container 'nats-box' of Pod 'devtron-nats-test-request-reply' should specify an image tag", - "Namespace": "builtin.kubernetes.KSV013", - "Query": "data.builtin.kubernetes.KSV013.deny", - "Resolution": "Use a specific container image tag that is not 'latest'.", - "Severity": "MEDIUM", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv013", - "References": [ - "https://kubernetes.io/docs/concepts/configuration/overview/#container-images", - "https://avd.aquasec.com/misconfig/ksv013" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 284, - "EndLine": 300, - "Code": { - "Lines": [ - { - "Number": 284, - "Content": " - name: nats-box", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: nats-box", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 285, - "Content": " image: quay.io/devtron/nats-box", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/nats-box", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 286, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 287, - "Content": " - name: NATS_HOST", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: NATS_HOST", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 288, - "Content": " value: devtron-nats", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: devtron-nats", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 289, - "Content": " command:", - "IsCause": 
true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mcommand\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 290, - "Content": " - /bin/sh", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - /bin/sh", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 291, - "Content": " - -ec", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - -ec", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 292, - "Content": " - |", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - |", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 293, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV014", - "AVDID": "AVD-KSV-0014", - "Title": "Root file system is not read-only", - "Description": "An immutable root file system prevents applications from writing to their local disk. 
This can limit intrusions, as attackers will not be able to tamper with the file system or write foreign executables to disk.", - "Message": "Container 'metrics' of StatefulSet 'devtron-nats' should set 'securityContext.readOnlyRootFilesystem' to true", - "Namespace": "builtin.kubernetes.KSV014", - "Query": "data.builtin.kubernetes.KSV014.deny", - "Resolution": "Change 'containers[].securityContext.readOnlyRootFilesystem' to 'true'.", - "Severity": "HIGH", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv014", - "References": [ - "https://kubesec.io/basics/containers-securitycontext-readonlyrootfilesystem-true/", - "https://avd.aquasec.com/misconfig/ksv014" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 240, - "EndLine": 256, - "Code": { - "Lines": [ - { - "Number": 240, - "Content": " - name: metrics", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: metrics", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 241, - "Content": " image: quay.io/devtron/prometheus-nats-exporter:0.9.0", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/prometheus-nats-exporter:0.9.0", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 242, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 243, - "Content": " resources:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mresources\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 244, - "Content": " {}", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " {}", - "FirstCause": false, - 
"LastCause": false - }, - { - "Number": 245, - "Content": " args:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33margs\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 246, - "Content": " - -connz", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - -connz", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 247, - "Content": " - -routez", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - -routez", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 248, - "Content": " - -subz", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - -subz", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 249, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV014", - "AVDID": "AVD-KSV-0014", - "Title": "Root file system is not read-only", - "Description": "An immutable root file system prevents applications from writing to their local disk. 
This can limit intrusions, as attackers will not be able to tamper with the file system or write foreign executables to disk.", - "Message": "Container 'nats' of StatefulSet 'devtron-nats' should set 'securityContext.readOnlyRootFilesystem' to true", - "Namespace": "builtin.kubernetes.KSV014", - "Query": "data.builtin.kubernetes.KSV014.deny", - "Resolution": "Change 'containers[].securityContext.readOnlyRootFilesystem' to 'true'.", - "Severity": "HIGH", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv014", - "References": [ - "https://kubesec.io/basics/containers-securitycontext-readonlyrootfilesystem-true/", - "https://avd.aquasec.com/misconfig/ksv014" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 133, - "EndLine": 208, - "Code": { - "Lines": [ - { - "Number": 133, - "Content": " - name: nats", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: nats", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 134, - "Content": " image: nats:2.9.3-alpine", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: nats:2.9.3-alpine", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 135, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 136, - "Content": " resources:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mresources\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 137, - "Content": " {}", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " {}", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 138, - "Content": " ports:", - 
"IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mports\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 139, - "Content": " - containerPort: 4222", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m4222", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 140, - "Content": " name: client", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mname\u001b[0m: client", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 141, - "Content": " - containerPort: 7422", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m7422", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 142, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV014", - "AVDID": "AVD-KSV-0014", - "Title": "Root file system is not read-only", - "Description": "An immutable root file system prevents applications from writing to their local disk. 
This can limit intrusions, as attackers will not be able to tamper with the file system or write foreign executables to disk.", - "Message": "Container 'nats-box' of Pod 'devtron-nats-test-request-reply' should set 'securityContext.readOnlyRootFilesystem' to true", - "Namespace": "builtin.kubernetes.KSV014", - "Query": "data.builtin.kubernetes.KSV014.deny", - "Resolution": "Change 'containers[].securityContext.readOnlyRootFilesystem' to 'true'.", - "Severity": "HIGH", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv014", - "References": [ - "https://kubesec.io/basics/containers-securitycontext-readonlyrootfilesystem-true/", - "https://avd.aquasec.com/misconfig/ksv014" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 284, - "EndLine": 300, - "Code": { - "Lines": [ - { - "Number": 284, - "Content": " - name: nats-box", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: nats-box", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 285, - "Content": " image: quay.io/devtron/nats-box", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/nats-box", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 286, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 287, - "Content": " - name: NATS_HOST", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: NATS_HOST", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 288, - "Content": " value: devtron-nats", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: devtron-nats", - "FirstCause": false, - "LastCause": 
false - }, - { - "Number": 289, - "Content": " command:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mcommand\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 290, - "Content": " - /bin/sh", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - /bin/sh", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 291, - "Content": " - -ec", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - -ec", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 292, - "Content": " - |", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - |", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 293, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV014", - "AVDID": "AVD-KSV-0014", - "Title": "Root file system is not read-only", - "Description": "An immutable root file system prevents applications from writing to their local disk. 
This can limit intrusions, as attackers will not be able to tamper with the file system or write foreign executables to disk.", - "Message": "Container 'reloader' of StatefulSet 'devtron-nats' should set 'securityContext.readOnlyRootFilesystem' to true", - "Namespace": "builtin.kubernetes.KSV014", - "Query": "data.builtin.kubernetes.KSV014.deny", - "Resolution": "Change 'containers[].securityContext.readOnlyRootFilesystem' to 'true'.", - "Severity": "HIGH", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv014", - "References": [ - "https://kubesec.io/basics/containers-securitycontext-readonlyrootfilesystem-true/", - "https://avd.aquasec.com/misconfig/ksv014" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 216, - "EndLine": 231, - "Code": { - "Lines": [ - { - "Number": 216, - "Content": " - name: reloader", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: reloader", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 217, - "Content": " image: quay.io/devtron/nats-server-config-reloader:0.6.2", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/nats-server-config-reloader:0.6.2", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 218, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 219, - "Content": " resources:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mresources\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 220, - "Content": " null", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;166mnull", - 
"FirstCause": false, - "LastCause": false - }, - { - "Number": 221, - "Content": " command:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mcommand\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 222, - "Content": " - \"nats-server-config-reloader\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;37m\"nats-server-config-reloader\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 223, - "Content": " - \"-pid\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m - \u001b[38;5;37m\"-pid\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 224, - "Content": " - \"/var/run/nats/nats.pid\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m - \u001b[38;5;37m\"/var/run/nats/nats.pid\"", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 225, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV015", - "AVDID": "AVD-KSV-0015", - "Title": "CPU requests not specified", - "Description": "When containers have resource requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", - "Message": "Container 'metrics' of StatefulSet 'devtron-nats' should set 'resources.requests.cpu'", - "Namespace": "builtin.kubernetes.KSV015", - "Query": "data.builtin.kubernetes.KSV015.deny", - "Resolution": "Set 'containers[].resources.requests.cpu'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv015", - "References": [ - "https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", - "https://avd.aquasec.com/misconfig/ksv015" - ], - 
"Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 240, - "EndLine": 256, - "Code": { - "Lines": [ - { - "Number": 240, - "Content": " - name: metrics", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: metrics", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 241, - "Content": " image: quay.io/devtron/prometheus-nats-exporter:0.9.0", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/prometheus-nats-exporter:0.9.0", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 242, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 243, - "Content": " resources:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mresources\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 244, - "Content": " {}", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " {}", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 245, - "Content": " args:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33margs\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 246, - "Content": " - -connz", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - -connz", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 247, - "Content": " - -routez", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - -routez", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 248, - "Content": " - -subz", - "IsCause": true, - "Annotation": 
"", - "Truncated": false, - "Highlighted": " - -subz", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 249, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV015", - "AVDID": "AVD-KSV-0015", - "Title": "CPU requests not specified", - "Description": "When containers have resource requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", - "Message": "Container 'nats' of StatefulSet 'devtron-nats' should set 'resources.requests.cpu'", - "Namespace": "builtin.kubernetes.KSV015", - "Query": "data.builtin.kubernetes.KSV015.deny", - "Resolution": "Set 'containers[].resources.requests.cpu'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv015", - "References": [ - "https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", - "https://avd.aquasec.com/misconfig/ksv015" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 133, - "EndLine": 208, - "Code": { - "Lines": [ - { - "Number": 133, - "Content": " - name: nats", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: nats", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 134, - "Content": " image: nats:2.9.3-alpine", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: nats:2.9.3-alpine", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 135, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - 
"Number": 136, - "Content": " resources:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mresources\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 137, - "Content": " {}", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " {}", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 138, - "Content": " ports:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mports\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 139, - "Content": " - containerPort: 4222", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m4222", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 140, - "Content": " name: client", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mname\u001b[0m: client", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 141, - "Content": " - containerPort: 7422", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m7422", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 142, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV015", - "AVDID": "AVD-KSV-0015", - "Title": "CPU requests not specified", - "Description": "When containers have resource requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", - "Message": "Container 'nats-box' of Pod 'devtron-nats-test-request-reply' should set 'resources.requests.cpu'", - "Namespace": "builtin.kubernetes.KSV015", - "Query": 
"data.builtin.kubernetes.KSV015.deny", - "Resolution": "Set 'containers[].resources.requests.cpu'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv015", - "References": [ - "https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", - "https://avd.aquasec.com/misconfig/ksv015" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 284, - "EndLine": 300, - "Code": { - "Lines": [ - { - "Number": 284, - "Content": " - name: nats-box", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: nats-box", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 285, - "Content": " image: quay.io/devtron/nats-box", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/nats-box", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 286, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 287, - "Content": " - name: NATS_HOST", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: NATS_HOST", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 288, - "Content": " value: devtron-nats", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: devtron-nats", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 289, - "Content": " command:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mcommand\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 290, - "Content": " - /bin/sh", - "IsCause": true, - "Annotation": "", - 
"Truncated": false, - "Highlighted": " - /bin/sh", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 291, - "Content": " - -ec", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - -ec", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 292, - "Content": " - |", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - |", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 293, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV015", - "AVDID": "AVD-KSV-0015", - "Title": "CPU requests not specified", - "Description": "When containers have resource requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", - "Message": "Container 'reloader' of StatefulSet 'devtron-nats' should set 'resources.requests.cpu'", - "Namespace": "builtin.kubernetes.KSV015", - "Query": "data.builtin.kubernetes.KSV015.deny", - "Resolution": "Set 'containers[].resources.requests.cpu'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv015", - "References": [ - "https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", - "https://avd.aquasec.com/misconfig/ksv015" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 216, - "EndLine": 231, - "Code": { - "Lines": [ - { - "Number": 216, - "Content": " - name: reloader", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: reloader", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 217, - "Content": " image: quay.io/devtron/nats-server-config-reloader:0.6.2", - "IsCause": true, - "Annotation": "", - 
"Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/nats-server-config-reloader:0.6.2", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 218, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 219, - "Content": " resources:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mresources\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 220, - "Content": " null", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;166mnull", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 221, - "Content": " command:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mcommand\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 222, - "Content": " - \"nats-server-config-reloader\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;37m\"nats-server-config-reloader\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 223, - "Content": " - \"-pid\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m - \u001b[38;5;37m\"-pid\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 224, - "Content": " - \"/var/run/nats/nats.pid\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m - \u001b[38;5;37m\"/var/run/nats/nats.pid\"", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 225, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV016", - 
"AVDID": "AVD-KSV-0016", - "Title": "Memory requests not specified", - "Description": "When containers have memory requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", - "Message": "Container 'metrics' of StatefulSet 'devtron-nats' should set 'resources.requests.memory'", - "Namespace": "builtin.kubernetes.KSV016", - "Query": "data.builtin.kubernetes.KSV016.deny", - "Resolution": "Set 'containers[].resources.requests.memory'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv016", - "References": [ - "https://kubesec.io/basics/containers-resources-limits-memory/", - "https://avd.aquasec.com/misconfig/ksv016" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 240, - "EndLine": 256, - "Code": { - "Lines": [ - { - "Number": 240, - "Content": " - name: metrics", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: metrics", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 241, - "Content": " image: quay.io/devtron/prometheus-nats-exporter:0.9.0", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/prometheus-nats-exporter:0.9.0", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 242, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 243, - "Content": " resources:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mresources\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 244, - "Content": " {}", - "IsCause": true, - "Annotation": "", - "Truncated": 
false, - "Highlighted": " {}", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 245, - "Content": " args:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33margs\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 246, - "Content": " - -connz", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - -connz", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 247, - "Content": " - -routez", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - -routez", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 248, - "Content": " - -subz", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - -subz", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 249, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV016", - "AVDID": "AVD-KSV-0016", - "Title": "Memory requests not specified", - "Description": "When containers have memory requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", - "Message": "Container 'nats' of StatefulSet 'devtron-nats' should set 'resources.requests.memory'", - "Namespace": "builtin.kubernetes.KSV016", - "Query": "data.builtin.kubernetes.KSV016.deny", - "Resolution": "Set 'containers[].resources.requests.memory'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv016", - "References": [ - "https://kubesec.io/basics/containers-resources-limits-memory/", - "https://avd.aquasec.com/misconfig/ksv016" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 133, - "EndLine": 208, - "Code": { - "Lines": [ - { - "Number": 133, - 
"Content": " - name: nats", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: nats", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 134, - "Content": " image: nats:2.9.3-alpine", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: nats:2.9.3-alpine", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 135, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 136, - "Content": " resources:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mresources\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 137, - "Content": " {}", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " {}", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 138, - "Content": " ports:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mports\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 139, - "Content": " - containerPort: 4222", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m4222", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 140, - "Content": " name: client", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mname\u001b[0m: client", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 141, - "Content": " - containerPort: 7422", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m7422", - "FirstCause": false, - 
"LastCause": true - }, - { - "Number": 142, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV016", - "AVDID": "AVD-KSV-0016", - "Title": "Memory requests not specified", - "Description": "When containers have memory requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", - "Message": "Container 'nats-box' of Pod 'devtron-nats-test-request-reply' should set 'resources.requests.memory'", - "Namespace": "builtin.kubernetes.KSV016", - "Query": "data.builtin.kubernetes.KSV016.deny", - "Resolution": "Set 'containers[].resources.requests.memory'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv016", - "References": [ - "https://kubesec.io/basics/containers-resources-limits-memory/", - "https://avd.aquasec.com/misconfig/ksv016" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 284, - "EndLine": 300, - "Code": { - "Lines": [ - { - "Number": 284, - "Content": " - name: nats-box", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: nats-box", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 285, - "Content": " image: quay.io/devtron/nats-box", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/nats-box", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 286, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 287, - "Content": " - name: NATS_HOST", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - 
\u001b[38;5;33mname\u001b[0m: NATS_HOST", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 288, - "Content": " value: devtron-nats", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: devtron-nats", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 289, - "Content": " command:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mcommand\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 290, - "Content": " - /bin/sh", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - /bin/sh", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 291, - "Content": " - -ec", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - -ec", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 292, - "Content": " - |", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - |", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 293, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV016", - "AVDID": "AVD-KSV-0016", - "Title": "Memory requests not specified", - "Description": "When containers have memory requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", - "Message": "Container 'reloader' of StatefulSet 'devtron-nats' should set 'resources.requests.memory'", - "Namespace": "builtin.kubernetes.KSV016", - "Query": "data.builtin.kubernetes.KSV016.deny", - "Resolution": "Set 'containers[].resources.requests.memory'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv016", - "References": [ - "https://kubesec.io/basics/containers-resources-limits-memory/", - 
"https://avd.aquasec.com/misconfig/ksv016" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 216, - "EndLine": 231, - "Code": { - "Lines": [ - { - "Number": 216, - "Content": " - name: reloader", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: reloader", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 217, - "Content": " image: quay.io/devtron/nats-server-config-reloader:0.6.2", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/nats-server-config-reloader:0.6.2", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 218, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 219, - "Content": " resources:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mresources\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 220, - "Content": " null", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;166mnull", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 221, - "Content": " command:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mcommand\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 222, - "Content": " - \"nats-server-config-reloader\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;37m\"nats-server-config-reloader\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 223, - "Content": " - \"-pid\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - 
"Highlighted": "\u001b[0m - \u001b[38;5;37m\"-pid\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 224, - "Content": " - \"/var/run/nats/nats.pid\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m - \u001b[38;5;37m\"/var/run/nats/nats.pid\"", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 225, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV018", - "AVDID": "AVD-KSV-0018", - "Title": "Memory not limited", - "Description": "Enforcing memory limits prevents DoS via resource exhaustion.", - "Message": "Container 'metrics' of StatefulSet 'devtron-nats' should set 'resources.limits.memory'", - "Namespace": "builtin.kubernetes.KSV018", - "Query": "data.builtin.kubernetes.KSV018.deny", - "Resolution": "Set a limit value under 'containers[].resources.limits.memory'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv018", - "References": [ - "https://kubesec.io/basics/containers-resources-limits-memory/", - "https://avd.aquasec.com/misconfig/ksv018" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 240, - "EndLine": 256, - "Code": { - "Lines": [ - { - "Number": 240, - "Content": " - name: metrics", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: metrics", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 241, - "Content": " image: quay.io/devtron/prometheus-nats-exporter:0.9.0", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/prometheus-nats-exporter:0.9.0", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 242, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, 
- "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 243, - "Content": " resources:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mresources\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 244, - "Content": " {}", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " {}", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 245, - "Content": " args:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33margs\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 246, - "Content": " - -connz", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - -connz", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 247, - "Content": " - -routez", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - -routez", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 248, - "Content": " - -subz", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - -subz", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 249, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV018", - "AVDID": "AVD-KSV-0018", - "Title": "Memory not limited", - "Description": "Enforcing memory limits prevents DoS via resource exhaustion.", - "Message": "Container 'nats' of StatefulSet 'devtron-nats' should set 'resources.limits.memory'", - "Namespace": "builtin.kubernetes.KSV018", - "Query": "data.builtin.kubernetes.KSV018.deny", - "Resolution": "Set a limit value under 'containers[].resources.limits.memory'.", - "Severity": "LOW", - 
"PrimaryURL": "https://avd.aquasec.com/misconfig/ksv018", - "References": [ - "https://kubesec.io/basics/containers-resources-limits-memory/", - "https://avd.aquasec.com/misconfig/ksv018" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 133, - "EndLine": 208, - "Code": { - "Lines": [ - { - "Number": 133, - "Content": " - name: nats", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: nats", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 134, - "Content": " image: nats:2.9.3-alpine", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: nats:2.9.3-alpine", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 135, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 136, - "Content": " resources:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mresources\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 137, - "Content": " {}", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " {}", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 138, - "Content": " ports:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mports\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 139, - "Content": " - containerPort: 4222", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m4222", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 140, - "Content": " name: client", - "IsCause": true, - 
"Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mname\u001b[0m: client", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 141, - "Content": " - containerPort: 7422", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m7422", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 142, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV018", - "AVDID": "AVD-KSV-0018", - "Title": "Memory not limited", - "Description": "Enforcing memory limits prevents DoS via resource exhaustion.", - "Message": "Container 'nats-box' of Pod 'devtron-nats-test-request-reply' should set 'resources.limits.memory'", - "Namespace": "builtin.kubernetes.KSV018", - "Query": "data.builtin.kubernetes.KSV018.deny", - "Resolution": "Set a limit value under 'containers[].resources.limits.memory'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv018", - "References": [ - "https://kubesec.io/basics/containers-resources-limits-memory/", - "https://avd.aquasec.com/misconfig/ksv018" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 284, - "EndLine": 300, - "Code": { - "Lines": [ - { - "Number": 284, - "Content": " - name: nats-box", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: nats-box", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 285, - "Content": " image: quay.io/devtron/nats-box", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/nats-box", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 286, - "Content": " env:", - "IsCause": true, - 
"Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 287, - "Content": " - name: NATS_HOST", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: NATS_HOST", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 288, - "Content": " value: devtron-nats", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: devtron-nats", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 289, - "Content": " command:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mcommand\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 290, - "Content": " - /bin/sh", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - /bin/sh", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 291, - "Content": " - -ec", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - -ec", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 292, - "Content": " - |", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - |", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 293, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV018", - "AVDID": "AVD-KSV-0018", - "Title": "Memory not limited", - "Description": "Enforcing memory limits prevents DoS via resource exhaustion.", - "Message": "Container 'reloader' of StatefulSet 'devtron-nats' should set 'resources.limits.memory'", - "Namespace": "builtin.kubernetes.KSV018", - "Query": "data.builtin.kubernetes.KSV018.deny", - "Resolution": "Set a limit value under 
'containers[].resources.limits.memory'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv018", - "References": [ - "https://kubesec.io/basics/containers-resources-limits-memory/", - "https://avd.aquasec.com/misconfig/ksv018" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 216, - "EndLine": 231, - "Code": { - "Lines": [ - { - "Number": 216, - "Content": " - name: reloader", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: reloader", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 217, - "Content": " image: quay.io/devtron/nats-server-config-reloader:0.6.2", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/nats-server-config-reloader:0.6.2", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 218, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 219, - "Content": " resources:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mresources\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 220, - "Content": " null", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;166mnull", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 221, - "Content": " command:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mcommand\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 222, - "Content": " - \"nats-server-config-reloader\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - 
\u001b[38;5;37m\"nats-server-config-reloader\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 223, - "Content": " - \"-pid\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m - \u001b[38;5;37m\"-pid\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 224, - "Content": " - \"/var/run/nats/nats.pid\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m - \u001b[38;5;37m\"/var/run/nats/nats.pid\"", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 225, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV020", - "AVDID": "AVD-KSV-0020", - "Title": "Runs with UID \u003c= 10000", - "Description": "Force the container to run with user ID \u003e 10000 to avoid conflicts with the host’s user table.", - "Message": "Container 'metrics' of StatefulSet 'devtron-nats' should set 'securityContext.runAsUser' \u003e 10000", - "Namespace": "builtin.kubernetes.KSV020", - "Query": "data.builtin.kubernetes.KSV020.deny", - "Resolution": "Set 'containers[].securityContext.runAsUser' to an integer \u003e 10000.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv020", - "References": [ - "https://kubesec.io/basics/containers-securitycontext-runasuser/", - "https://avd.aquasec.com/misconfig/ksv020" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 240, - "EndLine": 256, - "Code": { - "Lines": [ - { - "Number": 240, - "Content": " - name: metrics", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: metrics", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 241, - "Content": " image: quay.io/devtron/prometheus-nats-exporter:0.9.0", - "IsCause": 
true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/prometheus-nats-exporter:0.9.0", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 242, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 243, - "Content": " resources:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mresources\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 244, - "Content": " {}", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " {}", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 245, - "Content": " args:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33margs\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 246, - "Content": " - -connz", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - -connz", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 247, - "Content": " - -routez", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - -routez", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 248, - "Content": " - -subz", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - -subz", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 249, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV020", - "AVDID": "AVD-KSV-0020", - "Title": "Runs with UID \u003c= 10000", - "Description": "Force the container to run with user ID \u003e 10000 to avoid conflicts with the 
host’s user table.", - "Message": "Container 'nats' of StatefulSet 'devtron-nats' should set 'securityContext.runAsUser' \u003e 10000", - "Namespace": "builtin.kubernetes.KSV020", - "Query": "data.builtin.kubernetes.KSV020.deny", - "Resolution": "Set 'containers[].securityContext.runAsUser' to an integer \u003e 10000.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv020", - "References": [ - "https://kubesec.io/basics/containers-securitycontext-runasuser/", - "https://avd.aquasec.com/misconfig/ksv020" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 133, - "EndLine": 208, - "Code": { - "Lines": [ - { - "Number": 133, - "Content": " - name: nats", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: nats", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 134, - "Content": " image: nats:2.9.3-alpine", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: nats:2.9.3-alpine", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 135, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 136, - "Content": " resources:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mresources\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 137, - "Content": " {}", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " {}", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 138, - "Content": " ports:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mports\u001b[0m:", - "FirstCause": false, - 
"LastCause": false - }, - { - "Number": 139, - "Content": " - containerPort: 4222", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m4222", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 140, - "Content": " name: client", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mname\u001b[0m: client", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 141, - "Content": " - containerPort: 7422", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m7422", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 142, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV020", - "AVDID": "AVD-KSV-0020", - "Title": "Runs with UID \u003c= 10000", - "Description": "Force the container to run with user ID \u003e 10000 to avoid conflicts with the host’s user table.", - "Message": "Container 'nats-box' of Pod 'devtron-nats-test-request-reply' should set 'securityContext.runAsUser' \u003e 10000", - "Namespace": "builtin.kubernetes.KSV020", - "Query": "data.builtin.kubernetes.KSV020.deny", - "Resolution": "Set 'containers[].securityContext.runAsUser' to an integer \u003e 10000.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv020", - "References": [ - "https://kubesec.io/basics/containers-securitycontext-runasuser/", - "https://avd.aquasec.com/misconfig/ksv020" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 284, - "EndLine": 300, - "Code": { - "Lines": [ - { - "Number": 284, - "Content": " - name: nats-box", - "IsCause": true, - "Annotation": "", - "Truncated": false, - 
"Highlighted": " - \u001b[38;5;33mname\u001b[0m: nats-box", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 285, - "Content": " image: quay.io/devtron/nats-box", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/nats-box", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 286, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 287, - "Content": " - name: NATS_HOST", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: NATS_HOST", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 288, - "Content": " value: devtron-nats", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: devtron-nats", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 289, - "Content": " command:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mcommand\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 290, - "Content": " - /bin/sh", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - /bin/sh", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 291, - "Content": " - -ec", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - -ec", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 292, - "Content": " - |", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - |", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 293, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - 
"ID": "KSV020", - "AVDID": "AVD-KSV-0020", - "Title": "Runs with UID \u003c= 10000", - "Description": "Force the container to run with user ID \u003e 10000 to avoid conflicts with the host’s user table.", - "Message": "Container 'reloader' of StatefulSet 'devtron-nats' should set 'securityContext.runAsUser' \u003e 10000", - "Namespace": "builtin.kubernetes.KSV020", - "Query": "data.builtin.kubernetes.KSV020.deny", - "Resolution": "Set 'containers[].securityContext.runAsUser' to an integer \u003e 10000.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv020", - "References": [ - "https://kubesec.io/basics/containers-securitycontext-runasuser/", - "https://avd.aquasec.com/misconfig/ksv020" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 216, - "EndLine": 231, - "Code": { - "Lines": [ - { - "Number": 216, - "Content": " - name: reloader", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: reloader", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 217, - "Content": " image: quay.io/devtron/nats-server-config-reloader:0.6.2", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/nats-server-config-reloader:0.6.2", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 218, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 219, - "Content": " resources:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mresources\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 220, - "Content": " null", - "IsCause": true, - "Annotation": "", - "Truncated": 
false, - "Highlighted": " \u001b[38;5;166mnull", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 221, - "Content": " command:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mcommand\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 222, - "Content": " - \"nats-server-config-reloader\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;37m\"nats-server-config-reloader\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 223, - "Content": " - \"-pid\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m - \u001b[38;5;37m\"-pid\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 224, - "Content": " - \"/var/run/nats/nats.pid\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m - \u001b[38;5;37m\"/var/run/nats/nats.pid\"", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 225, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV021", - "AVDID": "AVD-KSV-0021", - "Title": "Runs with GID \u003c= 10000", - "Description": "Force the container to run with group ID \u003e 10000 to avoid conflicts with the host’s user table.", - "Message": "Container 'metrics' of StatefulSet 'devtron-nats' should set 'securityContext.runAsGroup' \u003e 10000", - "Namespace": "builtin.kubernetes.KSV021", - "Query": "data.builtin.kubernetes.KSV021.deny", - "Resolution": "Set 'containers[].securityContext.runAsGroup' to an integer \u003e 10000.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv021", - "References": [ - "https://kubesec.io/basics/containers-securitycontext-runasuser/", - "https://avd.aquasec.com/misconfig/ksv021" - ], - "Status": "FAIL", - 
"Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 240, - "EndLine": 256, - "Code": { - "Lines": [ - { - "Number": 240, - "Content": " - name: metrics", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: metrics", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 241, - "Content": " image: quay.io/devtron/prometheus-nats-exporter:0.9.0", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/prometheus-nats-exporter:0.9.0", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 242, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 243, - "Content": " resources:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mresources\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 244, - "Content": " {}", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " {}", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 245, - "Content": " args:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33margs\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 246, - "Content": " - -connz", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - -connz", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 247, - "Content": " - -routez", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - -routez", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 248, - "Content": " - -subz", - "IsCause": true, - "Annotation": "", - "Truncated": 
false, - "Highlighted": " - -subz", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 249, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV021", - "AVDID": "AVD-KSV-0021", - "Title": "Runs with GID \u003c= 10000", - "Description": "Force the container to run with group ID \u003e 10000 to avoid conflicts with the host’s user table.", - "Message": "Container 'nats' of StatefulSet 'devtron-nats' should set 'securityContext.runAsGroup' \u003e 10000", - "Namespace": "builtin.kubernetes.KSV021", - "Query": "data.builtin.kubernetes.KSV021.deny", - "Resolution": "Set 'containers[].securityContext.runAsGroup' to an integer \u003e 10000.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv021", - "References": [ - "https://kubesec.io/basics/containers-securitycontext-runasuser/", - "https://avd.aquasec.com/misconfig/ksv021" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 133, - "EndLine": 208, - "Code": { - "Lines": [ - { - "Number": 133, - "Content": " - name: nats", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: nats", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 134, - "Content": " image: nats:2.9.3-alpine", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: nats:2.9.3-alpine", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 135, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 136, - "Content": " resources:", - "IsCause": true, - "Annotation": "", - 
"Truncated": false, - "Highlighted": " \u001b[38;5;33mresources\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 137, - "Content": " {}", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " {}", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 138, - "Content": " ports:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mports\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 139, - "Content": " - containerPort: 4222", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m4222", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 140, - "Content": " name: client", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mname\u001b[0m: client", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 141, - "Content": " - containerPort: 7422", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m7422", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 142, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV021", - "AVDID": "AVD-KSV-0021", - "Title": "Runs with GID \u003c= 10000", - "Description": "Force the container to run with group ID \u003e 10000 to avoid conflicts with the host’s user table.", - "Message": "Container 'nats-box' of Pod 'devtron-nats-test-request-reply' should set 'securityContext.runAsGroup' \u003e 10000", - "Namespace": "builtin.kubernetes.KSV021", - "Query": "data.builtin.kubernetes.KSV021.deny", - "Resolution": "Set 'containers[].securityContext.runAsGroup' to an integer \u003e 10000.", - "Severity": "LOW", - 
"PrimaryURL": "https://avd.aquasec.com/misconfig/ksv021", - "References": [ - "https://kubesec.io/basics/containers-securitycontext-runasuser/", - "https://avd.aquasec.com/misconfig/ksv021" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 284, - "EndLine": 300, - "Code": { - "Lines": [ - { - "Number": 284, - "Content": " - name: nats-box", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: nats-box", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 285, - "Content": " image: quay.io/devtron/nats-box", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/nats-box", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 286, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 287, - "Content": " - name: NATS_HOST", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: NATS_HOST", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 288, - "Content": " value: devtron-nats", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: devtron-nats", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 289, - "Content": " command:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mcommand\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 290, - "Content": " - /bin/sh", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - /bin/sh", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 291, - "Content": " - -ec", - "IsCause": true, - "Annotation": "", - 
"Truncated": false, - "Highlighted": " - -ec", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 292, - "Content": " - |", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - |", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 293, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV021", - "AVDID": "AVD-KSV-0021", - "Title": "Runs with GID \u003c= 10000", - "Description": "Force the container to run with group ID \u003e 10000 to avoid conflicts with the host’s user table.", - "Message": "Container 'reloader' of StatefulSet 'devtron-nats' should set 'securityContext.runAsGroup' \u003e 10000", - "Namespace": "builtin.kubernetes.KSV021", - "Query": "data.builtin.kubernetes.KSV021.deny", - "Resolution": "Set 'containers[].securityContext.runAsGroup' to an integer \u003e 10000.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv021", - "References": [ - "https://kubesec.io/basics/containers-securitycontext-runasuser/", - "https://avd.aquasec.com/misconfig/ksv021" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 216, - "EndLine": 231, - "Code": { - "Lines": [ - { - "Number": 216, - "Content": " - name: reloader", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: reloader", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 217, - "Content": " image: quay.io/devtron/nats-server-config-reloader:0.6.2", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/nats-server-config-reloader:0.6.2", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 218, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": 
true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 219, - "Content": " resources:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mresources\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 220, - "Content": " null", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;166mnull", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 221, - "Content": " command:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mcommand\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 222, - "Content": " - \"nats-server-config-reloader\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;37m\"nats-server-config-reloader\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 223, - "Content": " - \"-pid\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m - \u001b[38;5;37m\"-pid\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 224, - "Content": " - \"/var/run/nats/nats.pid\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m - \u001b[38;5;37m\"/var/run/nats/nats.pid\"", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 225, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV030", - "AVDID": "AVD-KSV-0030", - "Title": "Runtime/Default Seccomp profile not set", - "Description": "According to pod security standard 'Seccomp', the RuntimeDefault seccomp profile must be required, or allow specific additional profiles.", - "Message": 
"Either Pod or Container should set 'securityContext.seccompProfile.type' to 'RuntimeDefault'", - "Namespace": "builtin.kubernetes.KSV030", - "Query": "data.builtin.kubernetes.KSV030.deny", - "Resolution": "Set 'spec.securityContext.seccompProfile.type', 'spec.containers[*].securityContext.seccompProfile' and 'spec.initContainers[*].securityContext.seccompProfile' to 'RuntimeDefault' or undefined.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv030", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", - "https://avd.aquasec.com/misconfig/ksv030" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 284, - "EndLine": 300, - "Code": { - "Lines": [ - { - "Number": 284, - "Content": " - name: nats-box", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: nats-box", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 285, - "Content": " image: quay.io/devtron/nats-box", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/nats-box", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 286, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 287, - "Content": " - name: NATS_HOST", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: NATS_HOST", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 288, - "Content": " value: devtron-nats", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: devtron-nats", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 289, - "Content": " 
command:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mcommand\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 290, - "Content": " - /bin/sh", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - /bin/sh", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 291, - "Content": " - -ec", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - -ec", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 292, - "Content": " - |", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - |", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 293, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV030", - "AVDID": "AVD-KSV-0030", - "Title": "Runtime/Default Seccomp profile not set", - "Description": "According to pod security standard 'Seccomp', the RuntimeDefault seccomp profile must be required, or allow specific additional profiles.", - "Message": "Either Pod or Container should set 'securityContext.seccompProfile.type' to 'RuntimeDefault'", - "Namespace": "builtin.kubernetes.KSV030", - "Query": "data.builtin.kubernetes.KSV030.deny", - "Resolution": "Set 'spec.securityContext.seccompProfile.type', 'spec.containers[*].securityContext.seccompProfile' and 'spec.initContainers[*].securityContext.seccompProfile' to 'RuntimeDefault' or undefined.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv030", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", - "https://avd.aquasec.com/misconfig/ksv030" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 240, - "EndLine": 256, - "Code": { - 
"Lines": [ - { - "Number": 240, - "Content": " - name: metrics", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: metrics", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 241, - "Content": " image: quay.io/devtron/prometheus-nats-exporter:0.9.0", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/prometheus-nats-exporter:0.9.0", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 242, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 243, - "Content": " resources:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mresources\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 244, - "Content": " {}", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " {}", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 245, - "Content": " args:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33margs\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 246, - "Content": " - -connz", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - -connz", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 247, - "Content": " - -routez", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - -routez", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 248, - "Content": " - -subz", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - -subz", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 249, - "Content": "", - "IsCause": 
false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV030", - "AVDID": "AVD-KSV-0030", - "Title": "Runtime/Default Seccomp profile not set", - "Description": "According to pod security standard 'Seccomp', the RuntimeDefault seccomp profile must be required, or allow specific additional profiles.", - "Message": "Either Pod or Container should set 'securityContext.seccompProfile.type' to 'RuntimeDefault'", - "Namespace": "builtin.kubernetes.KSV030", - "Query": "data.builtin.kubernetes.KSV030.deny", - "Resolution": "Set 'spec.securityContext.seccompProfile.type', 'spec.containers[*].securityContext.seccompProfile' and 'spec.initContainers[*].securityContext.seccompProfile' to 'RuntimeDefault' or undefined.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv030", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", - "https://avd.aquasec.com/misconfig/ksv030" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 216, - "EndLine": 231, - "Code": { - "Lines": [ - { - "Number": 216, - "Content": " - name: reloader", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: reloader", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 217, - "Content": " image: quay.io/devtron/nats-server-config-reloader:0.6.2", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/nats-server-config-reloader:0.6.2", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 218, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - 
"LastCause": false - }, - { - "Number": 219, - "Content": " resources:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mresources\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 220, - "Content": " null", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;166mnull", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 221, - "Content": " command:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mcommand\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 222, - "Content": " - \"nats-server-config-reloader\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;37m\"nats-server-config-reloader\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 223, - "Content": " - \"-pid\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m - \u001b[38;5;37m\"-pid\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 224, - "Content": " - \"/var/run/nats/nats.pid\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m - \u001b[38;5;37m\"/var/run/nats/nats.pid\"", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 225, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV030", - "AVDID": "AVD-KSV-0030", - "Title": "Runtime/Default Seccomp profile not set", - "Description": "According to pod security standard 'Seccomp', the RuntimeDefault seccomp profile must be required, or allow specific additional profiles.", - "Message": "Either Pod or Container should set 'securityContext.seccompProfile.type' to 'RuntimeDefault'", - "Namespace": "builtin.kubernetes.KSV030", - "Query": 
"data.builtin.kubernetes.KSV030.deny", - "Resolution": "Set 'spec.securityContext.seccompProfile.type', 'spec.containers[*].securityContext.seccompProfile' and 'spec.initContainers[*].securityContext.seccompProfile' to 'RuntimeDefault' or undefined.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv030", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", - "https://avd.aquasec.com/misconfig/ksv030" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 133, - "EndLine": 208, - "Code": { - "Lines": [ - { - "Number": 133, - "Content": " - name: nats", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: nats", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 134, - "Content": " image: nats:2.9.3-alpine", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: nats:2.9.3-alpine", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 135, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 136, - "Content": " resources:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mresources\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 137, - "Content": " {}", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " {}", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 138, - "Content": " ports:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mports\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 139, - 
"Content": " - containerPort: 4222", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m4222", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 140, - "Content": " name: client", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mname\u001b[0m: client", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 141, - "Content": " - containerPort: 7422", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m7422", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 142, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV104", - "AVDID": "AVD-KSV-0104", - "Title": "Seccomp policies disabled", - "Description": "A program inside the container can bypass Seccomp protection policies.", - "Message": "container \"metrics\" of statefulset \"devtron-nats\" in \"devtroncd\" namespace should specify a seccomp profile", - "Namespace": "builtin.kubernetes.KSV104", - "Query": "data.builtin.kubernetes.KSV104.deny", - "Resolution": "Specify seccomp either by annotation or by seccomp profile type having allowed values as per pod security standards", - "Severity": "MEDIUM", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv104", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline", - "https://avd.aquasec.com/misconfig/ksv104" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 69, - "EndLine": 69, - "Code": { - "Lines": [ - { - "Number": 69, - "Content": "---", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m---", - 
"FirstCause": true, - "LastCause": true - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV104", - "AVDID": "AVD-KSV-0104", - "Title": "Seccomp policies disabled", - "Description": "A program inside the container can bypass Seccomp protection policies.", - "Message": "container \"nats\" of statefulset \"devtron-nats\" in \"devtroncd\" namespace should specify a seccomp profile", - "Namespace": "builtin.kubernetes.KSV104", - "Query": "data.builtin.kubernetes.KSV104.deny", - "Resolution": "Specify seccomp either by annotation or by seccomp profile type having allowed values as per pod security standards", - "Severity": "MEDIUM", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv104", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline", - "https://avd.aquasec.com/misconfig/ksv104" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 69, - "EndLine": 69, - "Code": { - "Lines": [ - { - "Number": 69, - "Content": "---", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m---", - "FirstCause": true, - "LastCause": true - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV104", - "AVDID": "AVD-KSV-0104", - "Title": "Seccomp policies disabled", - "Description": "A program inside the container can bypass Seccomp protection policies.", - "Message": "container \"nats-box\" of pod \"devtron-nats-test-request-reply\" in \"default\" namespace should specify a seccomp profile", - "Namespace": "builtin.kubernetes.KSV104", - "Query": "data.builtin.kubernetes.KSV104.deny", - "Resolution": "Specify seccomp either by annotation or by seccomp profile type having allowed values as per pod security standards", - "Severity": "MEDIUM", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv104", - "References": [ - 
"https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline", - "https://avd.aquasec.com/misconfig/ksv104" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 267, - "EndLine": 267, - "Code": { - "Lines": [ - { - "Number": 267, - "Content": "---", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "---", - "FirstCause": true, - "LastCause": true - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV104", - "AVDID": "AVD-KSV-0104", - "Title": "Seccomp policies disabled", - "Description": "A program inside the container can bypass Seccomp protection policies.", - "Message": "container \"reloader\" of statefulset \"devtron-nats\" in \"devtroncd\" namespace should specify a seccomp profile", - "Namespace": "builtin.kubernetes.KSV104", - "Query": "data.builtin.kubernetes.KSV104.deny", - "Resolution": "Specify seccomp either by annotation or by seccomp profile type having allowed values as per pod security standards", - "Severity": "MEDIUM", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv104", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline", - "https://avd.aquasec.com/misconfig/ksv104" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 69, - "EndLine": 69, - "Code": { - "Lines": [ - { - "Number": 69, - "Content": "---", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m---", - "FirstCause": true, - "LastCause": true - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV106", - "AVDID": "AVD-KSV-0106", - "Title": "Container capabilities must only include NET_BIND_SERVICE", - "Description": "Containers must drop ALL capabilities, and are only permitted to add back the NET_BIND_SERVICE capability.", - "Message": "container should drop all", 
- "Namespace": "builtin.kubernetes.KSV106", - "Query": "data.builtin.kubernetes.KSV106.deny", - "Resolution": "Set 'spec.containers[*].securityContext.capabilities.drop' to 'ALL' and only add 'NET_BIND_SERVICE' to 'spec.containers[*].securityContext.capabilities.add'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv106", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", - "https://avd.aquasec.com/misconfig/ksv106" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 133, - "EndLine": 208, - "Code": { - "Lines": [ - { - "Number": 133, - "Content": " - name: nats", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: nats", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 134, - "Content": " image: nats:2.9.3-alpine", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: nats:2.9.3-alpine", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 135, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 136, - "Content": " resources:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mresources\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 137, - "Content": " {}", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " {}", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 138, - "Content": " ports:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mports\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - 
"Number": 139, - "Content": " - containerPort: 4222", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m4222", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 140, - "Content": " name: client", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mname\u001b[0m: client", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 141, - "Content": " - containerPort: 7422", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m7422", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 142, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV106", - "AVDID": "AVD-KSV-0106", - "Title": "Container capabilities must only include NET_BIND_SERVICE", - "Description": "Containers must drop ALL capabilities, and are only permitted to add back the NET_BIND_SERVICE capability.", - "Message": "container should drop all", - "Namespace": "builtin.kubernetes.KSV106", - "Query": "data.builtin.kubernetes.KSV106.deny", - "Resolution": "Set 'spec.containers[*].securityContext.capabilities.drop' to 'ALL' and only add 'NET_BIND_SERVICE' to 'spec.containers[*].securityContext.capabilities.add'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv106", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", - "https://avd.aquasec.com/misconfig/ksv106" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 216, - "EndLine": 231, - "Code": { - "Lines": [ - { - "Number": 216, - "Content": " - name: reloader", - "IsCause": true, - "Annotation": "", - 
"Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: reloader", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 217, - "Content": " image: quay.io/devtron/nats-server-config-reloader:0.6.2", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/nats-server-config-reloader:0.6.2", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 218, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 219, - "Content": " resources:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mresources\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 220, - "Content": " null", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;166mnull", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 221, - "Content": " command:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mcommand\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 222, - "Content": " - \"nats-server-config-reloader\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;37m\"nats-server-config-reloader\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 223, - "Content": " - \"-pid\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m - \u001b[38;5;37m\"-pid\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 224, - "Content": " - \"/var/run/nats/nats.pid\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m - \u001b[38;5;37m\"/var/run/nats/nats.pid\"", - 
"FirstCause": false, - "LastCause": true - }, - { - "Number": 225, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV106", - "AVDID": "AVD-KSV-0106", - "Title": "Container capabilities must only include NET_BIND_SERVICE", - "Description": "Containers must drop ALL capabilities, and are only permitted to add back the NET_BIND_SERVICE capability.", - "Message": "container should drop all", - "Namespace": "builtin.kubernetes.KSV106", - "Query": "data.builtin.kubernetes.KSV106.deny", - "Resolution": "Set 'spec.containers[*].securityContext.capabilities.drop' to 'ALL' and only add 'NET_BIND_SERVICE' to 'spec.containers[*].securityContext.capabilities.add'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv106", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", - "https://avd.aquasec.com/misconfig/ksv106" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 240, - "EndLine": 256, - "Code": { - "Lines": [ - { - "Number": 240, - "Content": " - name: metrics", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: metrics", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 241, - "Content": " image: quay.io/devtron/prometheus-nats-exporter:0.9.0", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/prometheus-nats-exporter:0.9.0", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 242, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - 
"Number": 243, - "Content": " resources:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mresources\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 244, - "Content": " {}", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " {}", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 245, - "Content": " args:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33margs\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 246, - "Content": " - -connz", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - -connz", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 247, - "Content": " - -routez", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - -routez", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 248, - "Content": " - -subz", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - -subz", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 249, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV106", - "AVDID": "AVD-KSV-0106", - "Title": "Container capabilities must only include NET_BIND_SERVICE", - "Description": "Containers must drop ALL capabilities, and are only permitted to add back the NET_BIND_SERVICE capability.", - "Message": "container should drop all", - "Namespace": "builtin.kubernetes.KSV106", - "Query": "data.builtin.kubernetes.KSV106.deny", - "Resolution": "Set 'spec.containers[*].securityContext.capabilities.drop' to 'ALL' and only add 'NET_BIND_SERVICE' to 'spec.containers[*].securityContext.capabilities.add'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv106", - 
"References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", - "https://avd.aquasec.com/misconfig/ksv106" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 284, - "EndLine": 300, - "Code": { - "Lines": [ - { - "Number": 284, - "Content": " - name: nats-box", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: nats-box", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 285, - "Content": " image: quay.io/devtron/nats-box", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/nats-box", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 286, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 287, - "Content": " - name: NATS_HOST", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: NATS_HOST", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 288, - "Content": " value: devtron-nats", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: devtron-nats", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 289, - "Content": " command:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mcommand\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 290, - "Content": " - /bin/sh", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - /bin/sh", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 291, - "Content": " - -ec", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - 
-ec", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 292, - "Content": " - |", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - |", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 293, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - } - ] - }, - { - "Target": "manifests/yamls/nats-streaming.yaml", - "Class": "config", - "Type": "kubernetes", - "MisconfSummary": { - "Successes": 153, - "Failures": 27, - "Exceptions": 0 - }, - "Misconfigurations": [ - { - "Type": "Kubernetes Security Check", - "ID": "KSV001", - "AVDID": "AVD-KSV-0001", - "Title": "Can elevate its own privileges", - "Description": "A program inside the container can elevate its own privileges and run as root, which might give the program control over the container and node.", - "Message": "Container 'metrics' of StatefulSet 'devtron-stan' should set 'securityContext.allowPrivilegeEscalation' to false", - "Namespace": "builtin.kubernetes.KSV001", - "Query": "data.builtin.kubernetes.KSV001.deny", - "Resolution": "Set 'set containers[].securityContext.allowPrivilegeEscalation' to 'false'.", - "Severity": "MEDIUM", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv001", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", - "https://avd.aquasec.com/misconfig/ksv001" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 170, - "EndLine": 182, - "Code": { - "Lines": [ - { - "Number": 170, - "Content": " - name: metrics", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: metrics", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 171, - "Content": " image: quay.io/devtron/prometheus-nats-exporter:latest", - "IsCause": true, - "Annotation": "", 
- "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/prometheus-nats-exporter:latest", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 172, - "Content": " args:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33margs\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 173, - "Content": " - -connz", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - -connz", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 174, - "Content": " - -routez", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - -routez", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 175, - "Content": " - -subz", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - -subz", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 176, - "Content": " - -varz", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - -varz", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 177, - "Content": " - -channelz", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - -channelz", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 178, - "Content": " - -serverz", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - -serverz", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 179, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV001", - "AVDID": "AVD-KSV-0001", - "Title": "Can elevate its own privileges", - "Description": "A program inside the container can elevate its own privileges and run as root, which might give the program control over the container and node.", - "Message": "Container 'stan' 
of StatefulSet 'devtron-stan' should set 'securityContext.allowPrivilegeEscalation' to false", - "Namespace": "builtin.kubernetes.KSV001", - "Query": "data.builtin.kubernetes.KSV001.deny", - "Resolution": "Set 'set containers[].securityContext.allowPrivilegeEscalation' to 'false'.", - "Severity": "MEDIUM", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv001", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", - "https://avd.aquasec.com/misconfig/ksv001" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 127, - "EndLine": 164, - "Code": { - "Lines": [ - { - "Number": 127, - "Content": " - name: stan", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: stan", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 128, - "Content": " image: quay.io/devtron/nats-streaming:0.23.0", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/nats-streaming:0.23.0", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 129, - "Content": " args:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33margs\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 130, - "Content": " - -sc", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - -sc", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 131, - "Content": " - /etc/stan-config/stan.conf", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - /etc/stan-config/stan.conf", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 132, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - 
"LastCause": false - }, - { - "Number": 133, - "Content": " - name: POD_NAME", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: POD_NAME", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 134, - "Content": " valueFrom:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalueFrom\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 135, - "Content": " fieldRef:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mfieldRef\u001b[0m:", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 136, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV003", - "AVDID": "AVD-KSV-0003", - "Title": "Default capabilities: some containers do not drop all", - "Description": "The container should drop all default capabilities and add only those that are needed for its execution.", - "Message": "Container 'metrics' of StatefulSet 'devtron-stan' should add 'ALL' to 'securityContext.capabilities.drop'", - "Namespace": "builtin.kubernetes.KSV003", - "Query": "data.builtin.kubernetes.KSV003.deny", - "Resolution": "Add 'ALL' to containers[].securityContext.capabilities.drop.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv003", - "References": [ - "https://kubesec.io/basics/containers-securitycontext-capabilities-drop-index-all/", - "https://avd.aquasec.com/misconfig/ksv003" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 170, - "EndLine": 182, - "Code": { - "Lines": [ - { - "Number": 170, - "Content": " - name: metrics", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m - 
\u001b[38;5;33mname\u001b[0m: metrics", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 171, - "Content": " image: quay.io/devtron/prometheus-nats-exporter:latest", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/prometheus-nats-exporter:latest", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 172, - "Content": " args:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33margs\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 173, - "Content": " - -connz", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - -connz", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 174, - "Content": " - -routez", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - -routez", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 175, - "Content": " - -subz", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - -subz", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 176, - "Content": " - -varz", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - -varz", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 177, - "Content": " - -channelz", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - -channelz", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 178, - "Content": " - -serverz", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - -serverz", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 179, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV003", - "AVDID": "AVD-KSV-0003", - "Title": "Default 
capabilities: some containers do not drop all", - "Description": "The container should drop all default capabilities and add only those that are needed for its execution.", - "Message": "Container 'stan' of StatefulSet 'devtron-stan' should add 'ALL' to 'securityContext.capabilities.drop'", - "Namespace": "builtin.kubernetes.KSV003", - "Query": "data.builtin.kubernetes.KSV003.deny", - "Resolution": "Add 'ALL' to containers[].securityContext.capabilities.drop.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv003", - "References": [ - "https://kubesec.io/basics/containers-securitycontext-capabilities-drop-index-all/", - "https://avd.aquasec.com/misconfig/ksv003" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 127, - "EndLine": 164, - "Code": { - "Lines": [ - { - "Number": 127, - "Content": " - name: stan", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: stan", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 128, - "Content": " image: quay.io/devtron/nats-streaming:0.23.0", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/nats-streaming:0.23.0", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 129, - "Content": " args:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33margs\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 130, - "Content": " - -sc", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - -sc", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 131, - "Content": " - /etc/stan-config/stan.conf", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - /etc/stan-config/stan.conf", - "FirstCause": false, - "LastCause": false - }, - { 
- "Number": 132, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 133, - "Content": " - name: POD_NAME", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: POD_NAME", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 134, - "Content": " valueFrom:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalueFrom\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 135, - "Content": " fieldRef:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mfieldRef\u001b[0m:", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 136, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV011", - "AVDID": "AVD-KSV-0011", - "Title": "CPU not limited", - "Description": "Enforcing CPU limits prevents DoS via resource exhaustion.", - "Message": "Container 'metrics' of StatefulSet 'devtron-stan' should set 'resources.limits.cpu'", - "Namespace": "builtin.kubernetes.KSV011", - "Query": "data.builtin.kubernetes.KSV011.deny", - "Resolution": "Set a limit value under 'containers[].resources.limits.cpu'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv011", - "References": [ - "https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", - "https://avd.aquasec.com/misconfig/ksv011" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 170, - "EndLine": 182, - "Code": { - "Lines": [ - { - "Number": 170, - "Content": " - name: metrics", - "IsCause": 
true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: metrics", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 171, - "Content": " image: quay.io/devtron/prometheus-nats-exporter:latest", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/prometheus-nats-exporter:latest", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 172, - "Content": " args:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33margs\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 173, - "Content": " - -connz", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - -connz", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 174, - "Content": " - -routez", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - -routez", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 175, - "Content": " - -subz", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - -subz", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 176, - "Content": " - -varz", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - -varz", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 177, - "Content": " - -channelz", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - -channelz", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 178, - "Content": " - -serverz", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - -serverz", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 179, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes 
Security Check", - "ID": "KSV011", - "AVDID": "AVD-KSV-0011", - "Title": "CPU not limited", - "Description": "Enforcing CPU limits prevents DoS via resource exhaustion.", - "Message": "Container 'stan' of StatefulSet 'devtron-stan' should set 'resources.limits.cpu'", - "Namespace": "builtin.kubernetes.KSV011", - "Query": "data.builtin.kubernetes.KSV011.deny", - "Resolution": "Set a limit value under 'containers[].resources.limits.cpu'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv011", - "References": [ - "https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", - "https://avd.aquasec.com/misconfig/ksv011" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 127, - "EndLine": 164, - "Code": { - "Lines": [ - { - "Number": 127, - "Content": " - name: stan", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: stan", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 128, - "Content": " image: quay.io/devtron/nats-streaming:0.23.0", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/nats-streaming:0.23.0", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 129, - "Content": " args:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33margs\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 130, - "Content": " - -sc", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - -sc", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 131, - "Content": " - /etc/stan-config/stan.conf", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - /etc/stan-config/stan.conf", - "FirstCause": false, - "LastCause": 
false - }, - { - "Number": 132, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 133, - "Content": " - name: POD_NAME", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: POD_NAME", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 134, - "Content": " valueFrom:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalueFrom\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 135, - "Content": " fieldRef:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mfieldRef\u001b[0m:", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 136, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV012", - "AVDID": "AVD-KSV-0012", - "Title": "Runs as root user", - "Description": "Force the running image to run as a non-root user to ensure least privileges.", - "Message": "Container 'metrics' of StatefulSet 'devtron-stan' should set 'securityContext.runAsNonRoot' to true", - "Namespace": "builtin.kubernetes.KSV012", - "Query": "data.builtin.kubernetes.KSV012.deny", - "Resolution": "Set 'containers[].securityContext.runAsNonRoot' to true.", - "Severity": "MEDIUM", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv012", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", - "https://avd.aquasec.com/misconfig/ksv012" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 170, - "EndLine": 182, - "Code": { - "Lines": [ - { - "Number": 170, - "Content": " - name: metrics", - 
"IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: metrics", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 171, - "Content": " image: quay.io/devtron/prometheus-nats-exporter:latest", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/prometheus-nats-exporter:latest", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 172, - "Content": " args:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33margs\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 173, - "Content": " - -connz", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - -connz", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 174, - "Content": " - -routez", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - -routez", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 175, - "Content": " - -subz", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - -subz", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 176, - "Content": " - -varz", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - -varz", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 177, - "Content": " - -channelz", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - -channelz", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 178, - "Content": " - -serverz", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - -serverz", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 179, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": 
"Kubernetes Security Check", - "ID": "KSV012", - "AVDID": "AVD-KSV-0012", - "Title": "Runs as root user", - "Description": "Force the running image to run as a non-root user to ensure least privileges.", - "Message": "Container 'stan' of StatefulSet 'devtron-stan' should set 'securityContext.runAsNonRoot' to true", - "Namespace": "builtin.kubernetes.KSV012", - "Query": "data.builtin.kubernetes.KSV012.deny", - "Resolution": "Set 'containers[].securityContext.runAsNonRoot' to true.", - "Severity": "MEDIUM", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv012", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", - "https://avd.aquasec.com/misconfig/ksv012" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 127, - "EndLine": 164, - "Code": { - "Lines": [ - { - "Number": 127, - "Content": " - name: stan", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: stan", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 128, - "Content": " image: quay.io/devtron/nats-streaming:0.23.0", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/nats-streaming:0.23.0", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 129, - "Content": " args:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33margs\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 130, - "Content": " - -sc", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - -sc", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 131, - "Content": " - /etc/stan-config/stan.conf", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - /etc/stan-config/stan.conf", - "FirstCause": false, - 
"LastCause": false - }, - { - "Number": 132, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 133, - "Content": " - name: POD_NAME", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: POD_NAME", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 134, - "Content": " valueFrom:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalueFrom\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 135, - "Content": " fieldRef:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mfieldRef\u001b[0m:", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 136, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV013", - "AVDID": "AVD-KSV-0013", - "Title": "Image tag \":latest\" used", - "Description": "It is best to avoid using the ':latest' image tag when deploying containers in production. 
Doing so makes it hard to track which version of the image is running, and hard to roll back the version.", - "Message": "Container 'metrics' of StatefulSet 'devtron-stan' should specify an image tag", - "Namespace": "builtin.kubernetes.KSV013", - "Query": "data.builtin.kubernetes.KSV013.deny", - "Resolution": "Use a specific container image tag that is not 'latest'.", - "Severity": "MEDIUM", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv013", - "References": [ - "https://kubernetes.io/docs/concepts/configuration/overview/#container-images", - "https://avd.aquasec.com/misconfig/ksv013" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 170, - "EndLine": 182, - "Code": { - "Lines": [ - { - "Number": 170, - "Content": " - name: metrics", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: metrics", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 171, - "Content": " image: quay.io/devtron/prometheus-nats-exporter:latest", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/prometheus-nats-exporter:latest", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 172, - "Content": " args:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33margs\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 173, - "Content": " - -connz", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - -connz", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 174, - "Content": " - -routez", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - -routez", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 175, - "Content": " - -subz", - "IsCause": true, - "Annotation": "", - "Truncated": 
false, - "Highlighted": " - -subz", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 176, - "Content": " - -varz", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - -varz", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 177, - "Content": " - -channelz", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - -channelz", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 178, - "Content": " - -serverz", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - -serverz", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 179, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV014", - "AVDID": "AVD-KSV-0014", - "Title": "Root file system is not read-only", - "Description": "An immutable root file system prevents applications from writing to their local disk. 
This can limit intrusions, as attackers will not be able to tamper with the file system or write foreign executables to disk.", - "Message": "Container 'metrics' of StatefulSet 'devtron-stan' should set 'securityContext.readOnlyRootFilesystem' to true", - "Namespace": "builtin.kubernetes.KSV014", - "Query": "data.builtin.kubernetes.KSV014.deny", - "Resolution": "Change 'containers[].securityContext.readOnlyRootFilesystem' to 'true'.", - "Severity": "HIGH", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv014", - "References": [ - "https://kubesec.io/basics/containers-securitycontext-readonlyrootfilesystem-true/", - "https://avd.aquasec.com/misconfig/ksv014" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 170, - "EndLine": 182, - "Code": { - "Lines": [ - { - "Number": 170, - "Content": " - name: metrics", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: metrics", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 171, - "Content": " image: quay.io/devtron/prometheus-nats-exporter:latest", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/prometheus-nats-exporter:latest", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 172, - "Content": " args:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33margs\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 173, - "Content": " - -connz", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - -connz", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 174, - "Content": " - -routez", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - -routez", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 175, - "Content": " 
- -subz", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - -subz", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 176, - "Content": " - -varz", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - -varz", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 177, - "Content": " - -channelz", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - -channelz", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 178, - "Content": " - -serverz", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - -serverz", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 179, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV014", - "AVDID": "AVD-KSV-0014", - "Title": "Root file system is not read-only", - "Description": "An immutable root file system prevents applications from writing to their local disk. 
This can limit intrusions, as attackers will not be able to tamper with the file system or write foreign executables to disk.", - "Message": "Container 'stan' of StatefulSet 'devtron-stan' should set 'securityContext.readOnlyRootFilesystem' to true", - "Namespace": "builtin.kubernetes.KSV014", - "Query": "data.builtin.kubernetes.KSV014.deny", - "Resolution": "Change 'containers[].securityContext.readOnlyRootFilesystem' to 'true'.", - "Severity": "HIGH", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv014", - "References": [ - "https://kubesec.io/basics/containers-securitycontext-readonlyrootfilesystem-true/", - "https://avd.aquasec.com/misconfig/ksv014" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 127, - "EndLine": 164, - "Code": { - "Lines": [ - { - "Number": 127, - "Content": " - name: stan", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: stan", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 128, - "Content": " image: quay.io/devtron/nats-streaming:0.23.0", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/nats-streaming:0.23.0", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 129, - "Content": " args:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33margs\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 130, - "Content": " - -sc", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - -sc", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 131, - "Content": " - /etc/stan-config/stan.conf", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - /etc/stan-config/stan.conf", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 132, - 
"Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 133, - "Content": " - name: POD_NAME", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: POD_NAME", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 134, - "Content": " valueFrom:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalueFrom\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 135, - "Content": " fieldRef:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mfieldRef\u001b[0m:", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 136, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV015", - "AVDID": "AVD-KSV-0015", - "Title": "CPU requests not specified", - "Description": "When containers have resource requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", - "Message": "Container 'metrics' of StatefulSet 'devtron-stan' should set 'resources.requests.cpu'", - "Namespace": "builtin.kubernetes.KSV015", - "Query": "data.builtin.kubernetes.KSV015.deny", - "Resolution": "Set 'containers[].resources.requests.cpu'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv015", - "References": [ - "https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", - "https://avd.aquasec.com/misconfig/ksv015" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 170, - "EndLine": 182, - "Code": 
{ - "Lines": [ - { - "Number": 170, - "Content": " - name: metrics", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: metrics", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 171, - "Content": " image: quay.io/devtron/prometheus-nats-exporter:latest", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/prometheus-nats-exporter:latest", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 172, - "Content": " args:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33margs\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 173, - "Content": " - -connz", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - -connz", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 174, - "Content": " - -routez", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - -routez", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 175, - "Content": " - -subz", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - -subz", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 176, - "Content": " - -varz", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - -varz", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 177, - "Content": " - -channelz", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - -channelz", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 178, - "Content": " - -serverz", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - -serverz", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 179, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": 
false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV015", - "AVDID": "AVD-KSV-0015", - "Title": "CPU requests not specified", - "Description": "When containers have resource requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", - "Message": "Container 'stan' of StatefulSet 'devtron-stan' should set 'resources.requests.cpu'", - "Namespace": "builtin.kubernetes.KSV015", - "Query": "data.builtin.kubernetes.KSV015.deny", - "Resolution": "Set 'containers[].resources.requests.cpu'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv015", - "References": [ - "https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", - "https://avd.aquasec.com/misconfig/ksv015" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 127, - "EndLine": 164, - "Code": { - "Lines": [ - { - "Number": 127, - "Content": " - name: stan", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: stan", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 128, - "Content": " image: quay.io/devtron/nats-streaming:0.23.0", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/nats-streaming:0.23.0", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 129, - "Content": " args:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33margs\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 130, - "Content": " - -sc", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - -sc", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 131, - "Content": " - 
/etc/stan-config/stan.conf", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - /etc/stan-config/stan.conf", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 132, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 133, - "Content": " - name: POD_NAME", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: POD_NAME", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 134, - "Content": " valueFrom:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalueFrom\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 135, - "Content": " fieldRef:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mfieldRef\u001b[0m:", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 136, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV016", - "AVDID": "AVD-KSV-0016", - "Title": "Memory requests not specified", - "Description": "When containers have memory requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", - "Message": "Container 'metrics' of StatefulSet 'devtron-stan' should set 'resources.requests.memory'", - "Namespace": "builtin.kubernetes.KSV016", - "Query": "data.builtin.kubernetes.KSV016.deny", - "Resolution": "Set 'containers[].resources.requests.memory'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv016", - "References": [ - "https://kubesec.io/basics/containers-resources-limits-memory/", - 
"https://avd.aquasec.com/misconfig/ksv016" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 170, - "EndLine": 182, - "Code": { - "Lines": [ - { - "Number": 170, - "Content": " - name: metrics", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: metrics", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 171, - "Content": " image: quay.io/devtron/prometheus-nats-exporter:latest", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/prometheus-nats-exporter:latest", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 172, - "Content": " args:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33margs\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 173, - "Content": " - -connz", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - -connz", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 174, - "Content": " - -routez", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - -routez", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 175, - "Content": " - -subz", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - -subz", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 176, - "Content": " - -varz", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - -varz", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 177, - "Content": " - -channelz", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - -channelz", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 178, - "Content": " - -serverz", - "IsCause": true, - "Annotation": "", - 
"Truncated": false, - "Highlighted": " - -serverz", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 179, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV016", - "AVDID": "AVD-KSV-0016", - "Title": "Memory requests not specified", - "Description": "When containers have memory requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", - "Message": "Container 'stan' of StatefulSet 'devtron-stan' should set 'resources.requests.memory'", - "Namespace": "builtin.kubernetes.KSV016", - "Query": "data.builtin.kubernetes.KSV016.deny", - "Resolution": "Set 'containers[].resources.requests.memory'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv016", - "References": [ - "https://kubesec.io/basics/containers-resources-limits-memory/", - "https://avd.aquasec.com/misconfig/ksv016" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 127, - "EndLine": 164, - "Code": { - "Lines": [ - { - "Number": 127, - "Content": " - name: stan", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: stan", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 128, - "Content": " image: quay.io/devtron/nats-streaming:0.23.0", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/nats-streaming:0.23.0", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 129, - "Content": " args:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33margs\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 130, - "Content": " - -sc", - 
"IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - -sc", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 131, - "Content": " - /etc/stan-config/stan.conf", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - /etc/stan-config/stan.conf", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 132, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 133, - "Content": " - name: POD_NAME", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: POD_NAME", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 134, - "Content": " valueFrom:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalueFrom\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 135, - "Content": " fieldRef:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mfieldRef\u001b[0m:", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 136, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV018", - "AVDID": "AVD-KSV-0018", - "Title": "Memory not limited", - "Description": "Enforcing memory limits prevents DoS via resource exhaustion.", - "Message": "Container 'metrics' of StatefulSet 'devtron-stan' should set 'resources.limits.memory'", - "Namespace": "builtin.kubernetes.KSV018", - "Query": "data.builtin.kubernetes.KSV018.deny", - "Resolution": "Set a limit value under 'containers[].resources.limits.memory'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv018", - "References": [ - 
"https://kubesec.io/basics/containers-resources-limits-memory/", - "https://avd.aquasec.com/misconfig/ksv018" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 170, - "EndLine": 182, - "Code": { - "Lines": [ - { - "Number": 170, - "Content": " - name: metrics", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: metrics", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 171, - "Content": " image: quay.io/devtron/prometheus-nats-exporter:latest", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/prometheus-nats-exporter:latest", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 172, - "Content": " args:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33margs\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 173, - "Content": " - -connz", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - -connz", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 174, - "Content": " - -routez", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - -routez", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 175, - "Content": " - -subz", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - -subz", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 176, - "Content": " - -varz", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - -varz", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 177, - "Content": " - -channelz", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - -channelz", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 178, - "Content": 
" - -serverz", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - -serverz", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 179, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV018", - "AVDID": "AVD-KSV-0018", - "Title": "Memory not limited", - "Description": "Enforcing memory limits prevents DoS via resource exhaustion.", - "Message": "Container 'stan' of StatefulSet 'devtron-stan' should set 'resources.limits.memory'", - "Namespace": "builtin.kubernetes.KSV018", - "Query": "data.builtin.kubernetes.KSV018.deny", - "Resolution": "Set a limit value under 'containers[].resources.limits.memory'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv018", - "References": [ - "https://kubesec.io/basics/containers-resources-limits-memory/", - "https://avd.aquasec.com/misconfig/ksv018" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 127, - "EndLine": 164, - "Code": { - "Lines": [ - { - "Number": 127, - "Content": " - name: stan", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: stan", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 128, - "Content": " image: quay.io/devtron/nats-streaming:0.23.0", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/nats-streaming:0.23.0", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 129, - "Content": " args:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33margs\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 130, - "Content": " - -sc", - "IsCause": true, - "Annotation": "", - "Truncated": 
false, - "Highlighted": " - -sc", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 131, - "Content": " - /etc/stan-config/stan.conf", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - /etc/stan-config/stan.conf", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 132, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 133, - "Content": " - name: POD_NAME", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: POD_NAME", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 134, - "Content": " valueFrom:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalueFrom\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 135, - "Content": " fieldRef:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mfieldRef\u001b[0m:", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 136, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV020", - "AVDID": "AVD-KSV-0020", - "Title": "Runs with UID \u003c= 10000", - "Description": "Force the container to run with user ID \u003e 10000 to avoid conflicts with the host’s user table.", - "Message": "Container 'metrics' of StatefulSet 'devtron-stan' should set 'securityContext.runAsUser' \u003e 10000", - "Namespace": "builtin.kubernetes.KSV020", - "Query": "data.builtin.kubernetes.KSV020.deny", - "Resolution": "Set 'containers[].securityContext.runAsUser' to an integer \u003e 10000.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv020", - "References": [ - 
"https://kubesec.io/basics/containers-securitycontext-runasuser/", - "https://avd.aquasec.com/misconfig/ksv020" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 170, - "EndLine": 182, - "Code": { - "Lines": [ - { - "Number": 170, - "Content": " - name: metrics", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: metrics", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 171, - "Content": " image: quay.io/devtron/prometheus-nats-exporter:latest", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/prometheus-nats-exporter:latest", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 172, - "Content": " args:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33margs\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 173, - "Content": " - -connz", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - -connz", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 174, - "Content": " - -routez", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - -routez", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 175, - "Content": " - -subz", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - -subz", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 176, - "Content": " - -varz", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - -varz", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 177, - "Content": " - -channelz", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - -channelz", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 178, - 
"Content": " - -serverz", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - -serverz", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 179, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV020", - "AVDID": "AVD-KSV-0020", - "Title": "Runs with UID \u003c= 10000", - "Description": "Force the container to run with user ID \u003e 10000 to avoid conflicts with the host’s user table.", - "Message": "Container 'stan' of StatefulSet 'devtron-stan' should set 'securityContext.runAsUser' \u003e 10000", - "Namespace": "builtin.kubernetes.KSV020", - "Query": "data.builtin.kubernetes.KSV020.deny", - "Resolution": "Set 'containers[].securityContext.runAsUser' to an integer \u003e 10000.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv020", - "References": [ - "https://kubesec.io/basics/containers-securitycontext-runasuser/", - "https://avd.aquasec.com/misconfig/ksv020" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 127, - "EndLine": 164, - "Code": { - "Lines": [ - { - "Number": 127, - "Content": " - name: stan", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: stan", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 128, - "Content": " image: quay.io/devtron/nats-streaming:0.23.0", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/nats-streaming:0.23.0", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 129, - "Content": " args:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33margs\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - 
"Number": 130, - "Content": " - -sc", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - -sc", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 131, - "Content": " - /etc/stan-config/stan.conf", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - /etc/stan-config/stan.conf", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 132, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 133, - "Content": " - name: POD_NAME", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: POD_NAME", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 134, - "Content": " valueFrom:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalueFrom\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 135, - "Content": " fieldRef:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mfieldRef\u001b[0m:", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 136, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV021", - "AVDID": "AVD-KSV-0021", - "Title": "Runs with GID \u003c= 10000", - "Description": "Force the container to run with group ID \u003e 10000 to avoid conflicts with the host’s user table.", - "Message": "Container 'metrics' of StatefulSet 'devtron-stan' should set 'securityContext.runAsGroup' \u003e 10000", - "Namespace": "builtin.kubernetes.KSV021", - "Query": "data.builtin.kubernetes.KSV021.deny", - "Resolution": "Set 'containers[].securityContext.runAsGroup' to an integer \u003e 10000.", - "Severity": 
"LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv021", - "References": [ - "https://kubesec.io/basics/containers-securitycontext-runasuser/", - "https://avd.aquasec.com/misconfig/ksv021" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 170, - "EndLine": 182, - "Code": { - "Lines": [ - { - "Number": 170, - "Content": " - name: metrics", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: metrics", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 171, - "Content": " image: quay.io/devtron/prometheus-nats-exporter:latest", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/prometheus-nats-exporter:latest", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 172, - "Content": " args:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33margs\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 173, - "Content": " - -connz", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - -connz", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 174, - "Content": " - -routez", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - -routez", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 175, - "Content": " - -subz", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - -subz", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 176, - "Content": " - -varz", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - -varz", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 177, - "Content": " - -channelz", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - 
-channelz", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 178, - "Content": " - -serverz", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - -serverz", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 179, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV021", - "AVDID": "AVD-KSV-0021", - "Title": "Runs with GID \u003c= 10000", - "Description": "Force the container to run with group ID \u003e 10000 to avoid conflicts with the host’s user table.", - "Message": "Container 'stan' of StatefulSet 'devtron-stan' should set 'securityContext.runAsGroup' \u003e 10000", - "Namespace": "builtin.kubernetes.KSV021", - "Query": "data.builtin.kubernetes.KSV021.deny", - "Resolution": "Set 'containers[].securityContext.runAsGroup' to an integer \u003e 10000.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv021", - "References": [ - "https://kubesec.io/basics/containers-securitycontext-runasuser/", - "https://avd.aquasec.com/misconfig/ksv021" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 127, - "EndLine": 164, - "Code": { - "Lines": [ - { - "Number": 127, - "Content": " - name: stan", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: stan", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 128, - "Content": " image: quay.io/devtron/nats-streaming:0.23.0", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/nats-streaming:0.23.0", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 129, - "Content": " args:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " 
\u001b[38;5;33margs\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 130, - "Content": " - -sc", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - -sc", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 131, - "Content": " - /etc/stan-config/stan.conf", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - /etc/stan-config/stan.conf", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 132, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 133, - "Content": " - name: POD_NAME", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: POD_NAME", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 134, - "Content": " valueFrom:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalueFrom\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 135, - "Content": " fieldRef:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mfieldRef\u001b[0m:", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 136, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV030", - "AVDID": "AVD-KSV-0030", - "Title": "Runtime/Default Seccomp profile not set", - "Description": "According to pod security standard 'Seccomp', the RuntimeDefault seccomp profile must be required, or allow specific additional profiles.", - "Message": "Either Pod or Container should set 'securityContext.seccompProfile.type' to 'RuntimeDefault'", - "Namespace": "builtin.kubernetes.KSV030", - "Query": 
"data.builtin.kubernetes.KSV030.deny", - "Resolution": "Set 'spec.securityContext.seccompProfile.type', 'spec.containers[*].securityContext.seccompProfile' and 'spec.initContainers[*].securityContext.seccompProfile' to 'RuntimeDefault' or undefined.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv030", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", - "https://avd.aquasec.com/misconfig/ksv030" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 127, - "EndLine": 164, - "Code": { - "Lines": [ - { - "Number": 127, - "Content": " - name: stan", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: stan", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 128, - "Content": " image: quay.io/devtron/nats-streaming:0.23.0", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/nats-streaming:0.23.0", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 129, - "Content": " args:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33margs\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 130, - "Content": " - -sc", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - -sc", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 131, - "Content": " - /etc/stan-config/stan.conf", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - /etc/stan-config/stan.conf", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 132, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 
133, - "Content": " - name: POD_NAME", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: POD_NAME", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 134, - "Content": " valueFrom:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalueFrom\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 135, - "Content": " fieldRef:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mfieldRef\u001b[0m:", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 136, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV030", - "AVDID": "AVD-KSV-0030", - "Title": "Runtime/Default Seccomp profile not set", - "Description": "According to pod security standard 'Seccomp', the RuntimeDefault seccomp profile must be required, or allow specific additional profiles.", - "Message": "Either Pod or Container should set 'securityContext.seccompProfile.type' to 'RuntimeDefault'", - "Namespace": "builtin.kubernetes.KSV030", - "Query": "data.builtin.kubernetes.KSV030.deny", - "Resolution": "Set 'spec.securityContext.seccompProfile.type', 'spec.containers[*].securityContext.seccompProfile' and 'spec.initContainers[*].securityContext.seccompProfile' to 'RuntimeDefault' or undefined.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv030", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", - "https://avd.aquasec.com/misconfig/ksv030" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 170, - "EndLine": 182, - "Code": { - "Lines": [ - { - "Number": 170, - "Content": " - name: metrics", - "IsCause": true, - 
"Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: metrics", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 171, - "Content": " image: quay.io/devtron/prometheus-nats-exporter:latest", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/prometheus-nats-exporter:latest", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 172, - "Content": " args:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33margs\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 173, - "Content": " - -connz", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - -connz", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 174, - "Content": " - -routez", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - -routez", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 175, - "Content": " - -subz", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - -subz", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 176, - "Content": " - -varz", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - -varz", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 177, - "Content": " - -channelz", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - -channelz", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 178, - "Content": " - -serverz", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - -serverz", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 179, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security 
Check", - "ID": "KSV104", - "AVDID": "AVD-KSV-0104", - "Title": "Seccomp policies disabled", - "Description": "A program inside the container can bypass Seccomp protection policies.", - "Message": "container \"metrics\" of statefulset \"devtron-stan\" in \"default\" namespace should specify a seccomp profile", - "Namespace": "builtin.kubernetes.KSV104", - "Query": "data.builtin.kubernetes.KSV104.deny", - "Resolution": "Specify seccomp either by annotation or by seccomp profile type having allowed values as per pod security standards", - "Severity": "MEDIUM", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv104", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline", - "https://avd.aquasec.com/misconfig/ksv104" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 63, - "EndLine": 63, - "Code": { - "Lines": [ - { - "Number": 63, - "Content": "---", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m---", - "FirstCause": true, - "LastCause": true - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV104", - "AVDID": "AVD-KSV-0104", - "Title": "Seccomp policies disabled", - "Description": "A program inside the container can bypass Seccomp protection policies.", - "Message": "container \"stan\" of statefulset \"devtron-stan\" in \"default\" namespace should specify a seccomp profile", - "Namespace": "builtin.kubernetes.KSV104", - "Query": "data.builtin.kubernetes.KSV104.deny", - "Resolution": "Specify seccomp either by annotation or by seccomp profile type having allowed values as per pod security standards", - "Severity": "MEDIUM", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv104", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline", - "https://avd.aquasec.com/misconfig/ksv104" - ], - "Status": "FAIL", - "Layer": {}, - 
"CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 63, - "EndLine": 63, - "Code": { - "Lines": [ - { - "Number": 63, - "Content": "---", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m---", - "FirstCause": true, - "LastCause": true - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV106", - "AVDID": "AVD-KSV-0106", - "Title": "Container capabilities must only include NET_BIND_SERVICE", - "Description": "Containers must drop ALL capabilities, and are only permitted to add back the NET_BIND_SERVICE capability.", - "Message": "container should drop all", - "Namespace": "builtin.kubernetes.KSV106", - "Query": "data.builtin.kubernetes.KSV106.deny", - "Resolution": "Set 'spec.containers[*].securityContext.capabilities.drop' to 'ALL' and only add 'NET_BIND_SERVICE' to 'spec.containers[*].securityContext.capabilities.add'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv106", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", - "https://avd.aquasec.com/misconfig/ksv106" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 127, - "EndLine": 164, - "Code": { - "Lines": [ - { - "Number": 127, - "Content": " - name: stan", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: stan", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 128, - "Content": " image: quay.io/devtron/nats-streaming:0.23.0", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/nats-streaming:0.23.0", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 129, - "Content": " args:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33margs\u001b[0m:", 
- "FirstCause": false, - "LastCause": false - }, - { - "Number": 130, - "Content": " - -sc", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - -sc", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 131, - "Content": " - /etc/stan-config/stan.conf", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - /etc/stan-config/stan.conf", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 132, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 133, - "Content": " - name: POD_NAME", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: POD_NAME", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 134, - "Content": " valueFrom:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalueFrom\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 135, - "Content": " fieldRef:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mfieldRef\u001b[0m:", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 136, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV106", - "AVDID": "AVD-KSV-0106", - "Title": "Container capabilities must only include NET_BIND_SERVICE", - "Description": "Containers must drop ALL capabilities, and are only permitted to add back the NET_BIND_SERVICE capability.", - "Message": "container should drop all", - "Namespace": "builtin.kubernetes.KSV106", - "Query": "data.builtin.kubernetes.KSV106.deny", - "Resolution": "Set 'spec.containers[*].securityContext.capabilities.drop' to 'ALL' and only add 
'NET_BIND_SERVICE' to 'spec.containers[*].securityContext.capabilities.add'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv106", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", - "https://avd.aquasec.com/misconfig/ksv106" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 170, - "EndLine": 182, - "Code": { - "Lines": [ - { - "Number": 170, - "Content": " - name: metrics", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: metrics", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 171, - "Content": " image: quay.io/devtron/prometheus-nats-exporter:latest", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/prometheus-nats-exporter:latest", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 172, - "Content": " args:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33margs\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 173, - "Content": " - -connz", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - -connz", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 174, - "Content": " - -routez", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - -routez", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 175, - "Content": " - -subz", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - -subz", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 176, - "Content": " - -varz", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - -varz", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 177, - 
"Content": " - -channelz", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - -channelz", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 178, - "Content": " - -serverz", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - -serverz", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 179, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - } - ] - }, - { - "Target": "manifests/yamls/notifier.yaml", - "Class": "config", - "Type": "kubernetes", - "MisconfSummary": { - "Successes": 153, - "Failures": 14, - "Exceptions": 0 - }, - "Misconfigurations": [ - { - "Type": "Kubernetes Security Check", - "ID": "KSV001", - "AVDID": "AVD-KSV-0001", - "Title": "Can elevate its own privileges", - "Description": "A program inside the container can elevate its own privileges and run as root, which might give the program control over the container and node.", - "Message": "Container 'notifier' of Deployment 'notifier' should set 'securityContext.allowPrivilegeEscalation' to false", - "Namespace": "builtin.kubernetes.KSV001", - "Query": "data.builtin.kubernetes.KSV001.deny", - "Resolution": "Set 'set containers[].securityContext.allowPrivilegeEscalation' to 'false'.", - "Severity": "MEDIUM", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv001", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", - "https://avd.aquasec.com/misconfig/ksv001" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 68, - "EndLine": 89, - "Code": { - "Lines": [ - { - "Number": 68, - "Content": " - name: notifier", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: notifier", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 69, - 
"Content": " image: quay.io/devtron/notifier:e4ffc71a-372-20776", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/notifier:e4ffc71a-372-20776", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 70, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 71, - "Content": " ports:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mports\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 72, - "Content": " - name: app", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: app", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 73, - "Content": " containerPort: 3000", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m3000", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 74, - "Content": " protocol: TCP", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mprotocol\u001b[0m: TCP", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 75, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 76, - "Content": " - name: CONFIG_HASH", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: CONFIG_HASH", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 77, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - 
} - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV003", - "AVDID": "AVD-KSV-0003", - "Title": "Default capabilities: some containers do not drop all", - "Description": "The container should drop all default capabilities and add only those that are needed for its execution.", - "Message": "Container 'notifier' of Deployment 'notifier' should add 'ALL' to 'securityContext.capabilities.drop'", - "Namespace": "builtin.kubernetes.KSV003", - "Query": "data.builtin.kubernetes.KSV003.deny", - "Resolution": "Add 'ALL' to containers[].securityContext.capabilities.drop.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv003", - "References": [ - "https://kubesec.io/basics/containers-securitycontext-capabilities-drop-index-all/", - "https://avd.aquasec.com/misconfig/ksv003" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 68, - "EndLine": 89, - "Code": { - "Lines": [ - { - "Number": 68, - "Content": " - name: notifier", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: notifier", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 69, - "Content": " image: quay.io/devtron/notifier:e4ffc71a-372-20776", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/notifier:e4ffc71a-372-20776", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 70, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 71, - "Content": " ports:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mports\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 72, - 
"Content": " - name: app", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: app", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 73, - "Content": " containerPort: 3000", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m3000", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 74, - "Content": " protocol: TCP", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mprotocol\u001b[0m: TCP", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 75, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 76, - "Content": " - name: CONFIG_HASH", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: CONFIG_HASH", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 77, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV011", - "AVDID": "AVD-KSV-0011", - "Title": "CPU not limited", - "Description": "Enforcing CPU limits prevents DoS via resource exhaustion.", - "Message": "Container 'notifier' of Deployment 'notifier' should set 'resources.limits.cpu'", - "Namespace": "builtin.kubernetes.KSV011", - "Query": "data.builtin.kubernetes.KSV011.deny", - "Resolution": "Set a limit value under 'containers[].resources.limits.cpu'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv011", - "References": [ - "https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", - "https://avd.aquasec.com/misconfig/ksv011" - 
], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 68, - "EndLine": 89, - "Code": { - "Lines": [ - { - "Number": 68, - "Content": " - name: notifier", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: notifier", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 69, - "Content": " image: quay.io/devtron/notifier:e4ffc71a-372-20776", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/notifier:e4ffc71a-372-20776", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 70, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 71, - "Content": " ports:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mports\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 72, - "Content": " - name: app", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: app", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 73, - "Content": " containerPort: 3000", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m3000", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 74, - "Content": " protocol: TCP", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mprotocol\u001b[0m: TCP", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 75, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33menv\u001b[0m:", - 
"FirstCause": false, - "LastCause": false - }, - { - "Number": 76, - "Content": " - name: CONFIG_HASH", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: CONFIG_HASH", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 77, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV012", - "AVDID": "AVD-KSV-0012", - "Title": "Runs as root user", - "Description": "Force the running image to run as a non-root user to ensure least privileges.", - "Message": "Container 'notifier' of Deployment 'notifier' should set 'securityContext.runAsNonRoot' to true", - "Namespace": "builtin.kubernetes.KSV012", - "Query": "data.builtin.kubernetes.KSV012.deny", - "Resolution": "Set 'containers[].securityContext.runAsNonRoot' to true.", - "Severity": "MEDIUM", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv012", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", - "https://avd.aquasec.com/misconfig/ksv012" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 68, - "EndLine": 89, - "Code": { - "Lines": [ - { - "Number": 68, - "Content": " - name: notifier", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: notifier", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 69, - "Content": " image: quay.io/devtron/notifier:e4ffc71a-372-20776", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/notifier:e4ffc71a-372-20776", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 70, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - 
"Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 71, - "Content": " ports:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mports\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 72, - "Content": " - name: app", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: app", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 73, - "Content": " containerPort: 3000", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m3000", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 74, - "Content": " protocol: TCP", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mprotocol\u001b[0m: TCP", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 75, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 76, - "Content": " - name: CONFIG_HASH", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: CONFIG_HASH", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 77, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV014", - "AVDID": "AVD-KSV-0014", - "Title": "Root file system is not read-only", - "Description": "An immutable root file system prevents applications from writing to their local disk. 
This can limit intrusions, as attackers will not be able to tamper with the file system or write foreign executables to disk.", - "Message": "Container 'notifier' of Deployment 'notifier' should set 'securityContext.readOnlyRootFilesystem' to true", - "Namespace": "builtin.kubernetes.KSV014", - "Query": "data.builtin.kubernetes.KSV014.deny", - "Resolution": "Change 'containers[].securityContext.readOnlyRootFilesystem' to 'true'.", - "Severity": "HIGH", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv014", - "References": [ - "https://kubesec.io/basics/containers-securitycontext-readonlyrootfilesystem-true/", - "https://avd.aquasec.com/misconfig/ksv014" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 68, - "EndLine": 89, - "Code": { - "Lines": [ - { - "Number": 68, - "Content": " - name: notifier", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: notifier", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 69, - "Content": " image: quay.io/devtron/notifier:e4ffc71a-372-20776", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/notifier:e4ffc71a-372-20776", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 70, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 71, - "Content": " ports:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mports\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 72, - "Content": " - name: app", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: app", - 
"FirstCause": false, - "LastCause": false - }, - { - "Number": 73, - "Content": " containerPort: 3000", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m3000", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 74, - "Content": " protocol: TCP", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mprotocol\u001b[0m: TCP", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 75, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 76, - "Content": " - name: CONFIG_HASH", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: CONFIG_HASH", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 77, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV015", - "AVDID": "AVD-KSV-0015", - "Title": "CPU requests not specified", - "Description": "When containers have resource requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", - "Message": "Container 'notifier' of Deployment 'notifier' should set 'resources.requests.cpu'", - "Namespace": "builtin.kubernetes.KSV015", - "Query": "data.builtin.kubernetes.KSV015.deny", - "Resolution": "Set 'containers[].resources.requests.cpu'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv015", - "References": [ - "https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", - "https://avd.aquasec.com/misconfig/ksv015" - ], - "Status": "FAIL", - "Layer": {}, - 
"CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 68, - "EndLine": 89, - "Code": { - "Lines": [ - { - "Number": 68, - "Content": " - name: notifier", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: notifier", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 69, - "Content": " image: quay.io/devtron/notifier:e4ffc71a-372-20776", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/notifier:e4ffc71a-372-20776", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 70, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 71, - "Content": " ports:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mports\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 72, - "Content": " - name: app", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: app", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 73, - "Content": " containerPort: 3000", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m3000", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 74, - "Content": " protocol: TCP", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mprotocol\u001b[0m: TCP", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 75, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - 
}, - { - "Number": 76, - "Content": " - name: CONFIG_HASH", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: CONFIG_HASH", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 77, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV016", - "AVDID": "AVD-KSV-0016", - "Title": "Memory requests not specified", - "Description": "When containers have memory requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", - "Message": "Container 'notifier' of Deployment 'notifier' should set 'resources.requests.memory'", - "Namespace": "builtin.kubernetes.KSV016", - "Query": "data.builtin.kubernetes.KSV016.deny", - "Resolution": "Set 'containers[].resources.requests.memory'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv016", - "References": [ - "https://kubesec.io/basics/containers-resources-limits-memory/", - "https://avd.aquasec.com/misconfig/ksv016" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 68, - "EndLine": 89, - "Code": { - "Lines": [ - { - "Number": 68, - "Content": " - name: notifier", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: notifier", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 69, - "Content": " image: quay.io/devtron/notifier:e4ffc71a-372-20776", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/notifier:e4ffc71a-372-20776", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 70, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": 
false, - "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 71, - "Content": " ports:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mports\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 72, - "Content": " - name: app", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: app", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 73, - "Content": " containerPort: 3000", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m3000", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 74, - "Content": " protocol: TCP", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mprotocol\u001b[0m: TCP", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 75, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 76, - "Content": " - name: CONFIG_HASH", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: CONFIG_HASH", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 77, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV018", - "AVDID": "AVD-KSV-0018", - "Title": "Memory not limited", - "Description": "Enforcing memory limits prevents DoS via resource exhaustion.", - "Message": "Container 'notifier' of Deployment 'notifier' should set 'resources.limits.memory'", - "Namespace": "builtin.kubernetes.KSV018", - "Query": 
"data.builtin.kubernetes.KSV018.deny", - "Resolution": "Set a limit value under 'containers[].resources.limits.memory'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv018", - "References": [ - "https://kubesec.io/basics/containers-resources-limits-memory/", - "https://avd.aquasec.com/misconfig/ksv018" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 68, - "EndLine": 89, - "Code": { - "Lines": [ - { - "Number": 68, - "Content": " - name: notifier", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: notifier", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 69, - "Content": " image: quay.io/devtron/notifier:e4ffc71a-372-20776", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/notifier:e4ffc71a-372-20776", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 70, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 71, - "Content": " ports:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mports\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 72, - "Content": " - name: app", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: app", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 73, - "Content": " containerPort: 3000", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m3000", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 74, - "Content": " protocol: TCP", - 
"IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mprotocol\u001b[0m: TCP", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 75, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 76, - "Content": " - name: CONFIG_HASH", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: CONFIG_HASH", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 77, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV020", - "AVDID": "AVD-KSV-0020", - "Title": "Runs with UID \u003c= 10000", - "Description": "Force the container to run with user ID \u003e 10000 to avoid conflicts with the host’s user table.", - "Message": "Container 'notifier' of Deployment 'notifier' should set 'securityContext.runAsUser' \u003e 10000", - "Namespace": "builtin.kubernetes.KSV020", - "Query": "data.builtin.kubernetes.KSV020.deny", - "Resolution": "Set 'containers[].securityContext.runAsUser' to an integer \u003e 10000.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv020", - "References": [ - "https://kubesec.io/basics/containers-securitycontext-runasuser/", - "https://avd.aquasec.com/misconfig/ksv020" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 68, - "EndLine": 89, - "Code": { - "Lines": [ - { - "Number": 68, - "Content": " - name: notifier", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: notifier", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 69, - "Content": " image: 
quay.io/devtron/notifier:e4ffc71a-372-20776", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/notifier:e4ffc71a-372-20776", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 70, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 71, - "Content": " ports:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mports\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 72, - "Content": " - name: app", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: app", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 73, - "Content": " containerPort: 3000", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m3000", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 74, - "Content": " protocol: TCP", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mprotocol\u001b[0m: TCP", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 75, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 76, - "Content": " - name: CONFIG_HASH", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: CONFIG_HASH", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 77, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - 
{ - "Type": "Kubernetes Security Check", - "ID": "KSV021", - "AVDID": "AVD-KSV-0021", - "Title": "Runs with GID \u003c= 10000", - "Description": "Force the container to run with group ID \u003e 10000 to avoid conflicts with the host’s user table.", - "Message": "Container 'notifier' of Deployment 'notifier' should set 'securityContext.runAsGroup' \u003e 10000", - "Namespace": "builtin.kubernetes.KSV021", - "Query": "data.builtin.kubernetes.KSV021.deny", - "Resolution": "Set 'containers[].securityContext.runAsGroup' to an integer \u003e 10000.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv021", - "References": [ - "https://kubesec.io/basics/containers-securitycontext-runasuser/", - "https://avd.aquasec.com/misconfig/ksv021" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 68, - "EndLine": 89, - "Code": { - "Lines": [ - { - "Number": 68, - "Content": " - name: notifier", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: notifier", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 69, - "Content": " image: quay.io/devtron/notifier:e4ffc71a-372-20776", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/notifier:e4ffc71a-372-20776", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 70, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 71, - "Content": " ports:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mports\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 72, - "Content": " - name: app", - "IsCause": true, - "Annotation": 
"", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: app", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 73, - "Content": " containerPort: 3000", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m3000", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 74, - "Content": " protocol: TCP", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mprotocol\u001b[0m: TCP", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 75, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 76, - "Content": " - name: CONFIG_HASH", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: CONFIG_HASH", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 77, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV030", - "AVDID": "AVD-KSV-0030", - "Title": "Runtime/Default Seccomp profile not set", - "Description": "According to pod security standard 'Seccomp', the RuntimeDefault seccomp profile must be required, or allow specific additional profiles.", - "Message": "Either Pod or Container should set 'securityContext.seccompProfile.type' to 'RuntimeDefault'", - "Namespace": "builtin.kubernetes.KSV030", - "Query": "data.builtin.kubernetes.KSV030.deny", - "Resolution": "Set 'spec.securityContext.seccompProfile.type', 'spec.containers[*].securityContext.seccompProfile' and 'spec.initContainers[*].securityContext.seccompProfile' to 'RuntimeDefault' or undefined.", - "Severity": "LOW", - "PrimaryURL": 
"https://avd.aquasec.com/misconfig/ksv030", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", - "https://avd.aquasec.com/misconfig/ksv030" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 68, - "EndLine": 89, - "Code": { - "Lines": [ - { - "Number": 68, - "Content": " - name: notifier", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: notifier", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 69, - "Content": " image: quay.io/devtron/notifier:e4ffc71a-372-20776", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/notifier:e4ffc71a-372-20776", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 70, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 71, - "Content": " ports:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mports\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 72, - "Content": " - name: app", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: app", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 73, - "Content": " containerPort: 3000", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m3000", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 74, - "Content": " protocol: TCP", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mprotocol\u001b[0m: TCP", - 
"FirstCause": false, - "LastCause": false - }, - { - "Number": 75, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 76, - "Content": " - name: CONFIG_HASH", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: CONFIG_HASH", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 77, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "AVD-KSV-01010", - "AVDID": "AVD-KSV-01010", - "Title": "ConfigMap with sensitive content", - "Description": "Storing sensitive content such as usernames and email addresses in configMaps is unsafe", - "Message": "ConfigMap 'notifier-cm' in 'default' namespace stores sensitive contents in key(s) or value(s) '{\"CD_ENVIRONMENT\", \"DB_PORT\"}'", - "Namespace": "builtin.kubernetes.KSV01010", - "Query": "data.builtin.kubernetes.KSV01010.deny", - "Resolution": "Remove sensitive content from configMap data value", - "Severity": "MEDIUM", - "PrimaryURL": "https://avd.aquasec.com/misconfig/avd-ksv-01010", - "References": [ - "https://avd.aquasec.com/misconfig/avd-ksv-01010" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 9, - "EndLine": 9, - "Code": { - "Lines": [ - { - "Number": 9, - "Content": "---", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "---", - "FirstCause": true, - "LastCause": true - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV104", - "AVDID": "AVD-KSV-0104", - "Title": "Seccomp policies disabled", - "Description": "A program inside the container can bypass Seccomp protection policies.", - "Message": "container \"notifier\" of deployment 
\"notifier\" in \"default\" namespace should specify a seccomp profile", - "Namespace": "builtin.kubernetes.KSV104", - "Query": "data.builtin.kubernetes.KSV104.deny", - "Resolution": "Specify seccomp either by annotation or by seccomp profile type having allowed values as per pod security standards", - "Severity": "MEDIUM", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv104", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline", - "https://avd.aquasec.com/misconfig/ksv104" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 42, - "EndLine": 42, - "Code": { - "Lines": [ - { - "Number": 42, - "Content": "---", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "---", - "FirstCause": true, - "LastCause": true - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV106", - "AVDID": "AVD-KSV-0106", - "Title": "Container capabilities must only include NET_BIND_SERVICE", - "Description": "Containers must drop ALL capabilities, and are only permitted to add back the NET_BIND_SERVICE capability.", - "Message": "container should drop all", - "Namespace": "builtin.kubernetes.KSV106", - "Query": "data.builtin.kubernetes.KSV106.deny", - "Resolution": "Set 'spec.containers[*].securityContext.capabilities.drop' to 'ALL' and only add 'NET_BIND_SERVICE' to 'spec.containers[*].securityContext.capabilities.add'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv106", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", - "https://avd.aquasec.com/misconfig/ksv106" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 68, - "EndLine": 89, - "Code": { - "Lines": [ - { - "Number": 68, - "Content": " - name: notifier", - "IsCause": true, - "Annotation": "", - 
"Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: notifier", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 69, - "Content": " image: quay.io/devtron/notifier:e4ffc71a-372-20776", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/notifier:e4ffc71a-372-20776", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 70, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 71, - "Content": " ports:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mports\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 72, - "Content": " - name: app", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: app", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 73, - "Content": " containerPort: 3000", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m3000", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 74, - "Content": " protocol: TCP", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mprotocol\u001b[0m: TCP", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 75, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 76, - "Content": " - name: CONFIG_HASH", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: CONFIG_HASH", - "FirstCause": false, - "LastCause": 
true - }, - { - "Number": 77, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - } - ] - }, - { - "Target": "manifests/yamls/postgresql.yaml", - "Class": "config", - "Type": "kubernetes", - "MisconfSummary": { - "Successes": 153, - "Failures": 41, - "Exceptions": 0 - }, - "Misconfigurations": [ - { - "Type": "Kubernetes Security Check", - "ID": "KSV001", - "AVDID": "AVD-KSV-0001", - "Title": "Can elevate its own privileges", - "Description": "A program inside the container can elevate its own privileges and run as root, which might give the program control over the container and node.", - "Message": "Container 'init-chmod-data' of StatefulSet 'postgresql-postgresql' should set 'securityContext.allowPrivilegeEscalation' to false", - "Namespace": "builtin.kubernetes.KSV001", - "Query": "data.builtin.kubernetes.KSV001.deny", - "Resolution": "Set 'set containers[].securityContext.allowPrivilegeEscalation' to 'false'.", - "Severity": "MEDIUM", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv001", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", - "https://avd.aquasec.com/misconfig/ksv001" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 122, - "EndLine": 143, - "Code": { - "Lines": [ - { - "Number": 122, - "Content": " - name: init-chmod-data", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: init-chmod-data", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 123, - "Content": " image: \"quay.io/devtron/minideb:latest\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/minideb:latest\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 124, - "Content": " 
imagePullPolicy: \"IfNotPresent\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: \u001b[38;5;37m\"IfNotPresent\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 125, - "Content": " command:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mcommand\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 126, - "Content": " - /bin/sh", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - /bin/sh", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 127, - "Content": " - -cx", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - -cx", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 128, - "Content": " - |", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - |", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 129, - "Content": " ", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[38;5;37m ", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 130, - "Content": " mkdir -p /bitnami/postgresql/data", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " mkdir -p /bitnami/postgresql/data", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 131, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV001", - "AVDID": "AVD-KSV-0001", - "Title": "Can elevate its own privileges", - "Description": "A program inside the container can elevate its own privileges and run as root, which might give the program control over the container and node.", - "Message": "Container 'metrics' of StatefulSet 'postgresql-postgresql' should set 
'securityContext.allowPrivilegeEscalation' to false", - "Namespace": "builtin.kubernetes.KSV001", - "Query": "data.builtin.kubernetes.KSV001.deny", - "Resolution": "Set 'set containers[].securityContext.allowPrivilegeEscalation' to 'false'.", - "Severity": "MEDIUM", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv001", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", - "https://avd.aquasec.com/misconfig/ksv001" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 212, - "EndLine": 246, - "Code": { - "Lines": [ - { - "Number": 212, - "Content": " - name: metrics", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: metrics", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 213, - "Content": " image: quay.io/devtron/postgres_exporter:v0.4.7", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/postgres_exporter:v0.4.7", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 214, - "Content": " imagePullPolicy: \"IfNotPresent\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: \u001b[38;5;37m\"IfNotPresent\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 215, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 216, - "Content": " - name: DATA_SOURCE_URI", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: DATA_SOURCE_URI", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 217, - "Content": " value: \"127.0.0.1:5432/orchestrator?sslmode=disable\"", - "IsCause": 
true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: \u001b[38;5;37m\"127.0.0.1:5432/orchestrator?sslmode=disable\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 218, - "Content": " - name: DATA_SOURCE_PASS", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: DATA_SOURCE_PASS", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 219, - "Content": " valueFrom:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalueFrom\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 220, - "Content": " secretKeyRef:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33msecretKeyRef\u001b[0m:", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 221, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV001", - "AVDID": "AVD-KSV-0001", - "Title": "Can elevate its own privileges", - "Description": "A program inside the container can elevate its own privileges and run as root, which might give the program control over the container and node.", - "Message": "Container 'postgresql-postgresql' of StatefulSet 'postgresql-postgresql' should set 'securityContext.allowPrivilegeEscalation' to false", - "Namespace": "builtin.kubernetes.KSV001", - "Query": "data.builtin.kubernetes.KSV001.deny", - "Resolution": "Set 'set containers[].securityContext.allowPrivilegeEscalation' to 'false'.", - "Severity": "MEDIUM", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv001", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", - "https://avd.aquasec.com/misconfig/ksv001" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - 
"Provider": "Kubernetes", - "Service": "general", - "StartLine": 149, - "EndLine": 210, - "Code": { - "Lines": [ - { - "Number": 149, - "Content": " - name: postgresql-postgresql", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-postgresql", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 150, - "Content": " image: quay.io/devtron/postgres:11.9.0-debian-10-r26", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/postgres:11.9.0-debian-10-r26", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 151, - "Content": " imagePullPolicy: \"IfNotPresent\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: \u001b[38;5;37m\"IfNotPresent\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 152, - "Content": " securityContext:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33msecurityContext\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 153, - "Content": " runAsUser: 1001", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1001", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 154, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 155, - "Content": " - name: BITNAMI_DEBUG", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: BITNAMI_DEBUG", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 156, - "Content": " value: \"false\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " 
\u001b[38;5;33mvalue\u001b[0m: \u001b[38;5;37m\"false\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 157, - "Content": " - name: POSTGRESQL_PORT_NUMBER", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: POSTGRESQL_PORT_NUMBER", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 158, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV003", - "AVDID": "AVD-KSV-0003", - "Title": "Default capabilities: some containers do not drop all", - "Description": "The container should drop all default capabilities and add only those that are needed for its execution.", - "Message": "Container 'init-chmod-data' of StatefulSet 'postgresql-postgresql' should add 'ALL' to 'securityContext.capabilities.drop'", - "Namespace": "builtin.kubernetes.KSV003", - "Query": "data.builtin.kubernetes.KSV003.deny", - "Resolution": "Add 'ALL' to containers[].securityContext.capabilities.drop.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv003", - "References": [ - "https://kubesec.io/basics/containers-securitycontext-capabilities-drop-index-all/", - "https://avd.aquasec.com/misconfig/ksv003" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 122, - "EndLine": 143, - "Code": { - "Lines": [ - { - "Number": 122, - "Content": " - name: init-chmod-data", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: init-chmod-data", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 123, - "Content": " image: \"quay.io/devtron/minideb:latest\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: 
\u001b[38;5;37m\"quay.io/devtron/minideb:latest\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 124, - "Content": " imagePullPolicy: \"IfNotPresent\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: \u001b[38;5;37m\"IfNotPresent\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 125, - "Content": " command:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mcommand\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 126, - "Content": " - /bin/sh", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - /bin/sh", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 127, - "Content": " - -cx", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - -cx", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 128, - "Content": " - |", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - |", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 129, - "Content": " ", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[38;5;37m ", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 130, - "Content": " mkdir -p /bitnami/postgresql/data", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " mkdir -p /bitnami/postgresql/data", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 131, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV003", - "AVDID": "AVD-KSV-0003", - "Title": "Default capabilities: some containers do not drop all", - "Description": "The container should drop all default capabilities and add only those that are needed 
for its execution.", - "Message": "Container 'metrics' of StatefulSet 'postgresql-postgresql' should add 'ALL' to 'securityContext.capabilities.drop'", - "Namespace": "builtin.kubernetes.KSV003", - "Query": "data.builtin.kubernetes.KSV003.deny", - "Resolution": "Add 'ALL' to containers[].securityContext.capabilities.drop.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv003", - "References": [ - "https://kubesec.io/basics/containers-securitycontext-capabilities-drop-index-all/", - "https://avd.aquasec.com/misconfig/ksv003" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 212, - "EndLine": 246, - "Code": { - "Lines": [ - { - "Number": 212, - "Content": " - name: metrics", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: metrics", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 213, - "Content": " image: quay.io/devtron/postgres_exporter:v0.4.7", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/postgres_exporter:v0.4.7", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 214, - "Content": " imagePullPolicy: \"IfNotPresent\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: \u001b[38;5;37m\"IfNotPresent\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 215, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 216, - "Content": " - name: DATA_SOURCE_URI", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: DATA_SOURCE_URI", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 217, - 
"Content": " value: \"127.0.0.1:5432/orchestrator?sslmode=disable\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: \u001b[38;5;37m\"127.0.0.1:5432/orchestrator?sslmode=disable\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 218, - "Content": " - name: DATA_SOURCE_PASS", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: DATA_SOURCE_PASS", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 219, - "Content": " valueFrom:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalueFrom\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 220, - "Content": " secretKeyRef:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33msecretKeyRef\u001b[0m:", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 221, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV003", - "AVDID": "AVD-KSV-0003", - "Title": "Default capabilities: some containers do not drop all", - "Description": "The container should drop all default capabilities and add only those that are needed for its execution.", - "Message": "Container 'postgresql-postgresql' of StatefulSet 'postgresql-postgresql' should add 'ALL' to 'securityContext.capabilities.drop'", - "Namespace": "builtin.kubernetes.KSV003", - "Query": "data.builtin.kubernetes.KSV003.deny", - "Resolution": "Add 'ALL' to containers[].securityContext.capabilities.drop.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv003", - "References": [ - "https://kubesec.io/basics/containers-securitycontext-capabilities-drop-index-all/", - "https://avd.aquasec.com/misconfig/ksv003" - ], - "Status": 
"FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 149, - "EndLine": 210, - "Code": { - "Lines": [ - { - "Number": 149, - "Content": " - name: postgresql-postgresql", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-postgresql", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 150, - "Content": " image: quay.io/devtron/postgres:11.9.0-debian-10-r26", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/postgres:11.9.0-debian-10-r26", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 151, - "Content": " imagePullPolicy: \"IfNotPresent\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: \u001b[38;5;37m\"IfNotPresent\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 152, - "Content": " securityContext:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33msecurityContext\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 153, - "Content": " runAsUser: 1001", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1001", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 154, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 155, - "Content": " - name: BITNAMI_DEBUG", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: BITNAMI_DEBUG", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 156, - "Content": " value: \"false\"", - "IsCause": true, - 
"Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: \u001b[38;5;37m\"false\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 157, - "Content": " - name: POSTGRESQL_PORT_NUMBER", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: POSTGRESQL_PORT_NUMBER", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 158, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV011", - "AVDID": "AVD-KSV-0011", - "Title": "CPU not limited", - "Description": "Enforcing CPU limits prevents DoS via resource exhaustion.", - "Message": "Container 'init-chmod-data' of StatefulSet 'postgresql-postgresql' should set 'resources.limits.cpu'", - "Namespace": "builtin.kubernetes.KSV011", - "Query": "data.builtin.kubernetes.KSV011.deny", - "Resolution": "Set a limit value under 'containers[].resources.limits.cpu'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv011", - "References": [ - "https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", - "https://avd.aquasec.com/misconfig/ksv011" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 122, - "EndLine": 143, - "Code": { - "Lines": [ - { - "Number": 122, - "Content": " - name: init-chmod-data", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: init-chmod-data", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 123, - "Content": " image: \"quay.io/devtron/minideb:latest\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: 
\u001b[38;5;37m\"quay.io/devtron/minideb:latest\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 124, - "Content": " imagePullPolicy: \"IfNotPresent\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: \u001b[38;5;37m\"IfNotPresent\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 125, - "Content": " command:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mcommand\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 126, - "Content": " - /bin/sh", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - /bin/sh", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 127, - "Content": " - -cx", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - -cx", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 128, - "Content": " - |", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - |", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 129, - "Content": " ", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[38;5;37m ", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 130, - "Content": " mkdir -p /bitnami/postgresql/data", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " mkdir -p /bitnami/postgresql/data", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 131, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV011", - "AVDID": "AVD-KSV-0011", - "Title": "CPU not limited", - "Description": "Enforcing CPU limits prevents DoS via resource exhaustion.", - "Message": "Container 'metrics' of StatefulSet 
'postgresql-postgresql' should set 'resources.limits.cpu'", - "Namespace": "builtin.kubernetes.KSV011", - "Query": "data.builtin.kubernetes.KSV011.deny", - "Resolution": "Set a limit value under 'containers[].resources.limits.cpu'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv011", - "References": [ - "https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", - "https://avd.aquasec.com/misconfig/ksv011" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 212, - "EndLine": 246, - "Code": { - "Lines": [ - { - "Number": 212, - "Content": " - name: metrics", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: metrics", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 213, - "Content": " image: quay.io/devtron/postgres_exporter:v0.4.7", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/postgres_exporter:v0.4.7", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 214, - "Content": " imagePullPolicy: \"IfNotPresent\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: \u001b[38;5;37m\"IfNotPresent\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 215, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 216, - "Content": " - name: DATA_SOURCE_URI", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: DATA_SOURCE_URI", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 217, - "Content": " value: 
\"127.0.0.1:5432/orchestrator?sslmode=disable\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: \u001b[38;5;37m\"127.0.0.1:5432/orchestrator?sslmode=disable\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 218, - "Content": " - name: DATA_SOURCE_PASS", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: DATA_SOURCE_PASS", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 219, - "Content": " valueFrom:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalueFrom\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 220, - "Content": " secretKeyRef:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33msecretKeyRef\u001b[0m:", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 221, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV011", - "AVDID": "AVD-KSV-0011", - "Title": "CPU not limited", - "Description": "Enforcing CPU limits prevents DoS via resource exhaustion.", - "Message": "Container 'postgresql-postgresql' of StatefulSet 'postgresql-postgresql' should set 'resources.limits.cpu'", - "Namespace": "builtin.kubernetes.KSV011", - "Query": "data.builtin.kubernetes.KSV011.deny", - "Resolution": "Set a limit value under 'containers[].resources.limits.cpu'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv011", - "References": [ - "https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", - "https://avd.aquasec.com/misconfig/ksv011" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - 
"StartLine": 149, - "EndLine": 210, - "Code": { - "Lines": [ - { - "Number": 149, - "Content": " - name: postgresql-postgresql", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-postgresql", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 150, - "Content": " image: quay.io/devtron/postgres:11.9.0-debian-10-r26", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/postgres:11.9.0-debian-10-r26", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 151, - "Content": " imagePullPolicy: \"IfNotPresent\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: \u001b[38;5;37m\"IfNotPresent\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 152, - "Content": " securityContext:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33msecurityContext\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 153, - "Content": " runAsUser: 1001", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1001", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 154, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 155, - "Content": " - name: BITNAMI_DEBUG", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: BITNAMI_DEBUG", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 156, - "Content": " value: \"false\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: 
\u001b[38;5;37m\"false\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 157, - "Content": " - name: POSTGRESQL_PORT_NUMBER", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: POSTGRESQL_PORT_NUMBER", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 158, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV012", - "AVDID": "AVD-KSV-0012", - "Title": "Runs as root user", - "Description": "Force the running image to run as a non-root user to ensure least privileges.", - "Message": "Container 'init-chmod-data' of StatefulSet 'postgresql-postgresql' should set 'securityContext.runAsNonRoot' to true", - "Namespace": "builtin.kubernetes.KSV012", - "Query": "data.builtin.kubernetes.KSV012.deny", - "Resolution": "Set 'containers[].securityContext.runAsNonRoot' to true.", - "Severity": "MEDIUM", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv012", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", - "https://avd.aquasec.com/misconfig/ksv012" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 122, - "EndLine": 143, - "Code": { - "Lines": [ - { - "Number": 122, - "Content": " - name: init-chmod-data", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: init-chmod-data", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 123, - "Content": " image: \"quay.io/devtron/minideb:latest\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/minideb:latest\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 124, - "Content": " 
imagePullPolicy: \"IfNotPresent\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: \u001b[38;5;37m\"IfNotPresent\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 125, - "Content": " command:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mcommand\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 126, - "Content": " - /bin/sh", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - /bin/sh", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 127, - "Content": " - -cx", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - -cx", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 128, - "Content": " - |", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - |", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 129, - "Content": " ", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[38;5;37m ", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 130, - "Content": " mkdir -p /bitnami/postgresql/data", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " mkdir -p /bitnami/postgresql/data", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 131, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV012", - "AVDID": "AVD-KSV-0012", - "Title": "Runs as root user", - "Description": "Force the running image to run as a non-root user to ensure least privileges.", - "Message": "Container 'metrics' of StatefulSet 'postgresql-postgresql' should set 'securityContext.runAsNonRoot' to true", - "Namespace": "builtin.kubernetes.KSV012", - "Query": 
"data.builtin.kubernetes.KSV012.deny", - "Resolution": "Set 'containers[].securityContext.runAsNonRoot' to true.", - "Severity": "MEDIUM", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv012", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", - "https://avd.aquasec.com/misconfig/ksv012" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 212, - "EndLine": 246, - "Code": { - "Lines": [ - { - "Number": 212, - "Content": " - name: metrics", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: metrics", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 213, - "Content": " image: quay.io/devtron/postgres_exporter:v0.4.7", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/postgres_exporter:v0.4.7", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 214, - "Content": " imagePullPolicy: \"IfNotPresent\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: \u001b[38;5;37m\"IfNotPresent\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 215, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 216, - "Content": " - name: DATA_SOURCE_URI", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: DATA_SOURCE_URI", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 217, - "Content": " value: \"127.0.0.1:5432/orchestrator?sslmode=disable\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: 
\u001b[38;5;37m\"127.0.0.1:5432/orchestrator?sslmode=disable\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 218, - "Content": " - name: DATA_SOURCE_PASS", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: DATA_SOURCE_PASS", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 219, - "Content": " valueFrom:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalueFrom\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 220, - "Content": " secretKeyRef:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33msecretKeyRef\u001b[0m:", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 221, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV012", - "AVDID": "AVD-KSV-0012", - "Title": "Runs as root user", - "Description": "Force the running image to run as a non-root user to ensure least privileges.", - "Message": "Container 'postgresql-postgresql' of StatefulSet 'postgresql-postgresql' should set 'securityContext.runAsNonRoot' to true", - "Namespace": "builtin.kubernetes.KSV012", - "Query": "data.builtin.kubernetes.KSV012.deny", - "Resolution": "Set 'containers[].securityContext.runAsNonRoot' to true.", - "Severity": "MEDIUM", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv012", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", - "https://avd.aquasec.com/misconfig/ksv012" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 149, - "EndLine": 210, - "Code": { - "Lines": [ - { - "Number": 149, - "Content": " - name: postgresql-postgresql", - "IsCause": true, - 
"Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-postgresql", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 150, - "Content": " image: quay.io/devtron/postgres:11.9.0-debian-10-r26", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/postgres:11.9.0-debian-10-r26", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 151, - "Content": " imagePullPolicy: \"IfNotPresent\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: \u001b[38;5;37m\"IfNotPresent\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 152, - "Content": " securityContext:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33msecurityContext\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 153, - "Content": " runAsUser: 1001", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1001", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 154, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 155, - "Content": " - name: BITNAMI_DEBUG", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: BITNAMI_DEBUG", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 156, - "Content": " value: \"false\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: \u001b[38;5;37m\"false\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 157, - "Content": " - name: POSTGRESQL_PORT_NUMBER", - "IsCause": true, - 
"Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: POSTGRESQL_PORT_NUMBER", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 158, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV013", - "AVDID": "AVD-KSV-0013", - "Title": "Image tag \":latest\" used", - "Description": "It is best to avoid using the ':latest' image tag when deploying containers in production. Doing so makes it hard to track which version of the image is running, and hard to roll back the version.", - "Message": "Container 'init-chmod-data' of StatefulSet 'postgresql-postgresql' should specify an image tag", - "Namespace": "builtin.kubernetes.KSV013", - "Query": "data.builtin.kubernetes.KSV013.deny", - "Resolution": "Use a specific container image tag that is not 'latest'.", - "Severity": "MEDIUM", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv013", - "References": [ - "https://kubernetes.io/docs/concepts/configuration/overview/#container-images", - "https://avd.aquasec.com/misconfig/ksv013" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 122, - "EndLine": 143, - "Code": { - "Lines": [ - { - "Number": 122, - "Content": " - name: init-chmod-data", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: init-chmod-data", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 123, - "Content": " image: \"quay.io/devtron/minideb:latest\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/minideb:latest\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 124, - "Content": " imagePullPolicy: \"IfNotPresent\"", - "IsCause": true, - 
"Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: \u001b[38;5;37m\"IfNotPresent\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 125, - "Content": " command:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mcommand\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 126, - "Content": " - /bin/sh", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - /bin/sh", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 127, - "Content": " - -cx", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - -cx", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 128, - "Content": " - |", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - |", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 129, - "Content": " ", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[38;5;37m ", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 130, - "Content": " mkdir -p /bitnami/postgresql/data", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " mkdir -p /bitnami/postgresql/data", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 131, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV014", - "AVDID": "AVD-KSV-0014", - "Title": "Root file system is not read-only", - "Description": "An immutable root file system prevents applications from writing to their local disk. 
This can limit intrusions, as attackers will not be able to tamper with the file system or write foreign executables to disk.", - "Message": "Container 'init-chmod-data' of StatefulSet 'postgresql-postgresql' should set 'securityContext.readOnlyRootFilesystem' to true", - "Namespace": "builtin.kubernetes.KSV014", - "Query": "data.builtin.kubernetes.KSV014.deny", - "Resolution": "Change 'containers[].securityContext.readOnlyRootFilesystem' to 'true'.", - "Severity": "HIGH", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv014", - "References": [ - "https://kubesec.io/basics/containers-securitycontext-readonlyrootfilesystem-true/", - "https://avd.aquasec.com/misconfig/ksv014" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 122, - "EndLine": 143, - "Code": { - "Lines": [ - { - "Number": 122, - "Content": " - name: init-chmod-data", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: init-chmod-data", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 123, - "Content": " image: \"quay.io/devtron/minideb:latest\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/minideb:latest\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 124, - "Content": " imagePullPolicy: \"IfNotPresent\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: \u001b[38;5;37m\"IfNotPresent\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 125, - "Content": " command:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mcommand\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 126, - "Content": " - /bin/sh", - "IsCause": true, - "Annotation": "", - 
"Truncated": false, - "Highlighted": " - /bin/sh", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 127, - "Content": " - -cx", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - -cx", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 128, - "Content": " - |", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - |", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 129, - "Content": " ", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[38;5;37m ", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 130, - "Content": " mkdir -p /bitnami/postgresql/data", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " mkdir -p /bitnami/postgresql/data", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 131, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV014", - "AVDID": "AVD-KSV-0014", - "Title": "Root file system is not read-only", - "Description": "An immutable root file system prevents applications from writing to their local disk. 
This can limit intrusions, as attackers will not be able to tamper with the file system or write foreign executables to disk.", - "Message": "Container 'metrics' of StatefulSet 'postgresql-postgresql' should set 'securityContext.readOnlyRootFilesystem' to true", - "Namespace": "builtin.kubernetes.KSV014", - "Query": "data.builtin.kubernetes.KSV014.deny", - "Resolution": "Change 'containers[].securityContext.readOnlyRootFilesystem' to 'true'.", - "Severity": "HIGH", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv014", - "References": [ - "https://kubesec.io/basics/containers-securitycontext-readonlyrootfilesystem-true/", - "https://avd.aquasec.com/misconfig/ksv014" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 212, - "EndLine": 246, - "Code": { - "Lines": [ - { - "Number": 212, - "Content": " - name: metrics", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: metrics", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 213, - "Content": " image: quay.io/devtron/postgres_exporter:v0.4.7", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/postgres_exporter:v0.4.7", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 214, - "Content": " imagePullPolicy: \"IfNotPresent\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: \u001b[38;5;37m\"IfNotPresent\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 215, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 216, - "Content": " - name: DATA_SOURCE_URI", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " 
- \u001b[38;5;33mname\u001b[0m: DATA_SOURCE_URI", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 217, - "Content": " value: \"127.0.0.1:5432/orchestrator?sslmode=disable\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: \u001b[38;5;37m\"127.0.0.1:5432/orchestrator?sslmode=disable\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 218, - "Content": " - name: DATA_SOURCE_PASS", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: DATA_SOURCE_PASS", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 219, - "Content": " valueFrom:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalueFrom\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 220, - "Content": " secretKeyRef:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33msecretKeyRef\u001b[0m:", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 221, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV014", - "AVDID": "AVD-KSV-0014", - "Title": "Root file system is not read-only", - "Description": "An immutable root file system prevents applications from writing to their local disk. 
This can limit intrusions, as attackers will not be able to tamper with the file system or write foreign executables to disk.", - "Message": "Container 'postgresql-postgresql' of StatefulSet 'postgresql-postgresql' should set 'securityContext.readOnlyRootFilesystem' to true", - "Namespace": "builtin.kubernetes.KSV014", - "Query": "data.builtin.kubernetes.KSV014.deny", - "Resolution": "Change 'containers[].securityContext.readOnlyRootFilesystem' to 'true'.", - "Severity": "HIGH", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv014", - "References": [ - "https://kubesec.io/basics/containers-securitycontext-readonlyrootfilesystem-true/", - "https://avd.aquasec.com/misconfig/ksv014" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 149, - "EndLine": 210, - "Code": { - "Lines": [ - { - "Number": 149, - "Content": " - name: postgresql-postgresql", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-postgresql", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 150, - "Content": " image: quay.io/devtron/postgres:11.9.0-debian-10-r26", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/postgres:11.9.0-debian-10-r26", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 151, - "Content": " imagePullPolicy: \"IfNotPresent\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: \u001b[38;5;37m\"IfNotPresent\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 152, - "Content": " securityContext:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33msecurityContext\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 153, - "Content": " runAsUser: 1001", - "IsCause": 
true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1001", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 154, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 155, - "Content": " - name: BITNAMI_DEBUG", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: BITNAMI_DEBUG", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 156, - "Content": " value: \"false\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: \u001b[38;5;37m\"false\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 157, - "Content": " - name: POSTGRESQL_PORT_NUMBER", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: POSTGRESQL_PORT_NUMBER", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 158, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV015", - "AVDID": "AVD-KSV-0015", - "Title": "CPU requests not specified", - "Description": "When containers have resource requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", - "Message": "Container 'init-chmod-data' of StatefulSet 'postgresql-postgresql' should set 'resources.requests.cpu'", - "Namespace": "builtin.kubernetes.KSV015", - "Query": "data.builtin.kubernetes.KSV015.deny", - "Resolution": "Set 'containers[].resources.requests.cpu'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv015", - "References": [ - 
"https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", - "https://avd.aquasec.com/misconfig/ksv015" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 122, - "EndLine": 143, - "Code": { - "Lines": [ - { - "Number": 122, - "Content": " - name: init-chmod-data", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: init-chmod-data", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 123, - "Content": " image: \"quay.io/devtron/minideb:latest\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/minideb:latest\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 124, - "Content": " imagePullPolicy: \"IfNotPresent\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: \u001b[38;5;37m\"IfNotPresent\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 125, - "Content": " command:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mcommand\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 126, - "Content": " - /bin/sh", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - /bin/sh", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 127, - "Content": " - -cx", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - -cx", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 128, - "Content": " - |", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - |", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 129, - "Content": " ", - "IsCause": true, - "Annotation": 
"", - "Truncated": false, - "Highlighted": "\u001b[38;5;37m ", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 130, - "Content": " mkdir -p /bitnami/postgresql/data", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " mkdir -p /bitnami/postgresql/data", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 131, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV015", - "AVDID": "AVD-KSV-0015", - "Title": "CPU requests not specified", - "Description": "When containers have resource requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", - "Message": "Container 'metrics' of StatefulSet 'postgresql-postgresql' should set 'resources.requests.cpu'", - "Namespace": "builtin.kubernetes.KSV015", - "Query": "data.builtin.kubernetes.KSV015.deny", - "Resolution": "Set 'containers[].resources.requests.cpu'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv015", - "References": [ - "https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", - "https://avd.aquasec.com/misconfig/ksv015" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 212, - "EndLine": 246, - "Code": { - "Lines": [ - { - "Number": 212, - "Content": " - name: metrics", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: metrics", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 213, - "Content": " image: quay.io/devtron/postgres_exporter:v0.4.7", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: 
quay.io/devtron/postgres_exporter:v0.4.7", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 214, - "Content": " imagePullPolicy: \"IfNotPresent\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: \u001b[38;5;37m\"IfNotPresent\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 215, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 216, - "Content": " - name: DATA_SOURCE_URI", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: DATA_SOURCE_URI", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 217, - "Content": " value: \"127.0.0.1:5432/orchestrator?sslmode=disable\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: \u001b[38;5;37m\"127.0.0.1:5432/orchestrator?sslmode=disable\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 218, - "Content": " - name: DATA_SOURCE_PASS", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: DATA_SOURCE_PASS", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 219, - "Content": " valueFrom:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalueFrom\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 220, - "Content": " secretKeyRef:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33msecretKeyRef\u001b[0m:", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 221, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - 
"Type": "Kubernetes Security Check", - "ID": "KSV015", - "AVDID": "AVD-KSV-0015", - "Title": "CPU requests not specified", - "Description": "When containers have resource requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", - "Message": "Container 'postgresql-postgresql' of StatefulSet 'postgresql-postgresql' should set 'resources.requests.cpu'", - "Namespace": "builtin.kubernetes.KSV015", - "Query": "data.builtin.kubernetes.KSV015.deny", - "Resolution": "Set 'containers[].resources.requests.cpu'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv015", - "References": [ - "https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", - "https://avd.aquasec.com/misconfig/ksv015" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 149, - "EndLine": 210, - "Code": { - "Lines": [ - { - "Number": 149, - "Content": " - name: postgresql-postgresql", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-postgresql", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 150, - "Content": " image: quay.io/devtron/postgres:11.9.0-debian-10-r26", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/postgres:11.9.0-debian-10-r26", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 151, - "Content": " imagePullPolicy: \"IfNotPresent\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: \u001b[38;5;37m\"IfNotPresent\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 152, - "Content": " securityContext:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": 
"\u001b[0m \u001b[38;5;33msecurityContext\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 153, - "Content": " runAsUser: 1001", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1001", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 154, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 155, - "Content": " - name: BITNAMI_DEBUG", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: BITNAMI_DEBUG", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 156, - "Content": " value: \"false\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: \u001b[38;5;37m\"false\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 157, - "Content": " - name: POSTGRESQL_PORT_NUMBER", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: POSTGRESQL_PORT_NUMBER", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 158, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV016", - "AVDID": "AVD-KSV-0016", - "Title": "Memory requests not specified", - "Description": "When containers have memory requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", - "Message": "Container 'init-chmod-data' of StatefulSet 'postgresql-postgresql' should set 'resources.requests.memory'", - "Namespace": "builtin.kubernetes.KSV016", - "Query": "data.builtin.kubernetes.KSV016.deny", - 
"Resolution": "Set 'containers[].resources.requests.memory'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv016", - "References": [ - "https://kubesec.io/basics/containers-resources-limits-memory/", - "https://avd.aquasec.com/misconfig/ksv016" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 122, - "EndLine": 143, - "Code": { - "Lines": [ - { - "Number": 122, - "Content": " - name: init-chmod-data", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: init-chmod-data", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 123, - "Content": " image: \"quay.io/devtron/minideb:latest\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/minideb:latest\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 124, - "Content": " imagePullPolicy: \"IfNotPresent\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: \u001b[38;5;37m\"IfNotPresent\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 125, - "Content": " command:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mcommand\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 126, - "Content": " - /bin/sh", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - /bin/sh", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 127, - "Content": " - -cx", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - -cx", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 128, - "Content": " - |", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - |", - 
"FirstCause": false, - "LastCause": false - }, - { - "Number": 129, - "Content": " ", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[38;5;37m ", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 130, - "Content": " mkdir -p /bitnami/postgresql/data", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " mkdir -p /bitnami/postgresql/data", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 131, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV016", - "AVDID": "AVD-KSV-0016", - "Title": "Memory requests not specified", - "Description": "When containers have memory requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", - "Message": "Container 'metrics' of StatefulSet 'postgresql-postgresql' should set 'resources.requests.memory'", - "Namespace": "builtin.kubernetes.KSV016", - "Query": "data.builtin.kubernetes.KSV016.deny", - "Resolution": "Set 'containers[].resources.requests.memory'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv016", - "References": [ - "https://kubesec.io/basics/containers-resources-limits-memory/", - "https://avd.aquasec.com/misconfig/ksv016" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 212, - "EndLine": 246, - "Code": { - "Lines": [ - { - "Number": 212, - "Content": " - name: metrics", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: metrics", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 213, - "Content": " image: quay.io/devtron/postgres_exporter:v0.4.7", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": 
" \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/postgres_exporter:v0.4.7", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 214, - "Content": " imagePullPolicy: \"IfNotPresent\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: \u001b[38;5;37m\"IfNotPresent\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 215, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 216, - "Content": " - name: DATA_SOURCE_URI", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: DATA_SOURCE_URI", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 217, - "Content": " value: \"127.0.0.1:5432/orchestrator?sslmode=disable\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: \u001b[38;5;37m\"127.0.0.1:5432/orchestrator?sslmode=disable\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 218, - "Content": " - name: DATA_SOURCE_PASS", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: DATA_SOURCE_PASS", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 219, - "Content": " valueFrom:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalueFrom\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 220, - "Content": " secretKeyRef:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33msecretKeyRef\u001b[0m:", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 221, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": 
false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV016", - "AVDID": "AVD-KSV-0016", - "Title": "Memory requests not specified", - "Description": "When containers have memory requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", - "Message": "Container 'postgresql-postgresql' of StatefulSet 'postgresql-postgresql' should set 'resources.requests.memory'", - "Namespace": "builtin.kubernetes.KSV016", - "Query": "data.builtin.kubernetes.KSV016.deny", - "Resolution": "Set 'containers[].resources.requests.memory'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv016", - "References": [ - "https://kubesec.io/basics/containers-resources-limits-memory/", - "https://avd.aquasec.com/misconfig/ksv016" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 149, - "EndLine": 210, - "Code": { - "Lines": [ - { - "Number": 149, - "Content": " - name: postgresql-postgresql", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-postgresql", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 150, - "Content": " image: quay.io/devtron/postgres:11.9.0-debian-10-r26", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/postgres:11.9.0-debian-10-r26", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 151, - "Content": " imagePullPolicy: \"IfNotPresent\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: \u001b[38;5;37m\"IfNotPresent\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 152, - "Content": " securityContext:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m 
\u001b[38;5;33msecurityContext\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 153, - "Content": " runAsUser: 1001", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1001", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 154, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 155, - "Content": " - name: BITNAMI_DEBUG", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: BITNAMI_DEBUG", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 156, - "Content": " value: \"false\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: \u001b[38;5;37m\"false\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 157, - "Content": " - name: POSTGRESQL_PORT_NUMBER", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: POSTGRESQL_PORT_NUMBER", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 158, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV018", - "AVDID": "AVD-KSV-0018", - "Title": "Memory not limited", - "Description": "Enforcing memory limits prevents DoS via resource exhaustion.", - "Message": "Container 'init-chmod-data' of StatefulSet 'postgresql-postgresql' should set 'resources.limits.memory'", - "Namespace": "builtin.kubernetes.KSV018", - "Query": "data.builtin.kubernetes.KSV018.deny", - "Resolution": "Set a limit value under 'containers[].resources.limits.memory'.", - "Severity": "LOW", - "PrimaryURL": 
"https://avd.aquasec.com/misconfig/ksv018", - "References": [ - "https://kubesec.io/basics/containers-resources-limits-memory/", - "https://avd.aquasec.com/misconfig/ksv018" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 122, - "EndLine": 143, - "Code": { - "Lines": [ - { - "Number": 122, - "Content": " - name: init-chmod-data", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: init-chmod-data", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 123, - "Content": " image: \"quay.io/devtron/minideb:latest\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/minideb:latest\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 124, - "Content": " imagePullPolicy: \"IfNotPresent\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: \u001b[38;5;37m\"IfNotPresent\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 125, - "Content": " command:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mcommand\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 126, - "Content": " - /bin/sh", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - /bin/sh", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 127, - "Content": " - -cx", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - -cx", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 128, - "Content": " - |", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - |", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 129, - "Content": " ", - "IsCause": true, - 
"Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[38;5;37m ", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 130, - "Content": " mkdir -p /bitnami/postgresql/data", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " mkdir -p /bitnami/postgresql/data", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 131, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV018", - "AVDID": "AVD-KSV-0018", - "Title": "Memory not limited", - "Description": "Enforcing memory limits prevents DoS via resource exhaustion.", - "Message": "Container 'metrics' of StatefulSet 'postgresql-postgresql' should set 'resources.limits.memory'", - "Namespace": "builtin.kubernetes.KSV018", - "Query": "data.builtin.kubernetes.KSV018.deny", - "Resolution": "Set a limit value under 'containers[].resources.limits.memory'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv018", - "References": [ - "https://kubesec.io/basics/containers-resources-limits-memory/", - "https://avd.aquasec.com/misconfig/ksv018" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 212, - "EndLine": 246, - "Code": { - "Lines": [ - { - "Number": 212, - "Content": " - name: metrics", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: metrics", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 213, - "Content": " image: quay.io/devtron/postgres_exporter:v0.4.7", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/postgres_exporter:v0.4.7", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 214, - "Content": " imagePullPolicy: \"IfNotPresent\"", - 
"IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: \u001b[38;5;37m\"IfNotPresent\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 215, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 216, - "Content": " - name: DATA_SOURCE_URI", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: DATA_SOURCE_URI", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 217, - "Content": " value: \"127.0.0.1:5432/orchestrator?sslmode=disable\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: \u001b[38;5;37m\"127.0.0.1:5432/orchestrator?sslmode=disable\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 218, - "Content": " - name: DATA_SOURCE_PASS", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: DATA_SOURCE_PASS", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 219, - "Content": " valueFrom:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalueFrom\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 220, - "Content": " secretKeyRef:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33msecretKeyRef\u001b[0m:", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 221, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV018", - "AVDID": "AVD-KSV-0018", - "Title": "Memory not limited", - "Description": "Enforcing memory limits prevents DoS 
via resource exhaustion.", - "Message": "Container 'postgresql-postgresql' of StatefulSet 'postgresql-postgresql' should set 'resources.limits.memory'", - "Namespace": "builtin.kubernetes.KSV018", - "Query": "data.builtin.kubernetes.KSV018.deny", - "Resolution": "Set a limit value under 'containers[].resources.limits.memory'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv018", - "References": [ - "https://kubesec.io/basics/containers-resources-limits-memory/", - "https://avd.aquasec.com/misconfig/ksv018" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 149, - "EndLine": 210, - "Code": { - "Lines": [ - { - "Number": 149, - "Content": " - name: postgresql-postgresql", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-postgresql", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 150, - "Content": " image: quay.io/devtron/postgres:11.9.0-debian-10-r26", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/postgres:11.9.0-debian-10-r26", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 151, - "Content": " imagePullPolicy: \"IfNotPresent\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: \u001b[38;5;37m\"IfNotPresent\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 152, - "Content": " securityContext:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33msecurityContext\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 153, - "Content": " runAsUser: 1001", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1001", - "FirstCause": false, - 
"LastCause": false - }, - { - "Number": 154, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 155, - "Content": " - name: BITNAMI_DEBUG", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: BITNAMI_DEBUG", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 156, - "Content": " value: \"false\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: \u001b[38;5;37m\"false\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 157, - "Content": " - name: POSTGRESQL_PORT_NUMBER", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: POSTGRESQL_PORT_NUMBER", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 158, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV020", - "AVDID": "AVD-KSV-0020", - "Title": "Runs with UID \u003c= 10000", - "Description": "Force the container to run with user ID \u003e 10000 to avoid conflicts with the host’s user table.", - "Message": "Container 'init-chmod-data' of StatefulSet 'postgresql-postgresql' should set 'securityContext.runAsUser' \u003e 10000", - "Namespace": "builtin.kubernetes.KSV020", - "Query": "data.builtin.kubernetes.KSV020.deny", - "Resolution": "Set 'containers[].securityContext.runAsUser' to an integer \u003e 10000.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv020", - "References": [ - "https://kubesec.io/basics/containers-securitycontext-runasuser/", - "https://avd.aquasec.com/misconfig/ksv020" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - 
"Provider": "Kubernetes", - "Service": "general", - "StartLine": 122, - "EndLine": 143, - "Code": { - "Lines": [ - { - "Number": 122, - "Content": " - name: init-chmod-data", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: init-chmod-data", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 123, - "Content": " image: \"quay.io/devtron/minideb:latest\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/minideb:latest\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 124, - "Content": " imagePullPolicy: \"IfNotPresent\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: \u001b[38;5;37m\"IfNotPresent\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 125, - "Content": " command:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mcommand\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 126, - "Content": " - /bin/sh", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - /bin/sh", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 127, - "Content": " - -cx", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - -cx", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 128, - "Content": " - |", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - |", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 129, - "Content": " ", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[38;5;37m ", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 130, - "Content": " mkdir -p /bitnami/postgresql/data", - "IsCause": true, - "Annotation": "", - 
"Truncated": false, - "Highlighted": " mkdir -p /bitnami/postgresql/data", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 131, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV020", - "AVDID": "AVD-KSV-0020", - "Title": "Runs with UID \u003c= 10000", - "Description": "Force the container to run with user ID \u003e 10000 to avoid conflicts with the host’s user table.", - "Message": "Container 'metrics' of StatefulSet 'postgresql-postgresql' should set 'securityContext.runAsUser' \u003e 10000", - "Namespace": "builtin.kubernetes.KSV020", - "Query": "data.builtin.kubernetes.KSV020.deny", - "Resolution": "Set 'containers[].securityContext.runAsUser' to an integer \u003e 10000.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv020", - "References": [ - "https://kubesec.io/basics/containers-securitycontext-runasuser/", - "https://avd.aquasec.com/misconfig/ksv020" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 212, - "EndLine": 246, - "Code": { - "Lines": [ - { - "Number": 212, - "Content": " - name: metrics", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: metrics", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 213, - "Content": " image: quay.io/devtron/postgres_exporter:v0.4.7", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/postgres_exporter:v0.4.7", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 214, - "Content": " imagePullPolicy: \"IfNotPresent\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: \u001b[38;5;37m\"IfNotPresent\"", - "FirstCause": 
false, - "LastCause": false - }, - { - "Number": 215, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 216, - "Content": " - name: DATA_SOURCE_URI", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: DATA_SOURCE_URI", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 217, - "Content": " value: \"127.0.0.1:5432/orchestrator?sslmode=disable\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: \u001b[38;5;37m\"127.0.0.1:5432/orchestrator?sslmode=disable\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 218, - "Content": " - name: DATA_SOURCE_PASS", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: DATA_SOURCE_PASS", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 219, - "Content": " valueFrom:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalueFrom\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 220, - "Content": " secretKeyRef:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33msecretKeyRef\u001b[0m:", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 221, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV020", - "AVDID": "AVD-KSV-0020", - "Title": "Runs with UID \u003c= 10000", - "Description": "Force the container to run with user ID \u003e 10000 to avoid conflicts with the host’s user table.", - "Message": "Container 'postgresql-postgresql' of StatefulSet 'postgresql-postgresql' should 
set 'securityContext.runAsUser' \u003e 10000", - "Namespace": "builtin.kubernetes.KSV020", - "Query": "data.builtin.kubernetes.KSV020.deny", - "Resolution": "Set 'containers[].securityContext.runAsUser' to an integer \u003e 10000.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv020", - "References": [ - "https://kubesec.io/basics/containers-securitycontext-runasuser/", - "https://avd.aquasec.com/misconfig/ksv020" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 149, - "EndLine": 210, - "Code": { - "Lines": [ - { - "Number": 149, - "Content": " - name: postgresql-postgresql", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-postgresql", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 150, - "Content": " image: quay.io/devtron/postgres:11.9.0-debian-10-r26", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/postgres:11.9.0-debian-10-r26", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 151, - "Content": " imagePullPolicy: \"IfNotPresent\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: \u001b[38;5;37m\"IfNotPresent\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 152, - "Content": " securityContext:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33msecurityContext\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 153, - "Content": " runAsUser: 1001", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1001", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 154, - "Content": " env:", - "IsCause": true, - 
"Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 155, - "Content": " - name: BITNAMI_DEBUG", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: BITNAMI_DEBUG", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 156, - "Content": " value: \"false\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: \u001b[38;5;37m\"false\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 157, - "Content": " - name: POSTGRESQL_PORT_NUMBER", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: POSTGRESQL_PORT_NUMBER", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 158, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV021", - "AVDID": "AVD-KSV-0021", - "Title": "Runs with GID \u003c= 10000", - "Description": "Force the container to run with group ID \u003e 10000 to avoid conflicts with the host’s user table.", - "Message": "Container 'init-chmod-data' of StatefulSet 'postgresql-postgresql' should set 'securityContext.runAsGroup' \u003e 10000", - "Namespace": "builtin.kubernetes.KSV021", - "Query": "data.builtin.kubernetes.KSV021.deny", - "Resolution": "Set 'containers[].securityContext.runAsGroup' to an integer \u003e 10000.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv021", - "References": [ - "https://kubesec.io/basics/containers-securitycontext-runasuser/", - "https://avd.aquasec.com/misconfig/ksv021" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 122, - "EndLine": 143, - 
"Code": { - "Lines": [ - { - "Number": 122, - "Content": " - name: init-chmod-data", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: init-chmod-data", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 123, - "Content": " image: \"quay.io/devtron/minideb:latest\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/minideb:latest\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 124, - "Content": " imagePullPolicy: \"IfNotPresent\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: \u001b[38;5;37m\"IfNotPresent\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 125, - "Content": " command:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mcommand\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 126, - "Content": " - /bin/sh", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - /bin/sh", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 127, - "Content": " - -cx", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - -cx", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 128, - "Content": " - |", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - |", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 129, - "Content": " ", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[38;5;37m ", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 130, - "Content": " mkdir -p /bitnami/postgresql/data", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " mkdir -p /bitnami/postgresql/data", - "FirstCause": 
false, - "LastCause": true - }, - { - "Number": 131, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV021", - "AVDID": "AVD-KSV-0021", - "Title": "Runs with GID \u003c= 10000", - "Description": "Force the container to run with group ID \u003e 10000 to avoid conflicts with the host’s user table.", - "Message": "Container 'metrics' of StatefulSet 'postgresql-postgresql' should set 'securityContext.runAsGroup' \u003e 10000", - "Namespace": "builtin.kubernetes.KSV021", - "Query": "data.builtin.kubernetes.KSV021.deny", - "Resolution": "Set 'containers[].securityContext.runAsGroup' to an integer \u003e 10000.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv021", - "References": [ - "https://kubesec.io/basics/containers-securitycontext-runasuser/", - "https://avd.aquasec.com/misconfig/ksv021" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 212, - "EndLine": 246, - "Code": { - "Lines": [ - { - "Number": 212, - "Content": " - name: metrics", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: metrics", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 213, - "Content": " image: quay.io/devtron/postgres_exporter:v0.4.7", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/postgres_exporter:v0.4.7", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 214, - "Content": " imagePullPolicy: \"IfNotPresent\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: \u001b[38;5;37m\"IfNotPresent\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 215, - "Content": " env:", - "IsCause": 
true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 216, - "Content": " - name: DATA_SOURCE_URI", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: DATA_SOURCE_URI", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 217, - "Content": " value: \"127.0.0.1:5432/orchestrator?sslmode=disable\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: \u001b[38;5;37m\"127.0.0.1:5432/orchestrator?sslmode=disable\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 218, - "Content": " - name: DATA_SOURCE_PASS", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: DATA_SOURCE_PASS", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 219, - "Content": " valueFrom:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalueFrom\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 220, - "Content": " secretKeyRef:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33msecretKeyRef\u001b[0m:", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 221, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV021", - "AVDID": "AVD-KSV-0021", - "Title": "Runs with GID \u003c= 10000", - "Description": "Force the container to run with group ID \u003e 10000 to avoid conflicts with the host’s user table.", - "Message": "Container 'postgresql-postgresql' of StatefulSet 'postgresql-postgresql' should set 'securityContext.runAsGroup' \u003e 10000", - "Namespace": 
"builtin.kubernetes.KSV021", - "Query": "data.builtin.kubernetes.KSV021.deny", - "Resolution": "Set 'containers[].securityContext.runAsGroup' to an integer \u003e 10000.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv021", - "References": [ - "https://kubesec.io/basics/containers-securitycontext-runasuser/", - "https://avd.aquasec.com/misconfig/ksv021" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 149, - "EndLine": 210, - "Code": { - "Lines": [ - { - "Number": 149, - "Content": " - name: postgresql-postgresql", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-postgresql", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 150, - "Content": " image: quay.io/devtron/postgres:11.9.0-debian-10-r26", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/postgres:11.9.0-debian-10-r26", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 151, - "Content": " imagePullPolicy: \"IfNotPresent\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: \u001b[38;5;37m\"IfNotPresent\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 152, - "Content": " securityContext:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33msecurityContext\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 153, - "Content": " runAsUser: 1001", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1001", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 154, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m 
\u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 155, - "Content": " - name: BITNAMI_DEBUG", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: BITNAMI_DEBUG", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 156, - "Content": " value: \"false\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: \u001b[38;5;37m\"false\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 157, - "Content": " - name: POSTGRESQL_PORT_NUMBER", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: POSTGRESQL_PORT_NUMBER", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 158, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV030", - "AVDID": "AVD-KSV-0030", - "Title": "Runtime/Default Seccomp profile not set", - "Description": "According to pod security standard 'Seccomp', the RuntimeDefault seccomp profile must be required, or allow specific additional profiles.", - "Message": "Either Pod or Container should set 'securityContext.seccompProfile.type' to 'RuntimeDefault'", - "Namespace": "builtin.kubernetes.KSV030", - "Query": "data.builtin.kubernetes.KSV030.deny", - "Resolution": "Set 'spec.securityContext.seccompProfile.type', 'spec.containers[*].securityContext.seccompProfile' and 'spec.initContainers[*].securityContext.seccompProfile' to 'RuntimeDefault' or undefined.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv030", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", - "https://avd.aquasec.com/misconfig/ksv030" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - 
"Provider": "Kubernetes", - "Service": "general", - "StartLine": 212, - "EndLine": 246, - "Code": { - "Lines": [ - { - "Number": 212, - "Content": " - name: metrics", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: metrics", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 213, - "Content": " image: quay.io/devtron/postgres_exporter:v0.4.7", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/postgres_exporter:v0.4.7", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 214, - "Content": " imagePullPolicy: \"IfNotPresent\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: \u001b[38;5;37m\"IfNotPresent\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 215, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 216, - "Content": " - name: DATA_SOURCE_URI", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: DATA_SOURCE_URI", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 217, - "Content": " value: \"127.0.0.1:5432/orchestrator?sslmode=disable\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: \u001b[38;5;37m\"127.0.0.1:5432/orchestrator?sslmode=disable\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 218, - "Content": " - name: DATA_SOURCE_PASS", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: DATA_SOURCE_PASS", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 219, - "Content": " valueFrom:", - "IsCause": true, - 
"Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalueFrom\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 220, - "Content": " secretKeyRef:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33msecretKeyRef\u001b[0m:", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 221, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV030", - "AVDID": "AVD-KSV-0030", - "Title": "Runtime/Default Seccomp profile not set", - "Description": "According to pod security standard 'Seccomp', the RuntimeDefault seccomp profile must be required, or allow specific additional profiles.", - "Message": "Either Pod or Container should set 'securityContext.seccompProfile.type' to 'RuntimeDefault'", - "Namespace": "builtin.kubernetes.KSV030", - "Query": "data.builtin.kubernetes.KSV030.deny", - "Resolution": "Set 'spec.securityContext.seccompProfile.type', 'spec.containers[*].securityContext.seccompProfile' and 'spec.initContainers[*].securityContext.seccompProfile' to 'RuntimeDefault' or undefined.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv030", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", - "https://avd.aquasec.com/misconfig/ksv030" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 149, - "EndLine": 210, - "Code": { - "Lines": [ - { - "Number": 149, - "Content": " - name: postgresql-postgresql", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-postgresql", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 150, - "Content": " image: quay.io/devtron/postgres:11.9.0-debian-10-r26", - 
"IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/postgres:11.9.0-debian-10-r26", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 151, - "Content": " imagePullPolicy: \"IfNotPresent\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: \u001b[38;5;37m\"IfNotPresent\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 152, - "Content": " securityContext:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33msecurityContext\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 153, - "Content": " runAsUser: 1001", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1001", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 154, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 155, - "Content": " - name: BITNAMI_DEBUG", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: BITNAMI_DEBUG", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 156, - "Content": " value: \"false\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: \u001b[38;5;37m\"false\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 157, - "Content": " - name: POSTGRESQL_PORT_NUMBER", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: POSTGRESQL_PORT_NUMBER", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 158, - "Content": "", - "IsCause": false, - "Annotation": "", - 
"Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV030", - "AVDID": "AVD-KSV-0030", - "Title": "Runtime/Default Seccomp profile not set", - "Description": "According to pod security standard 'Seccomp', the RuntimeDefault seccomp profile must be required, or allow specific additional profiles.", - "Message": "Either Pod or Container should set 'securityContext.seccompProfile.type' to 'RuntimeDefault'", - "Namespace": "builtin.kubernetes.KSV030", - "Query": "data.builtin.kubernetes.KSV030.deny", - "Resolution": "Set 'spec.securityContext.seccompProfile.type', 'spec.containers[*].securityContext.seccompProfile' and 'spec.initContainers[*].securityContext.seccompProfile' to 'RuntimeDefault' or undefined.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv030", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", - "https://avd.aquasec.com/misconfig/ksv030" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 122, - "EndLine": 143, - "Code": { - "Lines": [ - { - "Number": 122, - "Content": " - name: init-chmod-data", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: init-chmod-data", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 123, - "Content": " image: \"quay.io/devtron/minideb:latest\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/minideb:latest\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 124, - "Content": " imagePullPolicy: \"IfNotPresent\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: \u001b[38;5;37m\"IfNotPresent\"", - "FirstCause": false, - 
"LastCause": false - }, - { - "Number": 125, - "Content": " command:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mcommand\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 126, - "Content": " - /bin/sh", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - /bin/sh", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 127, - "Content": " - -cx", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - -cx", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 128, - "Content": " - |", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - |", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 129, - "Content": " ", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[38;5;37m ", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 130, - "Content": " mkdir -p /bitnami/postgresql/data", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " mkdir -p /bitnami/postgresql/data", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 131, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV104", - "AVDID": "AVD-KSV-0104", - "Title": "Seccomp policies disabled", - "Description": "A program inside the container can bypass Seccomp protection policies.", - "Message": "container \"init-chmod-data\" of statefulset \"postgresql-postgresql\" in \"default\" namespace should specify a seccomp profile", - "Namespace": "builtin.kubernetes.KSV104", - "Query": "data.builtin.kubernetes.KSV104.deny", - "Resolution": "Specify seccomp either by annotation or by seccomp profile type having allowed values as per pod security standards", - "Severity": "MEDIUM", - 
"PrimaryURL": "https://avd.aquasec.com/misconfig/ksv104", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline", - "https://avd.aquasec.com/misconfig/ksv104" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 90, - "EndLine": 90, - "Code": { - "Lines": [ - { - "Number": 90, - "Content": "---", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "---", - "FirstCause": true, - "LastCause": true - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV104", - "AVDID": "AVD-KSV-0104", - "Title": "Seccomp policies disabled", - "Description": "A program inside the container can bypass Seccomp protection policies.", - "Message": "container \"metrics\" of statefulset \"postgresql-postgresql\" in \"default\" namespace should specify a seccomp profile", - "Namespace": "builtin.kubernetes.KSV104", - "Query": "data.builtin.kubernetes.KSV104.deny", - "Resolution": "Specify seccomp either by annotation or by seccomp profile type having allowed values as per pod security standards", - "Severity": "MEDIUM", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv104", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline", - "https://avd.aquasec.com/misconfig/ksv104" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 90, - "EndLine": 90, - "Code": { - "Lines": [ - { - "Number": 90, - "Content": "---", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "---", - "FirstCause": true, - "LastCause": true - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV104", - "AVDID": "AVD-KSV-0104", - "Title": "Seccomp policies disabled", - "Description": "A program inside the container can bypass Seccomp protection policies.", - "Message": "container 
\"postgresql-postgresql\" of statefulset \"postgresql-postgresql\" in \"default\" namespace should specify a seccomp profile", - "Namespace": "builtin.kubernetes.KSV104", - "Query": "data.builtin.kubernetes.KSV104.deny", - "Resolution": "Specify seccomp either by annotation or by seccomp profile type having allowed values as per pod security standards", - "Severity": "MEDIUM", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv104", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline", - "https://avd.aquasec.com/misconfig/ksv104" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 90, - "EndLine": 90, - "Code": { - "Lines": [ - { - "Number": 90, - "Content": "---", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "---", - "FirstCause": true, - "LastCause": true - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV105", - "AVDID": "AVD-KSV-0105", - "Title": "Containers must not set runAsUser to 0", - "Description": "Containers should be forbidden from running with a root UID.", - "Message": "securityContext.runAsUser should be set to a value greater than 0", - "Namespace": "builtin.kubernetes.KSV105", - "Query": "data.builtin.kubernetes.KSV105.deny", - "Resolution": "Set 'securityContext.runAsUser' to a non-zero integer or leave undefined.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv105", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", - "https://avd.aquasec.com/misconfig/ksv105" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 136, - "EndLine": 136, - "Code": { - "Lines": [ - { - "Number": 136, - "Content": " runAsUser: 0", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " 
\u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m0", - "FirstCause": true, - "LastCause": true - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV106", - "AVDID": "AVD-KSV-0106", - "Title": "Container capabilities must only include NET_BIND_SERVICE", - "Description": "Containers must drop ALL capabilities, and are only permitted to add back the NET_BIND_SERVICE capability.", - "Message": "container should drop all", - "Namespace": "builtin.kubernetes.KSV106", - "Query": "data.builtin.kubernetes.KSV106.deny", - "Resolution": "Set 'spec.containers[*].securityContext.capabilities.drop' to 'ALL' and only add 'NET_BIND_SERVICE' to 'spec.containers[*].securityContext.capabilities.add'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv106", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", - "https://avd.aquasec.com/misconfig/ksv106" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 212, - "EndLine": 246, - "Code": { - "Lines": [ - { - "Number": 212, - "Content": " - name: metrics", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: metrics", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 213, - "Content": " image: quay.io/devtron/postgres_exporter:v0.4.7", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/postgres_exporter:v0.4.7", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 214, - "Content": " imagePullPolicy: \"IfNotPresent\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: \u001b[38;5;37m\"IfNotPresent\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 215, - "Content": " env:", - "IsCause": true, - "Annotation": "", - 
"Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 216, - "Content": " - name: DATA_SOURCE_URI", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: DATA_SOURCE_URI", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 217, - "Content": " value: \"127.0.0.1:5432/orchestrator?sslmode=disable\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: \u001b[38;5;37m\"127.0.0.1:5432/orchestrator?sslmode=disable\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 218, - "Content": " - name: DATA_SOURCE_PASS", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: DATA_SOURCE_PASS", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 219, - "Content": " valueFrom:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalueFrom\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 220, - "Content": " secretKeyRef:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33msecretKeyRef\u001b[0m:", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 221, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV106", - "AVDID": "AVD-KSV-0106", - "Title": "Container capabilities must only include NET_BIND_SERVICE", - "Description": "Containers must drop ALL capabilities, and are only permitted to add back the NET_BIND_SERVICE capability.", - "Message": "container should drop all", - "Namespace": "builtin.kubernetes.KSV106", - "Query": "data.builtin.kubernetes.KSV106.deny", - "Resolution": "Set 
'spec.containers[*].securityContext.capabilities.drop' to 'ALL' and only add 'NET_BIND_SERVICE' to 'spec.containers[*].securityContext.capabilities.add'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv106", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", - "https://avd.aquasec.com/misconfig/ksv106" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 149, - "EndLine": 210, - "Code": { - "Lines": [ - { - "Number": 149, - "Content": " - name: postgresql-postgresql", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-postgresql", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 150, - "Content": " image: quay.io/devtron/postgres:11.9.0-debian-10-r26", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/postgres:11.9.0-debian-10-r26", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 151, - "Content": " imagePullPolicy: \"IfNotPresent\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: \u001b[38;5;37m\"IfNotPresent\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 152, - "Content": " securityContext:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33msecurityContext\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 153, - "Content": " runAsUser: 1001", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1001", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 154, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m 
\u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 155, - "Content": " - name: BITNAMI_DEBUG", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: BITNAMI_DEBUG", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 156, - "Content": " value: \"false\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: \u001b[38;5;37m\"false\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 157, - "Content": " - name: POSTGRESQL_PORT_NUMBER", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: POSTGRESQL_PORT_NUMBER", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 158, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV106", - "AVDID": "AVD-KSV-0106", - "Title": "Container capabilities must only include NET_BIND_SERVICE", - "Description": "Containers must drop ALL capabilities, and are only permitted to add back the NET_BIND_SERVICE capability.", - "Message": "container should drop all", - "Namespace": "builtin.kubernetes.KSV106", - "Query": "data.builtin.kubernetes.KSV106.deny", - "Resolution": "Set 'spec.containers[*].securityContext.capabilities.drop' to 'ALL' and only add 'NET_BIND_SERVICE' to 'spec.containers[*].securityContext.capabilities.add'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv106", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", - "https://avd.aquasec.com/misconfig/ksv106" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 122, - "EndLine": 143, - "Code": { - "Lines": [ - { - 
"Number": 122, - "Content": " - name: init-chmod-data", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: init-chmod-data", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 123, - "Content": " image: \"quay.io/devtron/minideb:latest\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/minideb:latest\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 124, - "Content": " imagePullPolicy: \"IfNotPresent\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: \u001b[38;5;37m\"IfNotPresent\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 125, - "Content": " command:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mcommand\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 126, - "Content": " - /bin/sh", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - /bin/sh", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 127, - "Content": " - -cx", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - -cx", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 128, - "Content": " - |", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - |", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 129, - "Content": " ", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[38;5;37m ", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 130, - "Content": " mkdir -p /bitnami/postgresql/data", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " mkdir -p /bitnami/postgresql/data", - "FirstCause": false, - "LastCause": true - }, 
- { - "Number": 131, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - } - ] - }, - { - "Target": "manifests/yamls/rollout.yaml", - "Class": "config", - "Type": "kubernetes", - "MisconfSummary": { - "Successes": 153, - "Failures": 19, - "Exceptions": 0 - }, - "Misconfigurations": [ - { - "Type": "Kubernetes Security Check", - "ID": "KSV001", - "AVDID": "AVD-KSV-0001", - "Title": "Can elevate its own privileges", - "Description": "A program inside the container can elevate its own privileges and run as root, which might give the program control over the container and node.", - "Message": "Container 'argo-rollouts' of Deployment 'argo-rollouts' should set 'securityContext.allowPrivilegeEscalation' to false", - "Namespace": "builtin.kubernetes.KSV001", - "Query": "data.builtin.kubernetes.KSV001.deny", - "Resolution": "Set 'set containers[].securityContext.allowPrivilegeEscalation' to 'false'.", - "Severity": "MEDIUM", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv001", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", - "https://avd.aquasec.com/misconfig/ksv001" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 321, - "EndLine": 328, - "Code": { - "Lines": [ - { - "Number": 321, - "Content": " - command:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mcommand\u001b[0m:", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 322, - "Content": " - /bin/rollouts-controller", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - /bin/rollouts-controller", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 323, - "Content": " image: quay.io/devtron/rollout:v0.6.2", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " 
\u001b[38;5;33mimage\u001b[0m: quay.io/devtron/rollout:v0.6.2", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 324, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 325, - "Content": " name: argo-rollouts", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mname\u001b[0m: argo-rollouts", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 326, - "Content": " volumeMounts:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvolumeMounts\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 327, - "Content": " - mountPath: /tmp", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mmountPath\u001b[0m: /tmp", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 328, - "Content": " name: tmp", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mname\u001b[0m: tmp", - "FirstCause": false, - "LastCause": true - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV003", - "AVDID": "AVD-KSV-0003", - "Title": "Default capabilities: some containers do not drop all", - "Description": "The container should drop all default capabilities and add only those that are needed for its execution.", - "Message": "Container 'argo-rollouts' of Deployment 'argo-rollouts' should add 'ALL' to 'securityContext.capabilities.drop'", - "Namespace": "builtin.kubernetes.KSV003", - "Query": "data.builtin.kubernetes.KSV003.deny", - "Resolution": "Add 'ALL' to containers[].securityContext.capabilities.drop.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv003", - "References": [ - 
"https://kubesec.io/basics/containers-securitycontext-capabilities-drop-index-all/", - "https://avd.aquasec.com/misconfig/ksv003" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 321, - "EndLine": 328, - "Code": { - "Lines": [ - { - "Number": 321, - "Content": " - command:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mcommand\u001b[0m:", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 322, - "Content": " - /bin/rollouts-controller", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - /bin/rollouts-controller", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 323, - "Content": " image: quay.io/devtron/rollout:v0.6.2", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/rollout:v0.6.2", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 324, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 325, - "Content": " name: argo-rollouts", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mname\u001b[0m: argo-rollouts", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 326, - "Content": " volumeMounts:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvolumeMounts\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 327, - "Content": " - mountPath: /tmp", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mmountPath\u001b[0m: /tmp", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 328, - "Content": " name: tmp", - 
"IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mname\u001b[0m: tmp", - "FirstCause": false, - "LastCause": true - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV011", - "AVDID": "AVD-KSV-0011", - "Title": "CPU not limited", - "Description": "Enforcing CPU limits prevents DoS via resource exhaustion.", - "Message": "Container 'argo-rollouts' of Deployment 'argo-rollouts' should set 'resources.limits.cpu'", - "Namespace": "builtin.kubernetes.KSV011", - "Query": "data.builtin.kubernetes.KSV011.deny", - "Resolution": "Set a limit value under 'containers[].resources.limits.cpu'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv011", - "References": [ - "https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", - "https://avd.aquasec.com/misconfig/ksv011" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 321, - "EndLine": 328, - "Code": { - "Lines": [ - { - "Number": 321, - "Content": " - command:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mcommand\u001b[0m:", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 322, - "Content": " - /bin/rollouts-controller", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - /bin/rollouts-controller", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 323, - "Content": " image: quay.io/devtron/rollout:v0.6.2", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/rollout:v0.6.2", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 324, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: 
IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 325, - "Content": " name: argo-rollouts", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mname\u001b[0m: argo-rollouts", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 326, - "Content": " volumeMounts:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvolumeMounts\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 327, - "Content": " - mountPath: /tmp", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mmountPath\u001b[0m: /tmp", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 328, - "Content": " name: tmp", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mname\u001b[0m: tmp", - "FirstCause": false, - "LastCause": true - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV012", - "AVDID": "AVD-KSV-0012", - "Title": "Runs as root user", - "Description": "Force the running image to run as a non-root user to ensure least privileges.", - "Message": "Container 'argo-rollouts' of Deployment 'argo-rollouts' should set 'securityContext.runAsNonRoot' to true", - "Namespace": "builtin.kubernetes.KSV012", - "Query": "data.builtin.kubernetes.KSV012.deny", - "Resolution": "Set 'containers[].securityContext.runAsNonRoot' to true.", - "Severity": "MEDIUM", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv012", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", - "https://avd.aquasec.com/misconfig/ksv012" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 321, - "EndLine": 328, - "Code": { - "Lines": [ - { - "Number": 321, - "Content": " - command:", - "IsCause": true, - "Annotation": "", - "Truncated": 
false, - "Highlighted": " - \u001b[38;5;33mcommand\u001b[0m:", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 322, - "Content": " - /bin/rollouts-controller", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - /bin/rollouts-controller", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 323, - "Content": " image: quay.io/devtron/rollout:v0.6.2", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/rollout:v0.6.2", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 324, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 325, - "Content": " name: argo-rollouts", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mname\u001b[0m: argo-rollouts", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 326, - "Content": " volumeMounts:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvolumeMounts\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 327, - "Content": " - mountPath: /tmp", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mmountPath\u001b[0m: /tmp", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 328, - "Content": " name: tmp", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mname\u001b[0m: tmp", - "FirstCause": false, - "LastCause": true - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV014", - "AVDID": "AVD-KSV-0014", - "Title": "Root file system is not read-only", - "Description": "An immutable root file system prevents applications from writing to their 
local disk. This can limit intrusions, as attackers will not be able to tamper with the file system or write foreign executables to disk.", - "Message": "Container 'argo-rollouts' of Deployment 'argo-rollouts' should set 'securityContext.readOnlyRootFilesystem' to true", - "Namespace": "builtin.kubernetes.KSV014", - "Query": "data.builtin.kubernetes.KSV014.deny", - "Resolution": "Change 'containers[].securityContext.readOnlyRootFilesystem' to 'true'.", - "Severity": "HIGH", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv014", - "References": [ - "https://kubesec.io/basics/containers-securitycontext-readonlyrootfilesystem-true/", - "https://avd.aquasec.com/misconfig/ksv014" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 321, - "EndLine": 328, - "Code": { - "Lines": [ - { - "Number": 321, - "Content": " - command:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mcommand\u001b[0m:", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 322, - "Content": " - /bin/rollouts-controller", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - /bin/rollouts-controller", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 323, - "Content": " image: quay.io/devtron/rollout:v0.6.2", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/rollout:v0.6.2", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 324, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 325, - "Content": " name: argo-rollouts", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mname\u001b[0m: 
argo-rollouts", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 326, - "Content": " volumeMounts:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvolumeMounts\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 327, - "Content": " - mountPath: /tmp", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mmountPath\u001b[0m: /tmp", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 328, - "Content": " name: tmp", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mname\u001b[0m: tmp", - "FirstCause": false, - "LastCause": true - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV015", - "AVDID": "AVD-KSV-0015", - "Title": "CPU requests not specified", - "Description": "When containers have resource requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", - "Message": "Container 'argo-rollouts' of Deployment 'argo-rollouts' should set 'resources.requests.cpu'", - "Namespace": "builtin.kubernetes.KSV015", - "Query": "data.builtin.kubernetes.KSV015.deny", - "Resolution": "Set 'containers[].resources.requests.cpu'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv015", - "References": [ - "https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", - "https://avd.aquasec.com/misconfig/ksv015" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 321, - "EndLine": 328, - "Code": { - "Lines": [ - { - "Number": 321, - "Content": " - command:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mcommand\u001b[0m:", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 322, 
- "Content": " - /bin/rollouts-controller", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - /bin/rollouts-controller", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 323, - "Content": " image: quay.io/devtron/rollout:v0.6.2", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/rollout:v0.6.2", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 324, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 325, - "Content": " name: argo-rollouts", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mname\u001b[0m: argo-rollouts", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 326, - "Content": " volumeMounts:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvolumeMounts\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 327, - "Content": " - mountPath: /tmp", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mmountPath\u001b[0m: /tmp", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 328, - "Content": " name: tmp", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mname\u001b[0m: tmp", - "FirstCause": false, - "LastCause": true - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV016", - "AVDID": "AVD-KSV-0016", - "Title": "Memory requests not specified", - "Description": "When containers have memory requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", - "Message": "Container 'argo-rollouts' of 
Deployment 'argo-rollouts' should set 'resources.requests.memory'", - "Namespace": "builtin.kubernetes.KSV016", - "Query": "data.builtin.kubernetes.KSV016.deny", - "Resolution": "Set 'containers[].resources.requests.memory'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv016", - "References": [ - "https://kubesec.io/basics/containers-resources-limits-memory/", - "https://avd.aquasec.com/misconfig/ksv016" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 321, - "EndLine": 328, - "Code": { - "Lines": [ - { - "Number": 321, - "Content": " - command:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mcommand\u001b[0m:", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 322, - "Content": " - /bin/rollouts-controller", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - /bin/rollouts-controller", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 323, - "Content": " image: quay.io/devtron/rollout:v0.6.2", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/rollout:v0.6.2", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 324, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 325, - "Content": " name: argo-rollouts", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mname\u001b[0m: argo-rollouts", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 326, - "Content": " volumeMounts:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvolumeMounts\u001b[0m:", - "FirstCause": 
false, - "LastCause": false - }, - { - "Number": 327, - "Content": " - mountPath: /tmp", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mmountPath\u001b[0m: /tmp", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 328, - "Content": " name: tmp", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mname\u001b[0m: tmp", - "FirstCause": false, - "LastCause": true - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV018", - "AVDID": "AVD-KSV-0018", - "Title": "Memory not limited", - "Description": "Enforcing memory limits prevents DoS via resource exhaustion.", - "Message": "Container 'argo-rollouts' of Deployment 'argo-rollouts' should set 'resources.limits.memory'", - "Namespace": "builtin.kubernetes.KSV018", - "Query": "data.builtin.kubernetes.KSV018.deny", - "Resolution": "Set a limit value under 'containers[].resources.limits.memory'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv018", - "References": [ - "https://kubesec.io/basics/containers-resources-limits-memory/", - "https://avd.aquasec.com/misconfig/ksv018" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 321, - "EndLine": 328, - "Code": { - "Lines": [ - { - "Number": 321, - "Content": " - command:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mcommand\u001b[0m:", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 322, - "Content": " - /bin/rollouts-controller", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - /bin/rollouts-controller", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 323, - "Content": " image: quay.io/devtron/rollout:v0.6.2", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: 
quay.io/devtron/rollout:v0.6.2", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 324, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 325, - "Content": " name: argo-rollouts", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mname\u001b[0m: argo-rollouts", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 326, - "Content": " volumeMounts:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvolumeMounts\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 327, - "Content": " - mountPath: /tmp", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mmountPath\u001b[0m: /tmp", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 328, - "Content": " name: tmp", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mname\u001b[0m: tmp", - "FirstCause": false, - "LastCause": true - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV020", - "AVDID": "AVD-KSV-0020", - "Title": "Runs with UID \u003c= 10000", - "Description": "Force the container to run with user ID \u003e 10000 to avoid conflicts with the host’s user table.", - "Message": "Container 'argo-rollouts' of Deployment 'argo-rollouts' should set 'securityContext.runAsUser' \u003e 10000", - "Namespace": "builtin.kubernetes.KSV020", - "Query": "data.builtin.kubernetes.KSV020.deny", - "Resolution": "Set 'containers[].securityContext.runAsUser' to an integer \u003e 10000.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv020", - "References": [ - "https://kubesec.io/basics/containers-securitycontext-runasuser/", - 
"https://avd.aquasec.com/misconfig/ksv020" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 321, - "EndLine": 328, - "Code": { - "Lines": [ - { - "Number": 321, - "Content": " - command:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mcommand\u001b[0m:", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 322, - "Content": " - /bin/rollouts-controller", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - /bin/rollouts-controller", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 323, - "Content": " image: quay.io/devtron/rollout:v0.6.2", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/rollout:v0.6.2", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 324, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 325, - "Content": " name: argo-rollouts", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mname\u001b[0m: argo-rollouts", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 326, - "Content": " volumeMounts:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvolumeMounts\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 327, - "Content": " - mountPath: /tmp", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mmountPath\u001b[0m: /tmp", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 328, - "Content": " name: tmp", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " 
\u001b[38;5;33mname\u001b[0m: tmp", - "FirstCause": false, - "LastCause": true - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV021", - "AVDID": "AVD-KSV-0021", - "Title": "Runs with GID \u003c= 10000", - "Description": "Force the container to run with group ID \u003e 10000 to avoid conflicts with the host’s user table.", - "Message": "Container 'argo-rollouts' of Deployment 'argo-rollouts' should set 'securityContext.runAsGroup' \u003e 10000", - "Namespace": "builtin.kubernetes.KSV021", - "Query": "data.builtin.kubernetes.KSV021.deny", - "Resolution": "Set 'containers[].securityContext.runAsGroup' to an integer \u003e 10000.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv021", - "References": [ - "https://kubesec.io/basics/containers-securitycontext-runasuser/", - "https://avd.aquasec.com/misconfig/ksv021" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 321, - "EndLine": 328, - "Code": { - "Lines": [ - { - "Number": 321, - "Content": " - command:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mcommand\u001b[0m:", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 322, - "Content": " - /bin/rollouts-controller", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - /bin/rollouts-controller", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 323, - "Content": " image: quay.io/devtron/rollout:v0.6.2", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/rollout:v0.6.2", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 324, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": 
false - }, - { - "Number": 325, - "Content": " name: argo-rollouts", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mname\u001b[0m: argo-rollouts", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 326, - "Content": " volumeMounts:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvolumeMounts\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 327, - "Content": " - mountPath: /tmp", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mmountPath\u001b[0m: /tmp", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 328, - "Content": " name: tmp", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mname\u001b[0m: tmp", - "FirstCause": false, - "LastCause": true - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV030", - "AVDID": "AVD-KSV-0030", - "Title": "Runtime/Default Seccomp profile not set", - "Description": "According to pod security standard 'Seccomp', the RuntimeDefault seccomp profile must be required, or allow specific additional profiles.", - "Message": "Either Pod or Container should set 'securityContext.seccompProfile.type' to 'RuntimeDefault'", - "Namespace": "builtin.kubernetes.KSV030", - "Query": "data.builtin.kubernetes.KSV030.deny", - "Resolution": "Set 'spec.securityContext.seccompProfile.type', 'spec.containers[*].securityContext.seccompProfile' and 'spec.initContainers[*].securityContext.seccompProfile' to 'RuntimeDefault' or undefined.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv030", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", - "https://avd.aquasec.com/misconfig/ksv030" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 321, 
- "EndLine": 328, - "Code": { - "Lines": [ - { - "Number": 321, - "Content": " - command:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mcommand\u001b[0m:", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 322, - "Content": " - /bin/rollouts-controller", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - /bin/rollouts-controller", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 323, - "Content": " image: quay.io/devtron/rollout:v0.6.2", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/rollout:v0.6.2", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 324, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 325, - "Content": " name: argo-rollouts", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mname\u001b[0m: argo-rollouts", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 326, - "Content": " volumeMounts:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvolumeMounts\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 327, - "Content": " - mountPath: /tmp", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mmountPath\u001b[0m: /tmp", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 328, - "Content": " name: tmp", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mname\u001b[0m: tmp", - "FirstCause": false, - "LastCause": true - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV048", - "AVDID": 
"AVD-KSV-0048", - "Title": "Manage Kubernetes workloads and pods", - "Description": "Depending on the policies enforced by the admission controller, this permission ranges from the ability to steal compute (crypto) by running workloads or allowing for creating workloads that escape to the node as root and escalation to cluster-admin.", - "Message": "ClusterRole 'argo-rollouts-clusterrole' should not have access to resources [\"pods\", \"deployments\", \"jobs\", \"cronjobs\", \"statefulsets\", \"daemonsets\", \"replicasets\", \"replicationcontrollers\"] for verbs [\"create\", \"update\", \"patch\", \"delete\", \"deletecollection\", \"impersonate\", \"*\"]", - "Namespace": "builtin.kubernetes.KSV048", - "Query": "data.builtin.kubernetes.KSV048.deny", - "Resolution": "Kubernetes workloads resources are only allowed for verbs 'list', 'watch', 'get'", - "Severity": "MEDIUM", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv048", - "References": [ - "https://kubernetes.io/docs/concepts/security/rbac-good-practices/", - "https://avd.aquasec.com/misconfig/ksv048" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 178, - "EndLine": 189, - "Code": { - "Lines": [ - { - "Number": 178, - "Content": " - apiGroups:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mapiGroups\u001b[0m:", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 179, - "Content": " - apps", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - apps", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 180, - "Content": " resources:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mresources\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 181, - "Content": " - replicasets", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": 
" - replicasets", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 182, - "Content": " verbs:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mverbs\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 183, - "Content": " - create", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - create", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 184, - "Content": " - get", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - get", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 185, - "Content": " - list", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - list", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 186, - "Content": " - watch", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - watch", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 187, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV048", - "AVDID": "AVD-KSV-0048", - "Title": "Manage Kubernetes workloads and pods", - "Description": "Depending on the policies enforced by the admission controller, this permission ranges from the ability to steal compute (crypto) by running workloads or allowing for creating workloads that escape to the node as root and escalation to cluster-admin.", - "Message": "ClusterRole 'argo-rollouts-clusterrole' should not have access to resources [\"pods\", \"deployments\", \"jobs\", \"cronjobs\", \"statefulsets\", \"daemonsets\", \"replicasets\", \"replicationcontrollers\"] for verbs [\"create\", \"update\", \"patch\", \"delete\", \"deletecollection\", \"impersonate\", \"*\"]", - "Namespace": "builtin.kubernetes.KSV048", - "Query": 
"data.builtin.kubernetes.KSV048.deny", - "Resolution": "Kubernetes workloads resources are only allowed for verbs 'list', 'watch', 'get'", - "Severity": "MEDIUM", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv048", - "References": [ - "https://kubernetes.io/docs/concepts/security/rbac-good-practices/", - "https://avd.aquasec.com/misconfig/ksv048" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 230, - "EndLine": 241, - "Code": { - "Lines": [ - { - "Number": 230, - "Content": " - apiGroups:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mapiGroups\u001b[0m:", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 231, - "Content": " - batch", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - batch", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 232, - "Content": " resources:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mresources\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 233, - "Content": " - jobs", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - jobs", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 234, - "Content": " verbs:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mverbs\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 235, - "Content": " - create", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - create", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 236, - "Content": " - get", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - get", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 237, - "Content": " - list", - "IsCause": true, - "Annotation": "", - 
"Truncated": false, - "Highlighted": " - list", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 238, - "Content": " - watch", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - watch", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 239, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV048", - "AVDID": "AVD-KSV-0048", - "Title": "Manage Kubernetes workloads and pods", - "Description": "Depending on the policies enforced by the admission controller, this permission ranges from the ability to steal compute (crypto) by running workloads or allowing for creating workloads that escape to the node as root and escalation to cluster-admin.", - "Message": "Role 'argo-rollouts-role' should not have access to resources [\"pods\", \"deployments\", \"jobs\", \"cronjobs\", \"statefulsets\", \"daemonsets\", \"replicasets\", \"replicationcontrollers\"] for verbs [\"create\", \"update\", \"patch\", \"delete\", \"deletecollection\", \"impersonate\", \"*\"]", - "Namespace": "builtin.kubernetes.KSV048", - "Query": "data.builtin.kubernetes.KSV048.deny", - "Resolution": "Kubernetes workloads resources are only allowed for verbs 'list', 'watch', 'get'", - "Severity": "MEDIUM", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv048", - "References": [ - "https://kubernetes.io/docs/concepts/security/rbac-good-practices/", - "https://avd.aquasec.com/misconfig/ksv048" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 20, - "EndLine": 31, - "Code": { - "Lines": [ - { - "Number": 20, - "Content": " - apiGroups:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mapiGroups\u001b[0m:", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 21, - 
"Content": " - apps", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - apps", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 22, - "Content": " resources:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mresources\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 23, - "Content": " - replicasets", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - replicasets", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 24, - "Content": " verbs:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mverbs\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 25, - "Content": " - create", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - create", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 26, - "Content": " - get", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - get", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 27, - "Content": " - list", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - list", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 28, - "Content": " - watch", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - watch", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 29, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV048", - "AVDID": "AVD-KSV-0048", - "Title": "Manage Kubernetes workloads and pods", - "Description": "Depending on the policies enforced by the admission controller, this permission ranges from the ability to steal compute (crypto) by running workloads or allowing for 
creating workloads that escape to the node as root and escalation to cluster-admin.", - "Message": "Role 'argo-rollouts-role' should not have access to resources [\"pods\", \"deployments\", \"jobs\", \"cronjobs\", \"statefulsets\", \"daemonsets\", \"replicasets\", \"replicationcontrollers\"] for verbs [\"create\", \"update\", \"patch\", \"delete\", \"deletecollection\", \"impersonate\", \"*\"]", - "Namespace": "builtin.kubernetes.KSV048", - "Query": "data.builtin.kubernetes.KSV048.deny", - "Resolution": "Kubernetes workloads resources are only allowed for verbs 'list', 'watch', 'get'", - "Severity": "MEDIUM", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv048", - "References": [ - "https://kubernetes.io/docs/concepts/security/rbac-good-practices/", - "https://avd.aquasec.com/misconfig/ksv048" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 72, - "EndLine": 83, - "Code": { - "Lines": [ - { - "Number": 72, - "Content": " - apiGroups:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mapiGroups\u001b[0m:", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 73, - "Content": " - batch", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - batch", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 74, - "Content": " resources:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mresources\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 75, - "Content": " - jobs", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - jobs", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 76, - "Content": " verbs:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mverbs\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - 
"Number": 77, - "Content": " - create", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - create", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 78, - "Content": " - get", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - get", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 79, - "Content": " - list", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - list", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 80, - "Content": " - watch", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - watch", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 81, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV056", - "AVDID": "AVD-KSV-0056", - "Title": "Manage Kubernetes networking", - "Description": "The ability to control which pods get service traffic directed to them allows for interception attacks. 
Controlling network policy allows for bypassing lateral movement restrictions.", - "Message": "ClusterRole 'argo-rollouts-clusterrole' should not have access to resources [\"services\", \"endpoints\", \"endpointslices\", \"networkpolicies\", \"ingresses\"] for verbs [\"create\", \"update\", \"patch\", \"delete\", \"deletecollection\", \"impersonate\", \"*\"]", - "Namespace": "builtin.kubernetes.KSV056", - "Query": "data.builtin.kubernetes.KSV056.deny", - "Resolution": "Networking resources are only allowed for verbs 'list', 'watch', 'get'", - "Severity": "HIGH", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv056", - "References": [ - "https://kubernetes.io/docs/concepts/security/rbac-good-practices/", - "https://avd.aquasec.com/misconfig/ksv056" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 190, - "EndLine": 198, - "Code": { - "Lines": [ - { - "Number": 190, - "Content": " - apiGroups:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mapiGroups\u001b[0m:", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 191, - "Content": " - \"\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;37m\"\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 192, - "Content": " resources:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mresources\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 193, - "Content": " - services", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - services", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 194, - "Content": " verbs:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mverbs\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 195, - 
"Content": " - get", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - get", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 196, - "Content": " - list", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - list", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 197, - "Content": " - watch", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - watch", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 198, - "Content": " - patch", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - patch", - "FirstCause": false, - "LastCause": true - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV056", - "AVDID": "AVD-KSV-0056", - "Title": "Manage Kubernetes networking", - "Description": "The ability to control which pods get service traffic directed to them allows for interception attacks. Controlling network policy allows for bypassing lateral movement restrictions.", - "Message": "Role 'argo-rollouts-role' should not have access to resources [\"services\", \"endpoints\", \"endpointslices\", \"networkpolicies\", \"ingresses\"] for verbs [\"create\", \"update\", \"patch\", \"delete\", \"deletecollection\", \"impersonate\", \"*\"]", - "Namespace": "builtin.kubernetes.KSV056", - "Query": "data.builtin.kubernetes.KSV056.deny", - "Resolution": "Networking resources are only allowed for verbs 'list', 'watch', 'get'", - "Severity": "HIGH", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv056", - "References": [ - "https://kubernetes.io/docs/concepts/security/rbac-good-practices/", - "https://avd.aquasec.com/misconfig/ksv056" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 32, - "EndLine": 40, - "Code": { - "Lines": [ - { - "Number": 32, - "Content": " - apiGroups:", - "IsCause": true, - "Annotation": "", - 
"Truncated": false, - "Highlighted": " - \u001b[38;5;33mapiGroups\u001b[0m:", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 33, - "Content": " - \"\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;37m\"\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 34, - "Content": " resources:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mresources\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 35, - "Content": " - services", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - services", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 36, - "Content": " verbs:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mverbs\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 37, - "Content": " - get", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - get", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 38, - "Content": " - list", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - list", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 39, - "Content": " - watch", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - watch", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 40, - "Content": " - patch", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - patch", - "FirstCause": false, - "LastCause": true - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV104", - "AVDID": "AVD-KSV-0104", - "Title": "Seccomp policies disabled", - "Description": "A program inside the container can bypass Seccomp protection policies.", - "Message": "container \"argo-rollouts\" of deployment \"argo-rollouts\" in \"default\" 
namespace should specify a seccomp profile", - "Namespace": "builtin.kubernetes.KSV104", - "Query": "data.builtin.kubernetes.KSV104.deny", - "Resolution": "Specify seccomp either by annotation or by seccomp profile type having allowed values as per pod security standards", - "Severity": "MEDIUM", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv104", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline", - "https://avd.aquasec.com/misconfig/ksv104" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 300, - "EndLine": 300, - "Code": { - "Lines": [ - { - "Number": 300, - "Content": "---", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "---", - "FirstCause": true, - "LastCause": true - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV106", - "AVDID": "AVD-KSV-0106", - "Title": "Container capabilities must only include NET_BIND_SERVICE", - "Description": "Containers must drop ALL capabilities, and are only permitted to add back the NET_BIND_SERVICE capability.", - "Message": "container should drop all", - "Namespace": "builtin.kubernetes.KSV106", - "Query": "data.builtin.kubernetes.KSV106.deny", - "Resolution": "Set 'spec.containers[*].securityContext.capabilities.drop' to 'ALL' and only add 'NET_BIND_SERVICE' to 'spec.containers[*].securityContext.capabilities.add'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv106", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", - "https://avd.aquasec.com/misconfig/ksv106" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 321, - "EndLine": 328, - "Code": { - "Lines": [ - { - "Number": 321, - "Content": " - command:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - 
"Highlighted": " - \u001b[38;5;33mcommand\u001b[0m:", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 322, - "Content": " - /bin/rollouts-controller", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - /bin/rollouts-controller", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 323, - "Content": " image: quay.io/devtron/rollout:v0.6.2", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/rollout:v0.6.2", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 324, - "Content": " imagePullPolicy: IfNotPresent", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: IfNotPresent", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 325, - "Content": " name: argo-rollouts", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mname\u001b[0m: argo-rollouts", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 326, - "Content": " volumeMounts:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvolumeMounts\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 327, - "Content": " - mountPath: /tmp", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mmountPath\u001b[0m: /tmp", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 328, - "Content": " name: tmp", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mname\u001b[0m: tmp", - "FirstCause": false, - "LastCause": true - } - ] - } - } - } - ] - }, - { - "Target": "manifests/yamls/serviceaccount.yaml", - "Class": "config", - "Type": "kubernetes", - "MisconfSummary": { - "Successes": 153, - "Failures": 11, - "Exceptions": 0 - }, - "Misconfigurations": [ - { - "Type": "Kubernetes 
Security Check", - "ID": "KSV041", - "AVDID": "AVD-KSV-0041", - "Title": "Manage secrets", - "Description": "Viewing secrets at the cluster-scope is akin to cluster-admin in most clusters as there are typically at least one service accounts (their token stored in a secret) bound to cluster-admin directly or a role/clusterrole that gives similar permissions.", - "Message": "ClusterRole 'argo-cluster-role' shouldn't have access to manage resource 'secrets'", - "Namespace": "builtin.kubernetes.KSV041", - "Query": "data.builtin.kubernetes.KSV041.deny", - "Resolution": "Manage secrets are not allowed. Remove resource 'secrets' from cluster role", - "Severity": "CRITICAL", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv041", - "References": [ - "https://kubernetes.io/docs/concepts/security/rbac-good-practices/", - "https://avd.aquasec.com/misconfig/ksv041" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 169, - "EndLine": 176, - "Code": { - "Lines": [ - { - "Number": 169, - "Content": "- apiGroups:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "- \u001b[38;5;33mapiGroups\u001b[0m:", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 170, - "Content": " - \"\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;37m\"\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 171, - "Content": " resources:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mresources\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 172, - "Content": " - secrets", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - secrets", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 173, - "Content": " verbs:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " 
\u001b[38;5;33mverbs\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 174, - "Content": " - get", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - get", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 175, - "Content": " - watch", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - watch", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 176, - "Content": " - list", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - list", - "FirstCause": false, - "LastCause": true - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV041", - "AVDID": "AVD-KSV-0041", - "Title": "Manage secrets", - "Description": "Viewing secrets at the cluster-scope is akin to cluster-admin in most clusters as there are typically at least one service accounts (their token stored in a secret) bound to cluster-admin directly or a role/clusterrole that gives similar permissions.", - "Message": "ClusterRole 'argo-ui-cluster-role' shouldn't have access to manage resource 'secrets'", - "Namespace": "builtin.kubernetes.KSV041", - "Query": "data.builtin.kubernetes.KSV041.deny", - "Resolution": "Manage secrets are not allowed. 
Remove resource 'secrets' from cluster role", - "Severity": "CRITICAL", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv041", - "References": [ - "https://kubernetes.io/docs/concepts/security/rbac-good-practices/", - "https://avd.aquasec.com/misconfig/ksv041" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 274, - "EndLine": 279, - "Code": { - "Lines": [ - { - "Number": 274, - "Content": "- apiGroups:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "- \u001b[38;5;33mapiGroups\u001b[0m:", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 275, - "Content": " - \"\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;37m\"\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 276, - "Content": " resources:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mresources\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 277, - "Content": " - secrets", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - secrets", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 278, - "Content": " verbs:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mverbs\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 279, - "Content": " - get", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - get", - "FirstCause": false, - "LastCause": true - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV041", - "AVDID": "AVD-KSV-0041", - "Title": "Manage secrets", - "Description": "Viewing secrets at the cluster-scope is akin to cluster-admin in most clusters as there are typically at least one service accounts (their token stored in a secret) bound to cluster-admin 
directly or a role/clusterrole that gives similar permissions.", - "Message": "ClusterRole 'workflow-cluster-role' shouldn't have access to manage resource 'secrets'", - "Namespace": "builtin.kubernetes.KSV041", - "Query": "data.builtin.kubernetes.KSV041.deny", - "Resolution": "Manage secrets are not allowed. Remove resource 'secrets' from cluster role", - "Severity": "CRITICAL", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv041", - "References": [ - "https://kubernetes.io/docs/concepts/security/rbac-good-practices/", - "https://avd.aquasec.com/misconfig/ksv041" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 71, - "EndLine": 76, - "Code": { - "Lines": [ - { - "Number": 71, - "Content": "- apiGroups:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "- \u001b[38;5;33mapiGroups\u001b[0m:", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 72, - "Content": " - \"\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;37m\"\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 73, - "Content": " resources:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mresources\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 74, - "Content": " - secrets", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - secrets", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 75, - "Content": " verbs:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mverbs\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 76, - "Content": " - create", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - create", - "FirstCause": false, - "LastCause": true - } - ] - } - } - }, - { - "Type": 
"Kubernetes Security Check", - "ID": "KSV044", - "AVDID": "AVD-KSV-0044", - "Title": "No wildcard verb and resource roles", - "Description": "Check whether role permits wildcard verb on wildcard resource", - "Message": "Role permits wildcard verb on wildcard resource", - "Namespace": "builtin.kubernetes.KSV044", - "Query": "data.builtin.kubernetes.KSV044.deny", - "Resolution": "Create a role which does not permit wildcard verb on wildcard resource", - "Severity": "CRITICAL", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv044", - "References": [ - "https://kubernetes.io/docs/concepts/security/rbac-good-practices/", - "https://avd.aquasec.com/misconfig/ksv044" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 296, - "EndLine": 301, - "Code": { - "Lines": [ - { - "Number": 296, - "Content": "- apiGroups:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "- \u001b[38;5;33mapiGroups\u001b[0m:", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 297, - "Content": " - '*'", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;37m'*'", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 298, - "Content": " resources:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mresources\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 299, - "Content": " - '*'", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;37m'*'", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 300, - "Content": " verbs:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mverbs\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 301, - "Content": " - '*'", - "IsCause": true, - "Annotation": "", - "Truncated": 
false, - "Highlighted": " - \u001b[38;5;37m'*'", - "FirstCause": false, - "LastCause": true - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV046", - "AVDID": "AVD-KSV-0046", - "Title": "Manage all resources", - "Description": "Full control of the cluster resources, and therefore also root on all nodes where workloads can run and has access to all pods, secrets, and data.", - "Message": "ClusterRole 'devtron' shouldn't manage all resources", - "Namespace": "builtin.kubernetes.KSV046", - "Query": "data.builtin.kubernetes.KSV046.deny", - "Resolution": "Remove '*' from 'rules.resources'. Provide specific list of resources to be managed by cluster role", - "Severity": "CRITICAL", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv046", - "References": [ - "https://kubernetes.io/docs/concepts/security/rbac-good-practices/", - "https://avd.aquasec.com/misconfig/ksv046" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 296, - "EndLine": 301, - "Code": { - "Lines": [ - { - "Number": 296, - "Content": "- apiGroups:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "- \u001b[38;5;33mapiGroups\u001b[0m:", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 297, - "Content": " - '*'", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;37m'*'", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 298, - "Content": " resources:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mresources\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 299, - "Content": " - '*'", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;37m'*'", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 300, - "Content": " verbs:", - "IsCause": true, - "Annotation": "", - 
"Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mverbs\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 301, - "Content": " - '*'", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;37m'*'", - "FirstCause": false, - "LastCause": true - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV048", - "AVDID": "AVD-KSV-0048", - "Title": "Manage Kubernetes workloads and pods", - "Description": "Depending on the policies enforced by the admission controller, this permission ranges from the ability to steal compute (crypto) by running workloads or allowing for creating workloads that escape to the node as root and escalation to cluster-admin.", - "Message": "ClusterRole 'argo-cluster-role' should not have access to resources [\"pods\", \"deployments\", \"jobs\", \"cronjobs\", \"statefulsets\", \"daemonsets\", \"replicasets\", \"replicationcontrollers\"] for verbs [\"create\", \"update\", \"patch\", \"delete\", \"deletecollection\", \"impersonate\", \"*\"]", - "Namespace": "builtin.kubernetes.KSV048", - "Query": "data.builtin.kubernetes.KSV048.deny", - "Resolution": "Kubernetes workloads resources are only allowed for verbs 'list', 'watch', 'get'", - "Severity": "MEDIUM", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv048", - "References": [ - "https://kubernetes.io/docs/concepts/security/rbac-good-practices/", - "https://avd.aquasec.com/misconfig/ksv048" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 148, - "EndLine": 160, - "Code": { - "Lines": [ - { - "Number": 148, - "Content": "- apiGroups:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "- \u001b[38;5;33mapiGroups\u001b[0m:", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 149, - "Content": " - \"\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " 
- \u001b[38;5;37m\"\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 150, - "Content": " resources:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mresources\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 151, - "Content": " - pods", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - pods", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 152, - "Content": " - pods/exec", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - pods/exec", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 153, - "Content": " verbs:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mverbs\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 154, - "Content": " - create", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - create", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 155, - "Content": " - get", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - get", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 156, - "Content": " - list", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - list", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 157, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV048", - "AVDID": "AVD-KSV-0048", - "Title": "Manage Kubernetes workloads and pods", - "Description": "Depending on the policies enforced by the admission controller, this permission ranges from the ability to steal compute (crypto) by running workloads or allowing for creating workloads that escape to the node as root and escalation to 
cluster-admin.", - "Message": "ClusterRole 'workflow-cluster-role' should not have access to resources [\"pods\", \"deployments\", \"jobs\", \"cronjobs\", \"statefulsets\", \"daemonsets\", \"replicasets\", \"replicationcontrollers\"] for verbs [\"create\", \"update\", \"patch\", \"delete\", \"deletecollection\", \"impersonate\", \"*\"]", - "Namespace": "builtin.kubernetes.KSV048", - "Query": "data.builtin.kubernetes.KSV048.deny", - "Resolution": "Kubernetes workloads resources are only allowed for verbs 'list', 'watch', 'get'", - "Severity": "MEDIUM", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv048", - "References": [ - "https://kubernetes.io/docs/concepts/security/rbac-good-practices/", - "https://avd.aquasec.com/misconfig/ksv048" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 35, - "EndLine": 49, - "Code": { - "Lines": [ - { - "Number": 35, - "Content": "- apiGroups:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "- \u001b[38;5;33mapiGroups\u001b[0m:", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 36, - "Content": " - '*'", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;37m'*'", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 37, - "Content": " resources:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mresources\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 38, - "Content": " - deployments", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - deployments", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 39, - "Content": " - pods", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - pods", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 40, - "Content": " - pods/exec", - "IsCause": 
true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - pods/exec", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 41, - "Content": " verbs:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mverbs\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 42, - "Content": " - watch", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - watch", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 43, - "Content": " - patch", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - patch", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 44, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV048", - "AVDID": "AVD-KSV-0048", - "Title": "Manage Kubernetes workloads and pods", - "Description": "Depending on the policies enforced by the admission controller, this permission ranges from the ability to steal compute (crypto) by running workloads or allowing for creating workloads that escape to the node as root and escalation to cluster-admin.", - "Message": "ClusterRole 'workflow-cluster-role' should not have access to resources [\"pods\", \"deployments\", \"jobs\", \"cronjobs\", \"statefulsets\", \"daemonsets\", \"replicasets\", \"replicationcontrollers\"] for verbs [\"create\", \"update\", \"patch\", \"delete\", \"deletecollection\", \"impersonate\", \"*\"]", - "Namespace": "builtin.kubernetes.KSV048", - "Query": "data.builtin.kubernetes.KSV048.deny", - "Resolution": "Kubernetes workloads resources are only allowed for verbs 'list', 'watch', 'get'", - "Severity": "MEDIUM", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv048", - "References": [ - "https://kubernetes.io/docs/concepts/security/rbac-good-practices/", - 
"https://avd.aquasec.com/misconfig/ksv048" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 50, - "EndLine": 57, - "Code": { - "Lines": [ - { - "Number": 50, - "Content": "- apiGroups:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "- \u001b[38;5;33mapiGroups\u001b[0m:", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 51, - "Content": " - \"\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;37m\"\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 52, - "Content": " resources:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mresources\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 53, - "Content": " - pods", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - pods", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 54, - "Content": " verbs:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mverbs\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 55, - "Content": " - get", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - get", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 56, - "Content": " - watch", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - watch", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 57, - "Content": " - patch", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - patch", - "FirstCause": false, - "LastCause": true - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV049", - "AVDID": "AVD-KSV-0049", - "Title": "Manage configmaps", - "Description": "Some workloads leverage configmaps to store sensitive data 
or configuration parameters that affect runtime behavior that can be modified by an attacker or combined with another issue to potentially lead to compromise.", - "Message": "ClusterRole 'workflow-cluster-role' should not have access to resource 'configmaps' for verbs [\"create\", \"update\", \"patch\", \"delete\", \"deletecollection\", \"impersonate\", \"*\"]", - "Namespace": "builtin.kubernetes.KSV049", - "Query": "data.builtin.kubernetes.KSV049.deny", - "Resolution": "Remove write permission verbs for resource 'configmaps'", - "Severity": "MEDIUM", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv049", - "References": [ - "https://kubernetes.io/docs/concepts/security/rbac-good-practices/", - "https://avd.aquasec.com/misconfig/ksv049" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 65, - "EndLine": 70, - "Code": { - "Lines": [ - { - "Number": 65, - "Content": "- apiGroups:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "- \u001b[38;5;33mapiGroups\u001b[0m:", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 66, - "Content": " - \"\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;37m\"\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 67, - "Content": " resources:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mresources\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 68, - "Content": " - configmaps", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - configmaps", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 69, - "Content": " verbs:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mverbs\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 70, - "Content": " - 
create", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - create", - "FirstCause": false, - "LastCause": true - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV053", - "AVDID": "AVD-KSV-0053", - "Title": "Exec into Pods", - "Description": "The ability to exec into a container with privileged access to the host or with an attached SA with higher RBAC permissions is a common escalation path to cluster-admin.", - "Message": "ClusterRole 'argo-cluster-role' should not have access to resource '[\"pods/exec\"]' for verbs [\"create\", \"update\", \"patch\", \"delete\", \"deletecollection\", \"impersonate\", \"*\"]", - "Namespace": "builtin.kubernetes.KSV053", - "Query": "data.builtin.kubernetes.KSV053.deny", - "Resolution": "Remove write permission verbs for resource 'pods/exec'", - "Severity": "HIGH", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv053", - "References": [ - "https://kubernetes.io/docs/concepts/security/rbac-good-practices/", - "https://avd.aquasec.com/misconfig/ksv053" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 148, - "EndLine": 160, - "Code": { - "Lines": [ - { - "Number": 148, - "Content": "- apiGroups:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "- \u001b[38;5;33mapiGroups\u001b[0m:", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 149, - "Content": " - \"\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;37m\"\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 150, - "Content": " resources:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mresources\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 151, - "Content": " - pods", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " 
- pods", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 152, - "Content": " - pods/exec", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - pods/exec", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 153, - "Content": " verbs:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mverbs\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 154, - "Content": " - create", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - create", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 155, - "Content": " - get", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - get", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 156, - "Content": " - list", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - list", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 157, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV053", - "AVDID": "AVD-KSV-0053", - "Title": "Exec into Pods", - "Description": "The ability to exec into a container with privileged access to the host or with an attached SA with higher RBAC permissions is a common escalation path to cluster-admin.", - "Message": "ClusterRole 'workflow-cluster-role' should not have access to resource '[\"pods/exec\"]' for verbs [\"create\", \"update\", \"patch\", \"delete\", \"deletecollection\", \"impersonate\", \"*\"]", - "Namespace": "builtin.kubernetes.KSV053", - "Query": "data.builtin.kubernetes.KSV053.deny", - "Resolution": "Remove write permission verbs for resource 'pods/exec'", - "Severity": "HIGH", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv053", - "References": [ - 
"https://kubernetes.io/docs/concepts/security/rbac-good-practices/", - "https://avd.aquasec.com/misconfig/ksv053" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 35, - "EndLine": 49, - "Code": { - "Lines": [ - { - "Number": 35, - "Content": "- apiGroups:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "- \u001b[38;5;33mapiGroups\u001b[0m:", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 36, - "Content": " - '*'", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;37m'*'", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 37, - "Content": " resources:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mresources\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 38, - "Content": " - deployments", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - deployments", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 39, - "Content": " - pods", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - pods", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 40, - "Content": " - pods/exec", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - pods/exec", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 41, - "Content": " verbs:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mverbs\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 42, - "Content": " - watch", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - watch", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 43, - "Content": " - patch", - "IsCause": true, - "Annotation": "", - "Truncated": false, - 
"Highlighted": " - patch", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 44, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - } - ] - }, - { - "Target": "manifests/yamls/workflow.yaml", - "Class": "config", - "Type": "kubernetes", - "MisconfSummary": { - "Successes": 153, - "Failures": 16, - "Exceptions": 0 - }, - "Misconfigurations": [ - { - "Type": "Kubernetes Security Check", - "ID": "KSV001", - "AVDID": "AVD-KSV-0001", - "Title": "Can elevate its own privileges", - "Description": "A program inside the container can elevate its own privileges and run as root, which might give the program control over the container and node.", - "Message": "Container 'workflow-controller' of Deployment 'workflow-controller' should set 'securityContext.allowPrivilegeEscalation' to false", - "Namespace": "builtin.kubernetes.KSV001", - "Query": "data.builtin.kubernetes.KSV001.deny", - "Resolution": "Set 'set containers[].securityContext.allowPrivilegeEscalation' to 'false'.", - "Severity": "MEDIUM", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv001", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", - "https://avd.aquasec.com/misconfig/ksv001" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 322, - "EndLine": 336, - "Code": { - "Lines": [ - { - "Number": 322, - "Content": " - args:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33margs\u001b[0m:", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 323, - "Content": " - --configmap", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - --configmap", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 324, - "Content": " - workflow-controller-configmap", - "IsCause": true, - "Annotation": 
"", - "Truncated": false, - "Highlighted": " - workflow-controller-configmap", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 325, - "Content": " - --executor-image", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - --executor-image", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 326, - "Content": " - quay.io/argoproj/argoexec:v3.0.7", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - quay.io/argoproj/argoexec:v3.0.7", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 327, - "Content": " command:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mcommand\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 328, - "Content": " - workflow-controller", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - workflow-controller", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 329, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 330, - "Content": " - name: LEADER_ELECTION_IDENTITY", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: LEADER_ELECTION_IDENTITY", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 331, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV003", - "AVDID": "AVD-KSV-0003", - "Title": "Default capabilities: some containers do not drop all", - "Description": "The container should drop all default capabilities and add only those that are needed for its execution.", - "Message": "Container 'workflow-controller' of Deployment 'workflow-controller' should add 
'ALL' to 'securityContext.capabilities.drop'", - "Namespace": "builtin.kubernetes.KSV003", - "Query": "data.builtin.kubernetes.KSV003.deny", - "Resolution": "Add 'ALL' to containers[].securityContext.capabilities.drop.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv003", - "References": [ - "https://kubesec.io/basics/containers-securitycontext-capabilities-drop-index-all/", - "https://avd.aquasec.com/misconfig/ksv003" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 322, - "EndLine": 336, - "Code": { - "Lines": [ - { - "Number": 322, - "Content": " - args:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33margs\u001b[0m:", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 323, - "Content": " - --configmap", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - --configmap", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 324, - "Content": " - workflow-controller-configmap", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - workflow-controller-configmap", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 325, - "Content": " - --executor-image", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - --executor-image", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 326, - "Content": " - quay.io/argoproj/argoexec:v3.0.7", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - quay.io/argoproj/argoexec:v3.0.7", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 327, - "Content": " command:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mcommand\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 328, - "Content": " - workflow-controller", - "IsCause": 
true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - workflow-controller", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 329, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 330, - "Content": " - name: LEADER_ELECTION_IDENTITY", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: LEADER_ELECTION_IDENTITY", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 331, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV011", - "AVDID": "AVD-KSV-0011", - "Title": "CPU not limited", - "Description": "Enforcing CPU limits prevents DoS via resource exhaustion.", - "Message": "Container 'workflow-controller' of Deployment 'workflow-controller' should set 'resources.limits.cpu'", - "Namespace": "builtin.kubernetes.KSV011", - "Query": "data.builtin.kubernetes.KSV011.deny", - "Resolution": "Set a limit value under 'containers[].resources.limits.cpu'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv011", - "References": [ - "https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", - "https://avd.aquasec.com/misconfig/ksv011" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 322, - "EndLine": 336, - "Code": { - "Lines": [ - { - "Number": 322, - "Content": " - args:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33margs\u001b[0m:", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 323, - "Content": " - --configmap", - "IsCause": true, - "Annotation": "", - 
"Truncated": false, - "Highlighted": " - --configmap", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 324, - "Content": " - workflow-controller-configmap", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - workflow-controller-configmap", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 325, - "Content": " - --executor-image", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - --executor-image", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 326, - "Content": " - quay.io/argoproj/argoexec:v3.0.7", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - quay.io/argoproj/argoexec:v3.0.7", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 327, - "Content": " command:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mcommand\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 328, - "Content": " - workflow-controller", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - workflow-controller", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 329, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 330, - "Content": " - name: LEADER_ELECTION_IDENTITY", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: LEADER_ELECTION_IDENTITY", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 331, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV012", - "AVDID": "AVD-KSV-0012", - "Title": "Runs as root user", - "Description": "Force the running image to 
run as a non-root user to ensure least privileges.", - "Message": "Container 'workflow-controller' of Deployment 'workflow-controller' should set 'securityContext.runAsNonRoot' to true", - "Namespace": "builtin.kubernetes.KSV012", - "Query": "data.builtin.kubernetes.KSV012.deny", - "Resolution": "Set 'containers[].securityContext.runAsNonRoot' to true.", - "Severity": "MEDIUM", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv012", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", - "https://avd.aquasec.com/misconfig/ksv012" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 322, - "EndLine": 336, - "Code": { - "Lines": [ - { - "Number": 322, - "Content": " - args:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33margs\u001b[0m:", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 323, - "Content": " - --configmap", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - --configmap", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 324, - "Content": " - workflow-controller-configmap", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - workflow-controller-configmap", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 325, - "Content": " - --executor-image", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - --executor-image", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 326, - "Content": " - quay.io/argoproj/argoexec:v3.0.7", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - quay.io/argoproj/argoexec:v3.0.7", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 327, - "Content": " command:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " 
\u001b[38;5;33mcommand\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 328, - "Content": " - workflow-controller", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - workflow-controller", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 329, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 330, - "Content": " - name: LEADER_ELECTION_IDENTITY", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: LEADER_ELECTION_IDENTITY", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 331, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV014", - "AVDID": "AVD-KSV-0014", - "Title": "Root file system is not read-only", - "Description": "An immutable root file system prevents applications from writing to their local disk. 
This can limit intrusions, as attackers will not be able to tamper with the file system or write foreign executables to disk.", - "Message": "Container 'workflow-controller' of Deployment 'workflow-controller' should set 'securityContext.readOnlyRootFilesystem' to true", - "Namespace": "builtin.kubernetes.KSV014", - "Query": "data.builtin.kubernetes.KSV014.deny", - "Resolution": "Change 'containers[].securityContext.readOnlyRootFilesystem' to 'true'.", - "Severity": "HIGH", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv014", - "References": [ - "https://kubesec.io/basics/containers-securitycontext-readonlyrootfilesystem-true/", - "https://avd.aquasec.com/misconfig/ksv014" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 322, - "EndLine": 336, - "Code": { - "Lines": [ - { - "Number": 322, - "Content": " - args:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33margs\u001b[0m:", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 323, - "Content": " - --configmap", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - --configmap", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 324, - "Content": " - workflow-controller-configmap", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - workflow-controller-configmap", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 325, - "Content": " - --executor-image", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - --executor-image", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 326, - "Content": " - quay.io/argoproj/argoexec:v3.0.7", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - quay.io/argoproj/argoexec:v3.0.7", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 327, - "Content": " command:", - 
"IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mcommand\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 328, - "Content": " - workflow-controller", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - workflow-controller", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 329, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 330, - "Content": " - name: LEADER_ELECTION_IDENTITY", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: LEADER_ELECTION_IDENTITY", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 331, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV015", - "AVDID": "AVD-KSV-0015", - "Title": "CPU requests not specified", - "Description": "When containers have resource requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", - "Message": "Container 'workflow-controller' of Deployment 'workflow-controller' should set 'resources.requests.cpu'", - "Namespace": "builtin.kubernetes.KSV015", - "Query": "data.builtin.kubernetes.KSV015.deny", - "Resolution": "Set 'containers[].resources.requests.cpu'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv015", - "References": [ - "https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", - "https://avd.aquasec.com/misconfig/ksv015" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 322, - 
"EndLine": 336, - "Code": { - "Lines": [ - { - "Number": 322, - "Content": " - args:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33margs\u001b[0m:", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 323, - "Content": " - --configmap", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - --configmap", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 324, - "Content": " - workflow-controller-configmap", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - workflow-controller-configmap", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 325, - "Content": " - --executor-image", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - --executor-image", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 326, - "Content": " - quay.io/argoproj/argoexec:v3.0.7", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - quay.io/argoproj/argoexec:v3.0.7", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 327, - "Content": " command:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mcommand\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 328, - "Content": " - workflow-controller", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - workflow-controller", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 329, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 330, - "Content": " - name: LEADER_ELECTION_IDENTITY", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: LEADER_ELECTION_IDENTITY", - "FirstCause": false, - "LastCause": 
true - }, - { - "Number": 331, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV016", - "AVDID": "AVD-KSV-0016", - "Title": "Memory requests not specified", - "Description": "When containers have memory requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", - "Message": "Container 'workflow-controller' of Deployment 'workflow-controller' should set 'resources.requests.memory'", - "Namespace": "builtin.kubernetes.KSV016", - "Query": "data.builtin.kubernetes.KSV016.deny", - "Resolution": "Set 'containers[].resources.requests.memory'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv016", - "References": [ - "https://kubesec.io/basics/containers-resources-limits-memory/", - "https://avd.aquasec.com/misconfig/ksv016" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 322, - "EndLine": 336, - "Code": { - "Lines": [ - { - "Number": 322, - "Content": " - args:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33margs\u001b[0m:", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 323, - "Content": " - --configmap", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - --configmap", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 324, - "Content": " - workflow-controller-configmap", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - workflow-controller-configmap", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 325, - "Content": " - --executor-image", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - --executor-image", - "FirstCause": false, - "LastCause": 
false - }, - { - "Number": 326, - "Content": " - quay.io/argoproj/argoexec:v3.0.7", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - quay.io/argoproj/argoexec:v3.0.7", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 327, - "Content": " command:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mcommand\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 328, - "Content": " - workflow-controller", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - workflow-controller", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 329, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 330, - "Content": " - name: LEADER_ELECTION_IDENTITY", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: LEADER_ELECTION_IDENTITY", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 331, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV018", - "AVDID": "AVD-KSV-0018", - "Title": "Memory not limited", - "Description": "Enforcing memory limits prevents DoS via resource exhaustion.", - "Message": "Container 'workflow-controller' of Deployment 'workflow-controller' should set 'resources.limits.memory'", - "Namespace": "builtin.kubernetes.KSV018", - "Query": "data.builtin.kubernetes.KSV018.deny", - "Resolution": "Set a limit value under 'containers[].resources.limits.memory'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv018", - "References": [ - "https://kubesec.io/basics/containers-resources-limits-memory/", - 
"https://avd.aquasec.com/misconfig/ksv018" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 322, - "EndLine": 336, - "Code": { - "Lines": [ - { - "Number": 322, - "Content": " - args:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33margs\u001b[0m:", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 323, - "Content": " - --configmap", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - --configmap", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 324, - "Content": " - workflow-controller-configmap", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - workflow-controller-configmap", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 325, - "Content": " - --executor-image", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - --executor-image", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 326, - "Content": " - quay.io/argoproj/argoexec:v3.0.7", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - quay.io/argoproj/argoexec:v3.0.7", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 327, - "Content": " command:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mcommand\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 328, - "Content": " - workflow-controller", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - workflow-controller", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 329, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 330, - "Content": " - name: 
LEADER_ELECTION_IDENTITY", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: LEADER_ELECTION_IDENTITY", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 331, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV020", - "AVDID": "AVD-KSV-0020", - "Title": "Runs with UID \u003c= 10000", - "Description": "Force the container to run with user ID \u003e 10000 to avoid conflicts with the host’s user table.", - "Message": "Container 'workflow-controller' of Deployment 'workflow-controller' should set 'securityContext.runAsUser' \u003e 10000", - "Namespace": "builtin.kubernetes.KSV020", - "Query": "data.builtin.kubernetes.KSV020.deny", - "Resolution": "Set 'containers[].securityContext.runAsUser' to an integer \u003e 10000.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv020", - "References": [ - "https://kubesec.io/basics/containers-securitycontext-runasuser/", - "https://avd.aquasec.com/misconfig/ksv020" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 322, - "EndLine": 336, - "Code": { - "Lines": [ - { - "Number": 322, - "Content": " - args:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33margs\u001b[0m:", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 323, - "Content": " - --configmap", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - --configmap", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 324, - "Content": " - workflow-controller-configmap", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - workflow-controller-configmap", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 325, - 
"Content": " - --executor-image", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - --executor-image", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 326, - "Content": " - quay.io/argoproj/argoexec:v3.0.7", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - quay.io/argoproj/argoexec:v3.0.7", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 327, - "Content": " command:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mcommand\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 328, - "Content": " - workflow-controller", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - workflow-controller", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 329, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 330, - "Content": " - name: LEADER_ELECTION_IDENTITY", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: LEADER_ELECTION_IDENTITY", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 331, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV021", - "AVDID": "AVD-KSV-0021", - "Title": "Runs with GID \u003c= 10000", - "Description": "Force the container to run with group ID \u003e 10000 to avoid conflicts with the host’s user table.", - "Message": "Container 'workflow-controller' of Deployment 'workflow-controller' should set 'securityContext.runAsGroup' \u003e 10000", - "Namespace": "builtin.kubernetes.KSV021", - "Query": "data.builtin.kubernetes.KSV021.deny", - "Resolution": "Set 
'containers[].securityContext.runAsGroup' to an integer \u003e 10000.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv021", - "References": [ - "https://kubesec.io/basics/containers-securitycontext-runasuser/", - "https://avd.aquasec.com/misconfig/ksv021" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 322, - "EndLine": 336, - "Code": { - "Lines": [ - { - "Number": 322, - "Content": " - args:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33margs\u001b[0m:", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 323, - "Content": " - --configmap", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - --configmap", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 324, - "Content": " - workflow-controller-configmap", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - workflow-controller-configmap", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 325, - "Content": " - --executor-image", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - --executor-image", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 326, - "Content": " - quay.io/argoproj/argoexec:v3.0.7", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - quay.io/argoproj/argoexec:v3.0.7", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 327, - "Content": " command:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mcommand\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 328, - "Content": " - workflow-controller", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - workflow-controller", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 329, - 
"Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 330, - "Content": " - name: LEADER_ELECTION_IDENTITY", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: LEADER_ELECTION_IDENTITY", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 331, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV030", - "AVDID": "AVD-KSV-0030", - "Title": "Runtime/Default Seccomp profile not set", - "Description": "According to pod security standard 'Seccomp', the RuntimeDefault seccomp profile must be required, or allow specific additional profiles.", - "Message": "Either Pod or Container should set 'securityContext.seccompProfile.type' to 'RuntimeDefault'", - "Namespace": "builtin.kubernetes.KSV030", - "Query": "data.builtin.kubernetes.KSV030.deny", - "Resolution": "Set 'spec.securityContext.seccompProfile.type', 'spec.containers[*].securityContext.seccompProfile' and 'spec.initContainers[*].securityContext.seccompProfile' to 'RuntimeDefault' or undefined.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv030", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", - "https://avd.aquasec.com/misconfig/ksv030" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 322, - "EndLine": 336, - "Code": { - "Lines": [ - { - "Number": 322, - "Content": " - args:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33margs\u001b[0m:", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 323, - "Content": " - --configmap", - "IsCause": 
true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - --configmap", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 324, - "Content": " - workflow-controller-configmap", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - workflow-controller-configmap", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 325, - "Content": " - --executor-image", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - --executor-image", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 326, - "Content": " - quay.io/argoproj/argoexec:v3.0.7", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - quay.io/argoproj/argoexec:v3.0.7", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 327, - "Content": " command:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mcommand\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 328, - "Content": " - workflow-controller", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - workflow-controller", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 329, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 330, - "Content": " - name: LEADER_ELECTION_IDENTITY", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: LEADER_ELECTION_IDENTITY", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 331, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV048", - "AVDID": "AVD-KSV-0048", - "Title": "Manage Kubernetes workloads and pods", 
- "Description": "Depending on the policies enforced by the admission controller, this permission ranges from the ability to steal compute (crypto) by running workloads or allowing for creating workloads that escape to the node as root and escalation to cluster-admin.", - "Message": "ClusterRole 'argo-cluster-role' should not have access to resources [\"pods\", \"deployments\", \"jobs\", \"cronjobs\", \"statefulsets\", \"daemonsets\", \"replicasets\", \"replicationcontrollers\"] for verbs [\"create\", \"update\", \"patch\", \"delete\", \"deletecollection\", \"impersonate\", \"*\"]", - "Namespace": "builtin.kubernetes.KSV048", - "Query": "data.builtin.kubernetes.KSV048.deny", - "Resolution": "Kubernetes workloads resources are only allowed for verbs 'list', 'watch', 'get'", - "Severity": "MEDIUM", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv048", - "References": [ - "https://kubernetes.io/docs/concepts/security/rbac-good-practices/", - "https://avd.aquasec.com/misconfig/ksv048" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 184, - "EndLine": 196, - "Code": { - "Lines": [ - { - "Number": 184, - "Content": "- apiGroups:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "- \u001b[38;5;33mapiGroups\u001b[0m:", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 185, - "Content": " - \"\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;37m\"\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 186, - "Content": " resources:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mresources\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 187, - "Content": " - pods", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - pods", - "FirstCause": false, - "LastCause": false - }, 
- { - "Number": 188, - "Content": " - pods/exec", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - pods/exec", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 189, - "Content": " verbs:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mverbs\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 190, - "Content": " - create", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - create", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 191, - "Content": " - get", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - get", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 192, - "Content": " - list", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - list", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 193, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV053", - "AVDID": "AVD-KSV-0053", - "Title": "Exec into Pods", - "Description": "The ability to exec into a container with privileged access to the host or with an attached SA with higher RBAC permissions is a common escalation path to cluster-admin.", - "Message": "ClusterRole 'argo-cluster-role' should not have access to resource '[\"pods/exec\"]' for verbs [\"create\", \"update\", \"patch\", \"delete\", \"deletecollection\", \"impersonate\", \"*\"]", - "Namespace": "builtin.kubernetes.KSV053", - "Query": "data.builtin.kubernetes.KSV053.deny", - "Resolution": "Remove write permission verbs for resource 'pods/exec'", - "Severity": "HIGH", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv053", - "References": [ - "https://kubernetes.io/docs/concepts/security/rbac-good-practices/", - 
"https://avd.aquasec.com/misconfig/ksv053" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 184, - "EndLine": 196, - "Code": { - "Lines": [ - { - "Number": 184, - "Content": "- apiGroups:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "- \u001b[38;5;33mapiGroups\u001b[0m:", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 185, - "Content": " - \"\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;37m\"\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 186, - "Content": " resources:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mresources\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 187, - "Content": " - pods", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - pods", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 188, - "Content": " - pods/exec", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - pods/exec", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 189, - "Content": " verbs:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mverbs\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 190, - "Content": " - create", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - create", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 191, - "Content": " - get", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - get", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 192, - "Content": " - list", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - list", - "FirstCause": false, - "LastCause": true - }, - { - 
"Number": 193, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV104", - "AVDID": "AVD-KSV-0104", - "Title": "Seccomp policies disabled", - "Description": "A program inside the container can bypass Seccomp protection policies.", - "Message": "container \"workflow-controller\" of deployment \"workflow-controller\" in \"default\" namespace should specify a seccomp profile", - "Namespace": "builtin.kubernetes.KSV104", - "Query": "data.builtin.kubernetes.KSV104.deny", - "Resolution": "Specify seccomp either by annotation or by seccomp profile type having allowed values as per pod security standards", - "Severity": "MEDIUM", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv104", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline", - "https://avd.aquasec.com/misconfig/ksv104" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 307, - "EndLine": 307, - "Code": { - "Lines": [ - { - "Number": 307, - "Content": "---", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "---", - "FirstCause": true, - "LastCause": true - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV106", - "AVDID": "AVD-KSV-0106", - "Title": "Container capabilities must only include NET_BIND_SERVICE", - "Description": "Containers must drop ALL capabilities, and are only permitted to add back the NET_BIND_SERVICE capability.", - "Message": "container should drop all", - "Namespace": "builtin.kubernetes.KSV106", - "Query": "data.builtin.kubernetes.KSV106.deny", - "Resolution": "Set 'spec.containers[*].securityContext.capabilities.drop' to 'ALL' and only add 'NET_BIND_SERVICE' to 'spec.containers[*].securityContext.capabilities.add'.", - "Severity": "LOW", - "PrimaryURL": 
"https://avd.aquasec.com/misconfig/ksv106", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", - "https://avd.aquasec.com/misconfig/ksv106" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 322, - "EndLine": 336, - "Code": { - "Lines": [ - { - "Number": 322, - "Content": " - args:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33margs\u001b[0m:", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 323, - "Content": " - --configmap", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - --configmap", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 324, - "Content": " - workflow-controller-configmap", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - workflow-controller-configmap", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 325, - "Content": " - --executor-image", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - --executor-image", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 326, - "Content": " - quay.io/argoproj/argoexec:v3.0.7", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - quay.io/argoproj/argoexec:v3.0.7", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 327, - "Content": " command:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mcommand\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 328, - "Content": " - workflow-controller", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - workflow-controller", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 329, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " 
\u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 330, - "Content": " - name: LEADER_ELECTION_IDENTITY", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: LEADER_ELECTION_IDENTITY", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 331, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV113", - "AVDID": "AVD-KSV-0113", - "Title": "Manage namespace secrets", - "Description": "Viewing secrets at the namespace scope can lead to escalation if another service account in that namespace has a higher privileged rolebinding or clusterrolebinding bound.", - "Message": "Role 'argo-role' shouldn't have access to manage secrets in namespace 'default'", - "Namespace": "builtin.kubernetes.KSV113", - "Query": "data.builtin.kubernetes.KSV113.deny", - "Resolution": "Manage namespace secrets are not allowed. 
Remove resource 'secrets' from role", - "Severity": "MEDIUM", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv113", - "References": [ - "https://kubernetes.io/docs/concepts/security/rbac-good-practices/", - "https://avd.aquasec.com/misconfig/ksv113" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 105, - "EndLine": 110, - "Code": { - "Lines": [ - { - "Number": 105, - "Content": "- apiGroups:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "- \u001b[38;5;33mapiGroups\u001b[0m:", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 106, - "Content": " - \"\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;37m\"\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 107, - "Content": " resources:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mresources\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 108, - "Content": " - secrets", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - secrets", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 109, - "Content": " verbs:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mverbs\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 110, - "Content": " - get", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - get", - "FirstCause": false, - "LastCause": true - } - ] - } - } - } - ] - }, - { - "Target": "sample-docker-templates/django/Dockerfile", - "Class": "config", - "Type": "dockerfile", - "MisconfSummary": { - "Successes": 25, - "Failures": 2, - "Exceptions": 0 - }, - "Misconfigurations": [ - { - "Type": "Dockerfile Security Check", - "ID": "DS002", - "AVDID": "AVD-DS-0002", - "Title": "Image user should 
not be 'root'", - "Description": "Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.", - "Message": "Specify at least 1 USER command in Dockerfile with non-root user as argument", - "Namespace": "builtin.dockerfile.DS002", - "Query": "data.builtin.dockerfile.DS002.deny", - "Resolution": "Add 'USER \u003cnon root user name\u003e' line to the Dockerfile", - "Severity": "HIGH", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ds002", - "References": [ - "https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", - "https://avd.aquasec.com/misconfig/ds002" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Dockerfile", - "Service": "general", - "Code": { - "Lines": null - } - } - }, - { - "Type": "Dockerfile Security Check", - "ID": "DS026", - "AVDID": "AVD-DS-0026", - "Title": "No HEALTHCHECK defined", - "Description": "You should add HEALTHCHECK instruction in your docker container images to perform the health check on running containers.", - "Message": "Add HEALTHCHECK instruction in your Dockerfile", - "Namespace": "builtin.dockerfile.DS026", - "Query": "data.builtin.dockerfile.DS026.deny", - "Resolution": "Add HEALTHCHECK instruction in Dockerfile", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ds026", - "References": [ - "https://blog.aquasec.com/docker-security-best-practices", - "https://avd.aquasec.com/misconfig/ds026" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Dockerfile", - "Service": "general", - "Code": { - "Lines": null - } - } - } - ] - }, - { - "Target": "sample-docker-templates/flask/Dockerfile", - "Class": "config", - "Type": "dockerfile", - "MisconfSummary": { - "Successes": 22, - "Failures": 5, - "Exceptions": 0 - }, - "Misconfigurations": [ - { - "Type": "Dockerfile Security Check", - "ID": 
"DS002", - "AVDID": "AVD-DS-0002", - "Title": "Image user should not be 'root'", - "Description": "Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.", - "Message": "Specify at least 1 USER command in Dockerfile with non-root user as argument", - "Namespace": "builtin.dockerfile.DS002", - "Query": "data.builtin.dockerfile.DS002.deny", - "Resolution": "Add 'USER \u003cnon root user name\u003e' line to the Dockerfile", - "Severity": "HIGH", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ds002", - "References": [ - "https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", - "https://avd.aquasec.com/misconfig/ds002" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Dockerfile", - "Service": "general", - "Code": { - "Lines": null - } - } - }, - { - "Type": "Dockerfile Security Check", - "ID": "DS005", - "AVDID": "AVD-DS-0005", - "Title": "ADD instead of COPY", - "Description": "You should use COPY instead of ADD unless you want to extract a tar file. Note that an ADD command will extract a tar file, which adds the risk of Zip-based vulnerabilities. Accordingly, it is advised to use a COPY command, which does not extract tar files.", - "Message": "Consider using 'COPY . /app/' command instead of 'ADD . /app/'", - "Namespace": "builtin.dockerfile.DS005", - "Query": "data.builtin.dockerfile.DS005.deny", - "Resolution": "Use COPY instead of ADD", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ds005", - "References": [ - "https://docs.docker.com/engine/reference/builder/#add", - "https://avd.aquasec.com/misconfig/ds005" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Dockerfile", - "Service": "general", - "StartLine": 27, - "EndLine": 27, - "Code": { - "Lines": [ - { - "Number": 27, - "Content": "ADD . 
/app/", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m\u001b[38;5;64mADD\u001b[0m . /app/", - "FirstCause": true, - "LastCause": true - } - ] - } - } - }, - { - "Type": "Dockerfile Security Check", - "ID": "DS017", - "AVDID": "AVD-DS-0017", - "Title": "'RUN \u003cpackage-manager\u003e update' instruction alone", - "Description": "The instruction 'RUN \u003cpackage-manager\u003e update' should always be followed by '\u003cpackage-manager\u003e install' in the same RUN statement.", - "Message": "The instruction 'RUN \u003cpackage-manager\u003e update' should always be followed by '\u003cpackage-manager\u003e install' in the same RUN statement.", - "Namespace": "builtin.dockerfile.DS017", - "Query": "data.builtin.dockerfile.DS017.deny", - "Resolution": "Combine '\u003cpackage-manager\u003e update' and '\u003cpackage-manager\u003e install' instructions to single one", - "Severity": "HIGH", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ds017", - "References": [ - "https://docs.docker.com/develop/develop-images/dockerfile_best-practices/#run", - "https://avd.aquasec.com/misconfig/ds017" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Dockerfile", - "Service": "general", - "StartLine": 5, - "EndLine": 6, - "Code": { - "Lines": [ - { - "Number": 5, - "Content": "RUN apt-get clean \\", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m\u001b[38;5;64mRUN\u001b[0m apt-get clean \u001b[38;5;124m\\", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 6, - "Content": " \u0026\u0026 apt-get -y update", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;245m\u0026\u0026\u001b[0m apt-get -y update", - "FirstCause": false, - "LastCause": true - } - ] - } - } - }, - { - "Type": "Dockerfile Security Check", - "ID": "DS026", - "AVDID": "AVD-DS-0026", - "Title": "No HEALTHCHECK defined", - "Description": "You 
should add HEALTHCHECK instruction in your docker container images to perform the health check on running containers.", - "Message": "Add HEALTHCHECK instruction in your Dockerfile", - "Namespace": "builtin.dockerfile.DS026", - "Query": "data.builtin.dockerfile.DS026.deny", - "Resolution": "Add HEALTHCHECK instruction in Dockerfile", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ds026", - "References": [ - "https://blog.aquasec.com/docker-security-best-practices", - "https://avd.aquasec.com/misconfig/ds026" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Dockerfile", - "Service": "general", - "Code": { - "Lines": null - } - } - }, - { - "Type": "Dockerfile Security Check", - "ID": "DS029", - "AVDID": "AVD-DS-0029", - "Title": "'apt-get' missing '--no-install-recommends'", - "Description": "'apt-get' install should use '--no-install-recommends' to minimize image size.", - "Message": "'--no-install-recommends' flag is missed: 'apt-get -y install nginx \u0026\u0026 apt-get -y install python3-dev \u0026\u0026 apt-get -y install build-essential'", - "Namespace": "builtin.dockerfile.DS029", - "Query": "data.builtin.dockerfile.DS029.deny", - "Resolution": "Add '--no-install-recommends' flag to 'apt-get'", - "Severity": "HIGH", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ds029", - "References": [ - "https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", - "https://avd.aquasec.com/misconfig/ds029" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Dockerfile", - "Service": "general", - "StartLine": 9, - "EndLine": 11, - "Code": { - "Lines": [ - { - "Number": 9, - "Content": "RUN apt-get -y install nginx \\", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m\u001b[38;5;64mRUN\u001b[0m apt-get -y install nginx \u001b[38;5;124m\\", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 10, - "Content": " \u0026\u0026 apt-get 
-y install python3-dev \\", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;245m\u0026\u0026\u001b[0m apt-get -y install python3-dev \u001b[38;5;124m\\", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 11, - "Content": " \u0026\u0026 apt-get -y install build-essential", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;245m\u0026\u0026\u001b[0m apt-get -y install build-essential", - "FirstCause": false, - "LastCause": true - } - ] - } - } - } - ] - }, - { - "Target": "sample-docker-templates/go/Dockerfile", - "Class": "config", - "Type": "dockerfile", - "MisconfSummary": { - "Successes": 23, - "Failures": 4, - "Exceptions": 0 - }, - "Misconfigurations": [ - { - "Type": "Dockerfile Security Check", - "ID": "DS002", - "AVDID": "AVD-DS-0002", - "Title": "Image user should not be 'root'", - "Description": "Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.", - "Message": "Specify at least 1 USER command in Dockerfile with non-root user as argument", - "Namespace": "builtin.dockerfile.DS002", - "Query": "data.builtin.dockerfile.DS002.deny", - "Resolution": "Add 'USER \u003cnon root user name\u003e' line to the Dockerfile", - "Severity": "HIGH", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ds002", - "References": [ - "https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", - "https://avd.aquasec.com/misconfig/ds002" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Dockerfile", - "Service": "general", - "Code": { - "Lines": null - } - } - }, - { - "Type": "Dockerfile Security Check", - "ID": "DS005", - "AVDID": "AVD-DS-0005", - "Title": "ADD instead of COPY", - "Description": "You should use COPY instead of ADD unless you want to extract a tar file. 
Note that an ADD command will extract a tar file, which adds the risk of Zip-based vulnerabilities. Accordingly, it is advised to use a COPY command, which does not extract tar files.", - "Message": "Consider using 'COPY . /app/' command instead of 'ADD . /app/'", - "Namespace": "builtin.dockerfile.DS005", - "Query": "data.builtin.dockerfile.DS005.deny", - "Resolution": "Use COPY instead of ADD", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ds005", - "References": [ - "https://docs.docker.com/engine/reference/builder/#add", - "https://avd.aquasec.com/misconfig/ds005" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Dockerfile", - "Service": "general", - "StartLine": 15, - "EndLine": 15, - "Code": { - "Lines": [ - { - "Number": 15, - "Content": "ADD . /app/", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m\u001b[38;5;64mADD\u001b[0m . /app/", - "FirstCause": true, - "LastCause": true - } - ] - } - } - }, - { - "Type": "Dockerfile Security Check", - "ID": "DS025", - "AVDID": "AVD-DS-0025", - "Title": "'apk add' is missing '--no-cache'", - "Description": "You should use 'apk add' with '--no-cache' to clean package cached data and reduce image size.", - "Message": "'--no-cache' is missed: apk update \u0026\u0026 apk add ca-certificates \u0026\u0026 rm -rf /var/cache/apk/*", - "Namespace": "builtin.dockerfile.DS025", - "Query": "data.builtin.dockerfile.DS025.deny", - "Resolution": "Add '--no-cache' to 'apk add' in Dockerfile", - "Severity": "HIGH", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ds025", - "References": [ - "https://github.com/gliderlabs/docker-alpine/blob/master/docs/usage.md#disabling-cache", - "https://avd.aquasec.com/misconfig/ds025" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Dockerfile", - "Service": "general", - "StartLine": 27, - "EndLine": 27, - "Code": { - "Lines": [ - { - "Number": 27, - "Content": "RUN apk update 
\u0026\u0026 apk add ca-certificates \u0026\u0026 rm -rf /var/cache/apk/*", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m\u001b[38;5;64mRUN\u001b[0m apk update \u001b[38;5;245m\u0026\u0026\u001b[0m apk add ca-certificates \u001b[38;5;245m\u0026\u0026\u001b[0m rm -rf /var/cache/apk/*", - "FirstCause": true, - "LastCause": true - } - ] - } - } - }, - { - "Type": "Dockerfile Security Check", - "ID": "DS026", - "AVDID": "AVD-DS-0026", - "Title": "No HEALTHCHECK defined", - "Description": "You should add HEALTHCHECK instruction in your docker container images to perform the health check on running containers.", - "Message": "Add HEALTHCHECK instruction in your Dockerfile", - "Namespace": "builtin.dockerfile.DS026", - "Query": "data.builtin.dockerfile.DS026.deny", - "Resolution": "Add HEALTHCHECK instruction in Dockerfile", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ds026", - "References": [ - "https://blog.aquasec.com/docker-security-best-practices", - "https://avd.aquasec.com/misconfig/ds026" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Dockerfile", - "Service": "general", - "Code": { - "Lines": null - } - } - } - ] - }, - { - "Target": "sample-docker-templates/kotlin/Dockerfile", - "Class": "config", - "Type": "dockerfile", - "MisconfSummary": { - "Successes": 23, - "Failures": 4, - "Exceptions": 0 - }, - "Misconfigurations": [ - { - "Type": "Dockerfile Security Check", - "ID": "DS001", - "AVDID": "AVD-DS-0001", - "Title": "':latest' tag used", - "Description": "When using a 'FROM' statement you should use a specific tag to avoid uncontrolled behavior when the image is updated.", - "Message": "Specify a tag in the 'FROM' statement for image 'alpine'", - "Namespace": "builtin.dockerfile.DS001", - "Query": "data.builtin.dockerfile.DS001.deny", - "Resolution": "Add a tag to the image in the 'FROM' statement", - "Severity": "MEDIUM", - "PrimaryURL": 
"https://avd.aquasec.com/misconfig/ds001", - "References": [ - "https://avd.aquasec.com/misconfig/ds001" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Dockerfile", - "Service": "general", - "StartLine": 2, - "EndLine": 2, - "Code": { - "Lines": [ - { - "Number": 2, - "Content": "FROM alpine:latest", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m\u001b[38;5;64mFROM\u001b[0m\u001b[38;5;37m alpine:latest", - "FirstCause": true, - "LastCause": true - } - ] - } - } - }, - { - "Type": "Dockerfile Security Check", - "ID": "DS002", - "AVDID": "AVD-DS-0002", - "Title": "Image user should not be 'root'", - "Description": "Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.", - "Message": "Specify at least 1 USER command in Dockerfile with non-root user as argument", - "Namespace": "builtin.dockerfile.DS002", - "Query": "data.builtin.dockerfile.DS002.deny", - "Resolution": "Add 'USER \u003cnon root user name\u003e' line to the Dockerfile", - "Severity": "HIGH", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ds002", - "References": [ - "https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", - "https://avd.aquasec.com/misconfig/ds002" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Dockerfile", - "Service": "general", - "Code": { - "Lines": null - } - } - }, - { - "Type": "Dockerfile Security Check", - "ID": "DS013", - "AVDID": "AVD-DS-0013", - "Title": "'RUN cd ...' 
to change directory", - "Description": "Use WORKDIR instead of proliferating instructions like 'RUN cd … \u0026\u0026 do-something', which are hard to read, troubleshoot, and maintain.", - "Message": "RUN should not be used to change directory: 'apk add --no-cache build-base wget \u0026\u0026 cd /usr/lib \u0026\u0026 wget 'https://github.com/JetBrains/kotlin/releases/download/v1.3.72/kotlin-compiler-1.3.72.zip' \u0026\u0026 unzip kotlin-compiler-*.zip \u0026\u0026 rm kotlin-compiler-*.zip \u0026\u0026 rm -f kotlinc/bin/*.bat;'. Use 'WORKDIR' statement instead.", - "Namespace": "builtin.dockerfile.DS013", - "Query": "data.builtin.dockerfile.DS013.deny", - "Resolution": "Use WORKDIR to change directory", - "Severity": "MEDIUM", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ds013", - "References": [ - "https://docs.docker.com/develop/develop-images/dockerfile_best-practices/#workdir", - "https://avd.aquasec.com/misconfig/ds013" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Dockerfile", - "Service": "general", - "StartLine": 16, - "EndLine": 23, - "Code": { - "Lines": [ - { - "Number": 16, - "Content": "RUN apk add --no-cache build-base wget \u0026\u0026 \\", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[38;5;64mRUN\u001b[0m apk add --no-cache build-base wget \u001b[38;5;245m\u0026\u0026\u001b[0m \u001b[38;5;124m\\", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 17, - "Content": " cd /usr/lib \u0026\u0026 \\", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mcd\u001b[0m /usr/lib \u001b[38;5;245m\u0026\u0026\u001b[0m \u001b[38;5;124m\\", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 18, - "Content": " # Installing Kotlin compiler in zip file", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;239m# Installing Kotlin compiler in zip file", - "FirstCause": 
false, - "LastCause": false - }, - { - "Number": 19, - "Content": " wget 'https://github.com/JetBrains/kotlin/releases/download/v1.3.72/kotlin-compiler-1.3.72.zip' \u0026\u0026 \\", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m wget \u001b[38;5;37m'https://github.com/JetBrains/kotlin/releases/download/v1.3.72/kotlin-compiler-1.3.72.zip'\u001b[0m \u001b[38;5;245m\u0026\u0026\u001b[0m \u001b[38;5;124m\\", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 20, - "Content": " # Unzipping the downloaded zip file", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;239m# Unzipping the downloaded zip file", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 21, - "Content": " unzip kotlin-compiler-*.zip \u0026\u0026 \\", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m unzip kotlin-compiler-*.zip \u001b[38;5;245m\u0026\u0026\u001b[0m \u001b[38;5;124m\\", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 22, - "Content": " rm kotlin-compiler-*.zip \u0026\u0026 \\", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m rm kotlin-compiler-*.zip \u001b[38;5;245m\u0026\u0026\u001b[0m \u001b[38;5;124m\\", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 23, - "Content": " rm -f kotlinc/bin/*.bat;", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m rm -f kotlinc/bin/*.bat;", - "FirstCause": false, - "LastCause": true - } - ] - } - } - }, - { - "Type": "Dockerfile Security Check", - "ID": "DS026", - "AVDID": "AVD-DS-0026", - "Title": "No HEALTHCHECK defined", - "Description": "You should add HEALTHCHECK instruction in your docker container images to perform the health check on running containers.", - "Message": "Add HEALTHCHECK instruction in your Dockerfile", - "Namespace": "builtin.dockerfile.DS026", - "Query": 
"data.builtin.dockerfile.DS026.deny", - "Resolution": "Add HEALTHCHECK instruction in Dockerfile", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ds026", - "References": [ - "https://blog.aquasec.com/docker-security-best-practices", - "https://avd.aquasec.com/misconfig/ds026" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Dockerfile", - "Service": "general", - "Code": { - "Lines": null - } - } - } - ] - }, - { - "Target": "sample-docker-templates/node/Dockerfile", - "Class": "config", - "Type": "dockerfile", - "MisconfSummary": { - "Successes": 22, - "Failures": 5, - "Exceptions": 0 - }, - "Misconfigurations": [ - { - "Type": "Dockerfile Security Check", - "ID": "DS002", - "AVDID": "AVD-DS-0002", - "Title": "Image user should not be 'root'", - "Description": "Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.", - "Message": "Specify at least 1 USER command in Dockerfile with non-root user as argument", - "Namespace": "builtin.dockerfile.DS002", - "Query": "data.builtin.dockerfile.DS002.deny", - "Resolution": "Add 'USER \u003cnon root user name\u003e' line to the Dockerfile", - "Severity": "HIGH", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ds002", - "References": [ - "https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", - "https://avd.aquasec.com/misconfig/ds002" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Dockerfile", - "Service": "general", - "Code": { - "Lines": null - } - } - }, - { - "Type": "Dockerfile Security Check", - "ID": "DS005", - "AVDID": "AVD-DS-0005", - "Title": "ADD instead of COPY", - "Description": "You should use COPY instead of ADD unless you want to extract a tar file. Note that an ADD command will extract a tar file, which adds the risk of Zip-based vulnerabilities. 
Accordingly, it is advised to use a COPY command, which does not extract tar files.", - "Message": "Consider using 'COPY . /app/' command instead of 'ADD . /app/'", - "Namespace": "builtin.dockerfile.DS005", - "Query": "data.builtin.dockerfile.DS005.deny", - "Resolution": "Use COPY instead of ADD", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ds005", - "References": [ - "https://docs.docker.com/engine/reference/builder/#add", - "https://avd.aquasec.com/misconfig/ds005" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Dockerfile", - "Service": "general", - "StartLine": 25, - "EndLine": 25, - "Code": { - "Lines": [ - { - "Number": 25, - "Content": "ADD . /app/", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m\u001b[38;5;64mADD\u001b[0m . /app/", - "FirstCause": true, - "LastCause": true - } - ] - } - } - }, - { - "Type": "Dockerfile Security Check", - "ID": "DS017", - "AVDID": "AVD-DS-0017", - "Title": "'RUN \u003cpackage-manager\u003e update' instruction alone", - "Description": "The instruction 'RUN \u003cpackage-manager\u003e update' should always be followed by '\u003cpackage-manager\u003e install' in the same RUN statement.", - "Message": "The instruction 'RUN \u003cpackage-manager\u003e update' should always be followed by '\u003cpackage-manager\u003e install' in the same RUN statement.", - "Namespace": "builtin.dockerfile.DS017", - "Query": "data.builtin.dockerfile.DS017.deny", - "Resolution": "Combine '\u003cpackage-manager\u003e update' and '\u003cpackage-manager\u003e install' instructions to single one", - "Severity": "HIGH", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ds017", - "References": [ - "https://docs.docker.com/develop/develop-images/dockerfile_best-practices/#run", - "https://avd.aquasec.com/misconfig/ds017" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Dockerfile", - "Service": "general", - "StartLine": 8, - 
"EndLine": 9, - "Code": { - "Lines": [ - { - "Number": 8, - "Content": "RUN apt-get clean \\", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m\u001b[38;5;64mRUN\u001b[0m apt-get clean \u001b[38;5;124m\\", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 9, - "Content": " \u0026\u0026 apt-get -y update", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;245m\u0026\u0026\u001b[0m apt-get -y update", - "FirstCause": false, - "LastCause": true - } - ] - } - } - }, - { - "Type": "Dockerfile Security Check", - "ID": "DS026", - "AVDID": "AVD-DS-0026", - "Title": "No HEALTHCHECK defined", - "Description": "You should add HEALTHCHECK instruction in your docker container images to perform the health check on running containers.", - "Message": "Add HEALTHCHECK instruction in your Dockerfile", - "Namespace": "builtin.dockerfile.DS026", - "Query": "data.builtin.dockerfile.DS026.deny", - "Resolution": "Add HEALTHCHECK instruction in Dockerfile", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ds026", - "References": [ - "https://blog.aquasec.com/docker-security-best-practices", - "https://avd.aquasec.com/misconfig/ds026" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Dockerfile", - "Service": "general", - "Code": { - "Lines": null - } - } - }, - { - "Type": "Dockerfile Security Check", - "ID": "DS029", - "AVDID": "AVD-DS-0029", - "Title": "'apt-get' missing '--no-install-recommends'", - "Description": "'apt-get' install should use '--no-install-recommends' to minimize image size.", - "Message": "'--no-install-recommends' flag is missed: 'apt-get -y install nginx \u0026\u0026 apt-get -y install python3-dev \u0026\u0026 apt-get -y install build-essential'", - "Namespace": "builtin.dockerfile.DS029", - "Query": "data.builtin.dockerfile.DS029.deny", - "Resolution": "Add '--no-install-recommends' flag to 'apt-get'", - 
"Severity": "HIGH", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ds029", - "References": [ - "https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", - "https://avd.aquasec.com/misconfig/ds029" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Dockerfile", - "Service": "general", - "StartLine": 12, - "EndLine": 14, - "Code": { - "Lines": [ - { - "Number": 12, - "Content": "RUN apt-get -y install nginx \\", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m\u001b[38;5;64mRUN\u001b[0m apt-get -y install nginx \u001b[38;5;124m\\", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 13, - "Content": " \u0026\u0026 apt-get -y install python3-dev \\", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;245m\u0026\u0026\u001b[0m apt-get -y install python3-dev \u001b[38;5;124m\\", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 14, - "Content": " \u0026\u0026 apt-get -y install build-essential", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;245m\u0026\u0026\u001b[0m apt-get -y install build-essential", - "FirstCause": false, - "LastCause": true - } - ] - } - } - } - ] - }, - { - "Target": "sample-docker-templates/php/php7.4/Dockerfile", - "Class": "config", - "Type": "dockerfile", - "MisconfSummary": { - "Successes": 22, - "Failures": 6, - "Exceptions": 0 - }, - "Misconfigurations": [ - { - "Type": "Dockerfile Security Check", - "ID": "DS002", - "AVDID": "AVD-DS-0002", - "Title": "Image user should not be 'root'", - "Description": "Running containers with 'root' user can lead to a container escape situation. 
It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.", - "Message": "Specify at least 1 USER command in Dockerfile with non-root user as argument", - "Namespace": "builtin.dockerfile.DS002", - "Query": "data.builtin.dockerfile.DS002.deny", - "Resolution": "Add 'USER \u003cnon root user name\u003e' line to the Dockerfile", - "Severity": "HIGH", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ds002", - "References": [ - "https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", - "https://avd.aquasec.com/misconfig/ds002" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Dockerfile", - "Service": "general", - "Code": { - "Lines": null - } - } - }, - { - "Type": "Dockerfile Security Check", - "ID": "DS005", - "AVDID": "AVD-DS-0005", - "Title": "ADD instead of COPY", - "Description": "You should use COPY instead of ADD unless you want to extract a tar file. Note that an ADD command will extract a tar file, which adds the risk of Zip-based vulnerabilities. 
Accordingly, it is advised to use a COPY command, which does not extract tar files.", - "Message": "Consider using 'COPY nginx-site.conf /etc/nginx/sites-available/default' command instead of 'ADD nginx-site.conf /etc/nginx/sites-available/default'", - "Namespace": "builtin.dockerfile.DS005", - "Query": "data.builtin.dockerfile.DS005.deny", - "Resolution": "Use COPY instead of ADD", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ds005", - "References": [ - "https://docs.docker.com/engine/reference/builder/#add", - "https://avd.aquasec.com/misconfig/ds005" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Dockerfile", - "Service": "general", - "StartLine": 14, - "EndLine": 14, - "Code": { - "Lines": [ - { - "Number": 14, - "Content": "ADD nginx-site.conf /etc/nginx/sites-available/default", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[38;5;64mADD\u001b[0m nginx-site.conf /etc/nginx/sites-available/default", - "FirstCause": true, - "LastCause": true - } - ] - } - } - }, - { - "Type": "Dockerfile Security Check", - "ID": "DS017", - "AVDID": "AVD-DS-0017", - "Title": "'RUN \u003cpackage-manager\u003e update' instruction alone", - "Description": "The instruction 'RUN \u003cpackage-manager\u003e update' should always be followed by '\u003cpackage-manager\u003e install' in the same RUN statement.", - "Message": "The instruction 'RUN \u003cpackage-manager\u003e update' should always be followed by '\u003cpackage-manager\u003e install' in the same RUN statement.", - "Namespace": "builtin.dockerfile.DS017", - "Query": "data.builtin.dockerfile.DS017.deny", - "Resolution": "Combine '\u003cpackage-manager\u003e update' and '\u003cpackage-manager\u003e install' instructions to single one", - "Severity": "HIGH", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ds017", - "References": [ - "https://docs.docker.com/develop/develop-images/dockerfile_best-practices/#run", - 
"https://avd.aquasec.com/misconfig/ds017" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Dockerfile", - "Service": "general", - "StartLine": 3, - "EndLine": 3, - "Code": { - "Lines": [ - { - "Number": 3, - "Content": "RUN apt-get update", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[38;5;64mRUN\u001b[0m apt-get update", - "FirstCause": true, - "LastCause": true - } - ] - } - } - }, - { - "Type": "Dockerfile Security Check", - "ID": "DS026", - "AVDID": "AVD-DS-0026", - "Title": "No HEALTHCHECK defined", - "Description": "You should add HEALTHCHECK instruction in your docker container images to perform the health check on running containers.", - "Message": "Add HEALTHCHECK instruction in your Dockerfile", - "Namespace": "builtin.dockerfile.DS026", - "Query": "data.builtin.dockerfile.DS026.deny", - "Resolution": "Add HEALTHCHECK instruction in Dockerfile", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ds026", - "References": [ - "https://blog.aquasec.com/docker-security-best-practices", - "https://avd.aquasec.com/misconfig/ds026" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Dockerfile", - "Service": "general", - "Code": { - "Lines": null - } - } - }, - { - "Type": "Dockerfile Security Check", - "ID": "DS029", - "AVDID": "AVD-DS-0029", - "Title": "'apt-get' missing '--no-install-recommends'", - "Description": "'apt-get' install should use '--no-install-recommends' to minimize image size.", - "Message": "'--no-install-recommends' flag is missed: 'DEBIAN_FRONTEND=\"noninteractive\" apt-get install -y nginx-full'", - "Namespace": "builtin.dockerfile.DS029", - "Query": "data.builtin.dockerfile.DS029.deny", - "Resolution": "Add '--no-install-recommends' flag to 'apt-get'", - "Severity": "HIGH", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ds029", - "References": [ - "https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", - 
"https://avd.aquasec.com/misconfig/ds029" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Dockerfile", - "Service": "general", - "StartLine": 13, - "EndLine": 13, - "Code": { - "Lines": [ - { - "Number": 13, - "Content": "RUN DEBIAN_FRONTEND=\"noninteractive\" apt-get install -y nginx-full", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[38;5;64mRUN\u001b[0m \u001b[38;5;33mDEBIAN_FRONTEND\u001b[0m\u001b[38;5;245m=\u001b[0m\u001b[38;5;37m\"noninteractive\"\u001b[0m apt-get install -y nginx-full", - "FirstCause": true, - "LastCause": true - } - ] - } - } - }, - { - "Type": "Dockerfile Security Check", - "ID": "DS029", - "AVDID": "AVD-DS-0029", - "Title": "'apt-get' missing '--no-install-recommends'", - "Description": "'apt-get' install should use '--no-install-recommends' to minimize image size.", - "Message": "'--no-install-recommends' flag is missed: 'DEBIAN_FRONTEND=noninteractive apt-get install -y --fix-missing php7.4 php7.4-cli php-fpm php7.4-mysql php7.4-curl net-tools'", - "Namespace": "builtin.dockerfile.DS029", - "Query": "data.builtin.dockerfile.DS029.deny", - "Resolution": "Add '--no-install-recommends' flag to 'apt-get'", - "Severity": "HIGH", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ds029", - "References": [ - "https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", - "https://avd.aquasec.com/misconfig/ds029" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Dockerfile", - "Service": "general", - "StartLine": 6, - "EndLine": 11, - "Code": { - "Lines": [ - { - "Number": 6, - "Content": "RUN DEBIAN_FRONTEND=noninteractive apt-get install -y --fix-missing php7.4 \\", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[38;5;64mRUN\u001b[0m \u001b[38;5;33mDEBIAN_FRONTEND\u001b[0m\u001b[38;5;245m=\u001b[0mnoninteractive apt-get install -y --fix-missing php7.4 \u001b[38;5;124m\\", - "FirstCause": true, - 
"LastCause": false - }, - { - "Number": 7, - "Content": " php7.4-cli \\", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m php7.4-cli \u001b[38;5;124m\\", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 8, - "Content": " php-fpm \\", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m php-fpm \u001b[38;5;124m\\", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 9, - "Content": " php7.4-mysql \\", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m php7.4-mysql \u001b[38;5;124m\\", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 10, - "Content": " php7.4-curl \\", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m php7.4-curl \u001b[38;5;124m\\", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 11, - "Content": " net-tools", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m net-tools", - "FirstCause": false, - "LastCause": true - } - ] - } - } - } - ] - }, - { - "Target": "sample-docker-templates/react/Dockerfile", - "Class": "config", - "Type": "dockerfile", - "MisconfSummary": { - "Successes": 24, - "Failures": 3, - "Exceptions": 0 - }, - "Misconfigurations": [ - { - "Type": "Dockerfile Security Check", - "ID": "DS002", - "AVDID": "AVD-DS-0002", - "Title": "Image user should not be 'root'", - "Description": "Running containers with 'root' user can lead to a container escape situation. 
It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.", - "Message": "Specify at least 1 USER command in Dockerfile with non-root user as argument", - "Namespace": "builtin.dockerfile.DS002", - "Query": "data.builtin.dockerfile.DS002.deny", - "Resolution": "Add 'USER \u003cnon root user name\u003e' line to the Dockerfile", - "Severity": "HIGH", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ds002", - "References": [ - "https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", - "https://avd.aquasec.com/misconfig/ds002" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Dockerfile", - "Service": "general", - "Code": { - "Lines": null - } - } - }, - { - "Type": "Dockerfile Security Check", - "ID": "DS005", - "AVDID": "AVD-DS-0005", - "Title": "ADD instead of COPY", - "Description": "You should use COPY instead of ADD unless you want to extract a tar file. Note that an ADD command will extract a tar file, which adds the risk of Zip-based vulnerabilities. Accordingly, it is advised to use a COPY command, which does not extract tar files.", - "Message": "Consider using 'COPY . /app/' command instead of 'ADD . /app/'", - "Namespace": "builtin.dockerfile.DS005", - "Query": "data.builtin.dockerfile.DS005.deny", - "Resolution": "Use COPY instead of ADD", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ds005", - "References": [ - "https://docs.docker.com/engine/reference/builder/#add", - "https://avd.aquasec.com/misconfig/ds005" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Dockerfile", - "Service": "general", - "StartLine": 10, - "EndLine": 10, - "Code": { - "Lines": [ - { - "Number": 10, - "Content": "ADD . /app/", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m\u001b[38;5;64mADD\u001b[0m . 
/app/", - "FirstCause": true, - "LastCause": true - } - ] - } - } - }, - { - "Type": "Dockerfile Security Check", - "ID": "DS026", - "AVDID": "AVD-DS-0026", - "Title": "No HEALTHCHECK defined", - "Description": "You should add HEALTHCHECK instruction in your docker container images to perform the health check on running containers.", - "Message": "Add HEALTHCHECK instruction in your Dockerfile", - "Namespace": "builtin.dockerfile.DS026", - "Query": "data.builtin.dockerfile.DS026.deny", - "Resolution": "Add HEALTHCHECK instruction in Dockerfile", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ds026", - "References": [ - "https://blog.aquasec.com/docker-security-best-practices", - "https://avd.aquasec.com/misconfig/ds026" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Dockerfile", - "Service": "general", - "Code": { - "Lines": null - } - } - } - ] - }, - { - "Target": "sample-docker-templates/rust/Dockerfile", - "Class": "config", - "Type": "dockerfile", - "MisconfSummary": { - "Successes": 24, - "Failures": 3, - "Exceptions": 0 - }, - "Misconfigurations": [ - { - "Type": "Dockerfile Security Check", - "ID": "DS001", - "AVDID": "AVD-DS-0001", - "Title": "':latest' tag used", - "Description": "When using a 'FROM' statement you should use a specific tag to avoid uncontrolled behavior when the image is updated.", - "Message": "Specify a tag in the 'FROM' statement for image 'alpine'", - "Namespace": "builtin.dockerfile.DS001", - "Query": "data.builtin.dockerfile.DS001.deny", - "Resolution": "Add a tag to the image in the 'FROM' statement", - "Severity": "MEDIUM", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ds001", - "References": [ - "https://avd.aquasec.com/misconfig/ds001" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Dockerfile", - "Service": "general", - "StartLine": 2, - "EndLine": 2, - "Code": { - "Lines": [ - { - "Number": 2, - "Content": "FROM alpine:latest", - "IsCause": 
true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m\u001b[38;5;64mFROM\u001b[0m\u001b[38;5;37m alpine:latest", - "FirstCause": true, - "LastCause": true - } - ] - } - } - }, - { - "Type": "Dockerfile Security Check", - "ID": "DS002", - "AVDID": "AVD-DS-0002", - "Title": "Image user should not be 'root'", - "Description": "Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.", - "Message": "Specify at least 1 USER command in Dockerfile with non-root user as argument", - "Namespace": "builtin.dockerfile.DS002", - "Query": "data.builtin.dockerfile.DS002.deny", - "Resolution": "Add 'USER \u003cnon root user name\u003e' line to the Dockerfile", - "Severity": "HIGH", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ds002", - "References": [ - "https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", - "https://avd.aquasec.com/misconfig/ds002" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Dockerfile", - "Service": "general", - "Code": { - "Lines": null - } - } - }, - { - "Type": "Dockerfile Security Check", - "ID": "DS026", - "AVDID": "AVD-DS-0026", - "Title": "No HEALTHCHECK defined", - "Description": "You should add HEALTHCHECK instruction in your docker container images to perform the health check on running containers.", - "Message": "Add HEALTHCHECK instruction in your Dockerfile", - "Namespace": "builtin.dockerfile.DS026", - "Query": "data.builtin.dockerfile.DS026.deny", - "Resolution": "Add HEALTHCHECK instruction in Dockerfile", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ds026", - "References": [ - "https://blog.aquasec.com/docker-security-best-practices", - "https://avd.aquasec.com/misconfig/ds026" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Dockerfile", - "Service": "general", - 
"Code": { - "Lines": null - } - } - } - ] - }, - { - "Target": "scripts/devtron-reference-helm-charts/deployment-chart_1-0-0/test-values.json", - "Class": "config", - "Type": "cloudformation", - "MisconfSummary": { - "Successes": 5, - "Failures": 0, - "Exceptions": 0 - } - }, - { - "Target": "scripts/devtron-reference-helm-charts/deployment-chart_1-1-0/test-values.json", - "Class": "config", - "Type": "cloudformation", - "MisconfSummary": { - "Successes": 5, - "Failures": 0, - "Exceptions": 0 - } - }, - { - "Target": "scripts/devtron-reference-helm-charts/deployment-chart_4-18-0/test-values.json", - "Class": "config", - "Type": "cloudformation", - "MisconfSummary": { - "Successes": 5, - "Failures": 0, - "Exceptions": 0 - } - }, - { - "Target": "scripts/devtron-reference-helm-charts/deployment-chart_4-19-0/test-values.json", - "Class": "config", - "Type": "cloudformation", - "MisconfSummary": { - "Successes": 5, - "Failures": 0, - "Exceptions": 0 - } - }, - { - "Target": "scripts/devtron-reference-helm-charts/reference-app-rolling/templates/deployment.yaml", - "Class": "config", - "Type": "helm", - "MisconfSummary": { - "Successes": 102, - "Failures": 0, - "Exceptions": 0 - } - }, - { - "Target": "scripts/devtron-reference-helm-charts/reference-app-rolling/templates/hpa.yaml", - "Class": "config", - "Type": "helm", - "MisconfSummary": { - "Successes": 102, - "Failures": 0, - "Exceptions": 0 - } - }, - { - "Target": "scripts/devtron-reference-helm-charts/reference-app-rolling/templates/service.yaml", - "Class": "config", - "Type": "helm", - "MisconfSummary": { - "Successes": 103, - "Failures": 0, - "Exceptions": 0 - } - }, - { - "Target": "scripts/devtron-reference-helm-charts/reference-app/templates/service-prod.yaml", - "Class": "config", - "Type": "helm", - "MisconfSummary": { - "Successes": 103, - "Failures": 0, - "Exceptions": 0 - } - }, - { - "Target": "scripts/devtron-reference-helm-charts/reference-app/templates/servicemonitor.yaml", - "Class": "config", - 
"Type": "helm", - "MisconfSummary": { - "Successes": 102, - "Failures": 0, - "Exceptions": 0 - } - }, - { - "Target": "tests/integrationTesting/migrator.yaml", - "Class": "config", - "Type": "kubernetes", - "MisconfSummary": { - "Successes": 140, - "Failures": 65, - "Exceptions": 0 - }, - "Misconfigurations": [ - { - "Type": "Kubernetes Security Check", - "ID": "KSV001", - "AVDID": "AVD-KSV-0001", - "Title": "Can elevate its own privileges", - "Description": "A program inside the container can elevate its own privileges and run as root, which might give the program control over the container and node.", - "Message": "Container 'postgresql-migrate-casbin' of Job 'postgresql-migrate-casbin' should set 'securityContext.allowPrivilegeEscalation' to false", - "Namespace": "builtin.kubernetes.KSV001", - "Query": "data.builtin.kubernetes.KSV001.deny", - "Resolution": "Set 'set containers[].securityContext.allowPrivilegeEscalation' to 'false'.", - "Severity": "MEDIUM", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv001", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", - "https://avd.aquasec.com/misconfig/ksv001" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 47, - "EndLine": 72, - "Code": { - "Lines": [ - { - "Number": 47, - "Content": " - name: postgresql-migrate-casbin", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-migrate-casbin", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 48, - "Content": " image: quay.io/devtron/migrator:71748de9-149-11112", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/migrator:71748de9-149-11112", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 49, - "Content": " env:", - "IsCause": true, - "Annotation": "", - 
"Truncated": false, - "Highlighted": " \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 50, - "Content": " - name: SCRIPT_LOCATION", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: SCRIPT_LOCATION", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 51, - "Content": " value: scripts/casbin/", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: scripts/casbin/", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 52, - "Content": " - name: GIT_REPO_URL", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: GIT_REPO_URL", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 53, - "Content": " value: https://github.com/devtron-labs/devtron.git", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: https://github.com/devtron-labs/devtron.git", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 54, - "Content": " - name: DB_TYPE", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: DB_TYPE", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 55, - "Content": " value: postgres", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: postgres", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 56, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV001", - "AVDID": "AVD-KSV-0001", - "Title": "Can elevate its own privileges", - "Description": "A program inside the container can elevate its own privileges and run as root, which might give the program 
control over the container and node.", - "Message": "Container 'postgresql-migrate-devtron' of Job 'postgresql-migrate-devtron' should set 'securityContext.allowPrivilegeEscalation' to false", - "Namespace": "builtin.kubernetes.KSV001", - "Query": "data.builtin.kubernetes.KSV001.deny", - "Resolution": "Set 'set containers[].securityContext.allowPrivilegeEscalation' to 'false'.", - "Severity": "MEDIUM", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv001", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", - "https://avd.aquasec.com/misconfig/ksv001" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 9, - "EndLine": 34, - "Code": { - "Lines": [ - { - "Number": 9, - "Content": " - name: postgresql-migrate-devtron", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-migrate-devtron", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 10, - "Content": " image: quay.io/devtron/migrator:71748de9-149-11112", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/migrator:71748de9-149-11112", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 11, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 12, - "Content": " - name: GIT_BRANCH", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: GIT_BRANCH", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 13, - "Content": " value: main", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: main", - "FirstCause": false, - "LastCause": false - }, - { - 
"Number": 14, - "Content": " - name: SCRIPT_LOCATION", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: SCRIPT_LOCATION", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 15, - "Content": " value: scripts/sql/", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: scripts/sql/", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 16, - "Content": " - name: GIT_REPO_URL", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: GIT_REPO_URL", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 17, - "Content": " value: https://github.com/devtron-labs/devtron.git", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: https://github.com/devtron-labs/devtron.git", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 18, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV001", - "AVDID": "AVD-KSV-0001", - "Title": "Can elevate its own privileges", - "Description": "A program inside the container can elevate its own privileges and run as root, which might give the program control over the container and node.", - "Message": "Container 'postgresql-migrate-gitsensor' of Job 'postgresql-migrate-gitsensor' should set 'securityContext.allowPrivilegeEscalation' to false", - "Namespace": "builtin.kubernetes.KSV001", - "Query": "data.builtin.kubernetes.KSV001.deny", - "Resolution": "Set 'set containers[].securityContext.allowPrivilegeEscalation' to 'false'.", - "Severity": "MEDIUM", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv001", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", - 
"https://avd.aquasec.com/misconfig/ksv001" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 85, - "EndLine": 110, - "Code": { - "Lines": [ - { - "Number": 85, - "Content": " - name: postgresql-migrate-gitsensor", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-migrate-gitsensor", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 86, - "Content": " image: quay.io/devtron/migrator:71748de9-149-11112", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/migrator:71748de9-149-11112", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 87, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 88, - "Content": " - name: SCRIPT_LOCATION", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: SCRIPT_LOCATION", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 89, - "Content": " value: scripts/sql/", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: scripts/sql/", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 90, - "Content": " - name: GIT_REPO_URL", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: GIT_REPO_URL", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 91, - "Content": " value: https://github.com/devtron-labs/git-sensor.git", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: https://github.com/devtron-labs/git-sensor.git", - "FirstCause": false, - "LastCause": false - }, - { - 
"Number": 92, - "Content": " - name: DB_TYPE", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: DB_TYPE", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 93, - "Content": " value: postgres", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: postgres", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 94, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV001", - "AVDID": "AVD-KSV-0001", - "Title": "Can elevate its own privileges", - "Description": "A program inside the container can elevate its own privileges and run as root, which might give the program control over the container and node.", - "Message": "Container 'postgresql-migrate-lens' of Job 'postgresql-migrate-lens' should set 'securityContext.allowPrivilegeEscalation' to false", - "Namespace": "builtin.kubernetes.KSV001", - "Query": "data.builtin.kubernetes.KSV001.deny", - "Resolution": "Set 'set containers[].securityContext.allowPrivilegeEscalation' to 'false'.", - "Severity": "MEDIUM", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv001", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", - "https://avd.aquasec.com/misconfig/ksv001" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 123, - "EndLine": 148, - "Code": { - "Lines": [ - { - "Number": 123, - "Content": " - name: postgresql-migrate-lens", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-migrate-lens", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 124, - "Content": " image: quay.io/devtron/migrator:71748de9-149-11112", - 
"IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/migrator:71748de9-149-11112", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 125, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 126, - "Content": " - name: SCRIPT_LOCATION", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: SCRIPT_LOCATION", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 127, - "Content": " value: scripts/sql/", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: scripts/sql/", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 128, - "Content": " - name: GIT_REPO_URL", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: GIT_REPO_URL", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 129, - "Content": " value: https://github.com/devtron-labs/lens.git", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: https://github.com/devtron-labs/lens.git", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 130, - "Content": " - name: DB_TYPE", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: DB_TYPE", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 131, - "Content": " value: postgres", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: postgres", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 132, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - 
} - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV001", - "AVDID": "AVD-KSV-0001", - "Title": "Can elevate its own privileges", - "Description": "A program inside the container can elevate its own privileges and run as root, which might give the program control over the container and node.", - "Message": "Container 'postgresql-miscellaneous' of Job 'postgresql-miscellaneous' should set 'securityContext.allowPrivilegeEscalation' to false", - "Namespace": "builtin.kubernetes.KSV001", - "Query": "data.builtin.kubernetes.KSV001.deny", - "Resolution": "Set 'set containers[].securityContext.allowPrivilegeEscalation' to 'false'.", - "Severity": "MEDIUM", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv001", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", - "https://avd.aquasec.com/misconfig/ksv001" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 165, - "EndLine": 181, - "Code": { - "Lines": [ - { - "Number": 165, - "Content": " - name: postgresql-miscellaneous", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-miscellaneous", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 166, - "Content": " image: quay.io/devtron/postgres:11.9", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/postgres:11.9", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 167, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 168, - "Content": " - name: PGPASSWORD", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: PGPASSWORD", - "FirstCause": false, - 
"LastCause": false - }, - { - "Number": 169, - "Content": " valueFrom:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalueFrom\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 170, - "Content": " secretKeyRef:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33msecretKeyRef\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 171, - "Content": " name: postgresql-postgresql", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mname\u001b[0m: postgresql-postgresql", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 172, - "Content": " key: postgresql-password", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mkey\u001b[0m: postgresql-password", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 173, - "Content": " - name: PGHOST", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: PGHOST", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 174, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV003", - "AVDID": "AVD-KSV-0003", - "Title": "Default capabilities: some containers do not drop all", - "Description": "The container should drop all default capabilities and add only those that are needed for its execution.", - "Message": "Container 'postgresql-migrate-casbin' of Job 'postgresql-migrate-casbin' should add 'ALL' to 'securityContext.capabilities.drop'", - "Namespace": "builtin.kubernetes.KSV003", - "Query": "data.builtin.kubernetes.KSV003.deny", - "Resolution": "Add 'ALL' to containers[].securityContext.capabilities.drop.", - "Severity": "LOW", - "PrimaryURL": 
"https://avd.aquasec.com/misconfig/ksv003", - "References": [ - "https://kubesec.io/basics/containers-securitycontext-capabilities-drop-index-all/", - "https://avd.aquasec.com/misconfig/ksv003" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 47, - "EndLine": 72, - "Code": { - "Lines": [ - { - "Number": 47, - "Content": " - name: postgresql-migrate-casbin", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-migrate-casbin", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 48, - "Content": " image: quay.io/devtron/migrator:71748de9-149-11112", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/migrator:71748de9-149-11112", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 49, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 50, - "Content": " - name: SCRIPT_LOCATION", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: SCRIPT_LOCATION", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 51, - "Content": " value: scripts/casbin/", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: scripts/casbin/", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 52, - "Content": " - name: GIT_REPO_URL", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: GIT_REPO_URL", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 53, - "Content": " value: https://github.com/devtron-labs/devtron.git", - "IsCause": true, - "Annotation": "", - "Truncated": false, - 
"Highlighted": " \u001b[38;5;33mvalue\u001b[0m: https://github.com/devtron-labs/devtron.git", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 54, - "Content": " - name: DB_TYPE", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: DB_TYPE", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 55, - "Content": " value: postgres", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: postgres", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 56, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV003", - "AVDID": "AVD-KSV-0003", - "Title": "Default capabilities: some containers do not drop all", - "Description": "The container should drop all default capabilities and add only those that are needed for its execution.", - "Message": "Container 'postgresql-migrate-devtron' of Job 'postgresql-migrate-devtron' should add 'ALL' to 'securityContext.capabilities.drop'", - "Namespace": "builtin.kubernetes.KSV003", - "Query": "data.builtin.kubernetes.KSV003.deny", - "Resolution": "Add 'ALL' to containers[].securityContext.capabilities.drop.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv003", - "References": [ - "https://kubesec.io/basics/containers-securitycontext-capabilities-drop-index-all/", - "https://avd.aquasec.com/misconfig/ksv003" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 9, - "EndLine": 34, - "Code": { - "Lines": [ - { - "Number": 9, - "Content": " - name: postgresql-migrate-devtron", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-migrate-devtron", - "FirstCause": true, - 
"LastCause": false - }, - { - "Number": 10, - "Content": " image: quay.io/devtron/migrator:71748de9-149-11112", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/migrator:71748de9-149-11112", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 11, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 12, - "Content": " - name: GIT_BRANCH", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: GIT_BRANCH", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 13, - "Content": " value: main", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: main", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 14, - "Content": " - name: SCRIPT_LOCATION", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: SCRIPT_LOCATION", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 15, - "Content": " value: scripts/sql/", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: scripts/sql/", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 16, - "Content": " - name: GIT_REPO_URL", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: GIT_REPO_URL", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 17, - "Content": " value: https://github.com/devtron-labs/devtron.git", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: https://github.com/devtron-labs/devtron.git", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 18, - "Content": 
"", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV003", - "AVDID": "AVD-KSV-0003", - "Title": "Default capabilities: some containers do not drop all", - "Description": "The container should drop all default capabilities and add only those that are needed for its execution.", - "Message": "Container 'postgresql-migrate-gitsensor' of Job 'postgresql-migrate-gitsensor' should add 'ALL' to 'securityContext.capabilities.drop'", - "Namespace": "builtin.kubernetes.KSV003", - "Query": "data.builtin.kubernetes.KSV003.deny", - "Resolution": "Add 'ALL' to containers[].securityContext.capabilities.drop.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv003", - "References": [ - "https://kubesec.io/basics/containers-securitycontext-capabilities-drop-index-all/", - "https://avd.aquasec.com/misconfig/ksv003" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 85, - "EndLine": 110, - "Code": { - "Lines": [ - { - "Number": 85, - "Content": " - name: postgresql-migrate-gitsensor", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-migrate-gitsensor", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 86, - "Content": " image: quay.io/devtron/migrator:71748de9-149-11112", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/migrator:71748de9-149-11112", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 87, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 88, - "Content": " - name: SCRIPT_LOCATION", - "IsCause": true, - "Annotation": 
"", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: SCRIPT_LOCATION", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 89, - "Content": " value: scripts/sql/", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: scripts/sql/", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 90, - "Content": " - name: GIT_REPO_URL", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: GIT_REPO_URL", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 91, - "Content": " value: https://github.com/devtron-labs/git-sensor.git", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: https://github.com/devtron-labs/git-sensor.git", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 92, - "Content": " - name: DB_TYPE", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: DB_TYPE", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 93, - "Content": " value: postgres", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: postgres", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 94, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV003", - "AVDID": "AVD-KSV-0003", - "Title": "Default capabilities: some containers do not drop all", - "Description": "The container should drop all default capabilities and add only those that are needed for its execution.", - "Message": "Container 'postgresql-migrate-lens' of Job 'postgresql-migrate-lens' should add 'ALL' to 'securityContext.capabilities.drop'", - "Namespace": "builtin.kubernetes.KSV003", - "Query": 
"data.builtin.kubernetes.KSV003.deny", - "Resolution": "Add 'ALL' to containers[].securityContext.capabilities.drop.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv003", - "References": [ - "https://kubesec.io/basics/containers-securitycontext-capabilities-drop-index-all/", - "https://avd.aquasec.com/misconfig/ksv003" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 123, - "EndLine": 148, - "Code": { - "Lines": [ - { - "Number": 123, - "Content": " - name: postgresql-migrate-lens", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-migrate-lens", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 124, - "Content": " image: quay.io/devtron/migrator:71748de9-149-11112", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/migrator:71748de9-149-11112", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 125, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 126, - "Content": " - name: SCRIPT_LOCATION", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: SCRIPT_LOCATION", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 127, - "Content": " value: scripts/sql/", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: scripts/sql/", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 128, - "Content": " - name: GIT_REPO_URL", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: GIT_REPO_URL", - "FirstCause": false, - "LastCause": false - }, - { - 
"Number": 129, - "Content": " value: https://github.com/devtron-labs/lens.git", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: https://github.com/devtron-labs/lens.git", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 130, - "Content": " - name: DB_TYPE", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: DB_TYPE", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 131, - "Content": " value: postgres", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: postgres", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 132, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV003", - "AVDID": "AVD-KSV-0003", - "Title": "Default capabilities: some containers do not drop all", - "Description": "The container should drop all default capabilities and add only those that are needed for its execution.", - "Message": "Container 'postgresql-miscellaneous' of Job 'postgresql-miscellaneous' should add 'ALL' to 'securityContext.capabilities.drop'", - "Namespace": "builtin.kubernetes.KSV003", - "Query": "data.builtin.kubernetes.KSV003.deny", - "Resolution": "Add 'ALL' to containers[].securityContext.capabilities.drop.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv003", - "References": [ - "https://kubesec.io/basics/containers-securitycontext-capabilities-drop-index-all/", - "https://avd.aquasec.com/misconfig/ksv003" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 165, - "EndLine": 181, - "Code": { - "Lines": [ - { - "Number": 165, - "Content": " - name: postgresql-miscellaneous", - "IsCause": true, - 
"Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-miscellaneous", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 166, - "Content": " image: quay.io/devtron/postgres:11.9", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/postgres:11.9", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 167, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 168, - "Content": " - name: PGPASSWORD", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: PGPASSWORD", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 169, - "Content": " valueFrom:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalueFrom\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 170, - "Content": " secretKeyRef:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33msecretKeyRef\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 171, - "Content": " name: postgresql-postgresql", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mname\u001b[0m: postgresql-postgresql", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 172, - "Content": " key: postgresql-password", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mkey\u001b[0m: postgresql-password", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 173, - "Content": " - name: PGHOST", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: PGHOST", - "FirstCause": false, - 
"LastCause": true - }, - { - "Number": 174, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV011", - "AVDID": "AVD-KSV-0011", - "Title": "CPU not limited", - "Description": "Enforcing CPU limits prevents DoS via resource exhaustion.", - "Message": "Container 'postgresql-migrate-casbin' of Job 'postgresql-migrate-casbin' should set 'resources.limits.cpu'", - "Namespace": "builtin.kubernetes.KSV011", - "Query": "data.builtin.kubernetes.KSV011.deny", - "Resolution": "Set a limit value under 'containers[].resources.limits.cpu'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv011", - "References": [ - "https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", - "https://avd.aquasec.com/misconfig/ksv011" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 47, - "EndLine": 72, - "Code": { - "Lines": [ - { - "Number": 47, - "Content": " - name: postgresql-migrate-casbin", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-migrate-casbin", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 48, - "Content": " image: quay.io/devtron/migrator:71748de9-149-11112", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/migrator:71748de9-149-11112", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 49, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 50, - "Content": " - name: SCRIPT_LOCATION", - "IsCause": true, - "Annotation": "", - "Truncated": false, - 
"Highlighted": " - \u001b[38;5;33mname\u001b[0m: SCRIPT_LOCATION", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 51, - "Content": " value: scripts/casbin/", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: scripts/casbin/", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 52, - "Content": " - name: GIT_REPO_URL", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: GIT_REPO_URL", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 53, - "Content": " value: https://github.com/devtron-labs/devtron.git", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: https://github.com/devtron-labs/devtron.git", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 54, - "Content": " - name: DB_TYPE", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: DB_TYPE", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 55, - "Content": " value: postgres", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: postgres", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 56, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV011", - "AVDID": "AVD-KSV-0011", - "Title": "CPU not limited", - "Description": "Enforcing CPU limits prevents DoS via resource exhaustion.", - "Message": "Container 'postgresql-migrate-devtron' of Job 'postgresql-migrate-devtron' should set 'resources.limits.cpu'", - "Namespace": "builtin.kubernetes.KSV011", - "Query": "data.builtin.kubernetes.KSV011.deny", - "Resolution": "Set a limit value under 'containers[].resources.limits.cpu'.", - 
"Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv011", - "References": [ - "https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", - "https://avd.aquasec.com/misconfig/ksv011" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 9, - "EndLine": 34, - "Code": { - "Lines": [ - { - "Number": 9, - "Content": " - name: postgresql-migrate-devtron", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-migrate-devtron", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 10, - "Content": " image: quay.io/devtron/migrator:71748de9-149-11112", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/migrator:71748de9-149-11112", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 11, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 12, - "Content": " - name: GIT_BRANCH", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: GIT_BRANCH", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 13, - "Content": " value: main", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: main", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 14, - "Content": " - name: SCRIPT_LOCATION", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: SCRIPT_LOCATION", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 15, - "Content": " value: scripts/sql/", - "IsCause": true, - "Annotation": "", - "Truncated": false, - 
"Highlighted": " \u001b[38;5;33mvalue\u001b[0m: scripts/sql/", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 16, - "Content": " - name: GIT_REPO_URL", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: GIT_REPO_URL", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 17, - "Content": " value: https://github.com/devtron-labs/devtron.git", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: https://github.com/devtron-labs/devtron.git", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 18, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV011", - "AVDID": "AVD-KSV-0011", - "Title": "CPU not limited", - "Description": "Enforcing CPU limits prevents DoS via resource exhaustion.", - "Message": "Container 'postgresql-migrate-gitsensor' of Job 'postgresql-migrate-gitsensor' should set 'resources.limits.cpu'", - "Namespace": "builtin.kubernetes.KSV011", - "Query": "data.builtin.kubernetes.KSV011.deny", - "Resolution": "Set a limit value under 'containers[].resources.limits.cpu'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv011", - "References": [ - "https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", - "https://avd.aquasec.com/misconfig/ksv011" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 85, - "EndLine": 110, - "Code": { - "Lines": [ - { - "Number": 85, - "Content": " - name: postgresql-migrate-gitsensor", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-migrate-gitsensor", - "FirstCause": true, - "LastCause": 
false - }, - { - "Number": 86, - "Content": " image: quay.io/devtron/migrator:71748de9-149-11112", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/migrator:71748de9-149-11112", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 87, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 88, - "Content": " - name: SCRIPT_LOCATION", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: SCRIPT_LOCATION", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 89, - "Content": " value: scripts/sql/", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: scripts/sql/", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 90, - "Content": " - name: GIT_REPO_URL", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: GIT_REPO_URL", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 91, - "Content": " value: https://github.com/devtron-labs/git-sensor.git", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: https://github.com/devtron-labs/git-sensor.git", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 92, - "Content": " - name: DB_TYPE", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: DB_TYPE", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 93, - "Content": " value: postgres", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: postgres", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 94, - "Content": "", - 
"IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV011", - "AVDID": "AVD-KSV-0011", - "Title": "CPU not limited", - "Description": "Enforcing CPU limits prevents DoS via resource exhaustion.", - "Message": "Container 'postgresql-migrate-lens' of Job 'postgresql-migrate-lens' should set 'resources.limits.cpu'", - "Namespace": "builtin.kubernetes.KSV011", - "Query": "data.builtin.kubernetes.KSV011.deny", - "Resolution": "Set a limit value under 'containers[].resources.limits.cpu'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv011", - "References": [ - "https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", - "https://avd.aquasec.com/misconfig/ksv011" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 123, - "EndLine": 148, - "Code": { - "Lines": [ - { - "Number": 123, - "Content": " - name: postgresql-migrate-lens", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-migrate-lens", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 124, - "Content": " image: quay.io/devtron/migrator:71748de9-149-11112", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/migrator:71748de9-149-11112", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 125, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 126, - "Content": " - name: SCRIPT_LOCATION", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: 
SCRIPT_LOCATION", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 127, - "Content": " value: scripts/sql/", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: scripts/sql/", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 128, - "Content": " - name: GIT_REPO_URL", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: GIT_REPO_URL", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 129, - "Content": " value: https://github.com/devtron-labs/lens.git", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: https://github.com/devtron-labs/lens.git", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 130, - "Content": " - name: DB_TYPE", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: DB_TYPE", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 131, - "Content": " value: postgres", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: postgres", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 132, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV011", - "AVDID": "AVD-KSV-0011", - "Title": "CPU not limited", - "Description": "Enforcing CPU limits prevents DoS via resource exhaustion.", - "Message": "Container 'postgresql-miscellaneous' of Job 'postgresql-miscellaneous' should set 'resources.limits.cpu'", - "Namespace": "builtin.kubernetes.KSV011", - "Query": "data.builtin.kubernetes.KSV011.deny", - "Resolution": "Set a limit value under 'containers[].resources.limits.cpu'.", - "Severity": "LOW", - "PrimaryURL": 
"https://avd.aquasec.com/misconfig/ksv011", - "References": [ - "https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", - "https://avd.aquasec.com/misconfig/ksv011" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 165, - "EndLine": 181, - "Code": { - "Lines": [ - { - "Number": 165, - "Content": " - name: postgresql-miscellaneous", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-miscellaneous", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 166, - "Content": " image: quay.io/devtron/postgres:11.9", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/postgres:11.9", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 167, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 168, - "Content": " - name: PGPASSWORD", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: PGPASSWORD", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 169, - "Content": " valueFrom:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalueFrom\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 170, - "Content": " secretKeyRef:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33msecretKeyRef\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 171, - "Content": " name: postgresql-postgresql", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mname\u001b[0m: postgresql-postgresql", 
- "FirstCause": false, - "LastCause": false - }, - { - "Number": 172, - "Content": " key: postgresql-password", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mkey\u001b[0m: postgresql-password", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 173, - "Content": " - name: PGHOST", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: PGHOST", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 174, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV012", - "AVDID": "AVD-KSV-0012", - "Title": "Runs as root user", - "Description": "Force the running image to run as a non-root user to ensure least privileges.", - "Message": "Container 'postgresql-migrate-casbin' of Job 'postgresql-migrate-casbin' should set 'securityContext.runAsNonRoot' to true", - "Namespace": "builtin.kubernetes.KSV012", - "Query": "data.builtin.kubernetes.KSV012.deny", - "Resolution": "Set 'containers[].securityContext.runAsNonRoot' to true.", - "Severity": "MEDIUM", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv012", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", - "https://avd.aquasec.com/misconfig/ksv012" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 47, - "EndLine": 72, - "Code": { - "Lines": [ - { - "Number": 47, - "Content": " - name: postgresql-migrate-casbin", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-migrate-casbin", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 48, - "Content": " image: quay.io/devtron/migrator:71748de9-149-11112", - "IsCause": true, - "Annotation": "", - 
"Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/migrator:71748de9-149-11112", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 49, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 50, - "Content": " - name: SCRIPT_LOCATION", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: SCRIPT_LOCATION", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 51, - "Content": " value: scripts/casbin/", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: scripts/casbin/", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 52, - "Content": " - name: GIT_REPO_URL", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: GIT_REPO_URL", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 53, - "Content": " value: https://github.com/devtron-labs/devtron.git", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: https://github.com/devtron-labs/devtron.git", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 54, - "Content": " - name: DB_TYPE", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: DB_TYPE", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 55, - "Content": " value: postgres", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: postgres", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 56, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": 
"Kubernetes Security Check", - "ID": "KSV012", - "AVDID": "AVD-KSV-0012", - "Title": "Runs as root user", - "Description": "Force the running image to run as a non-root user to ensure least privileges.", - "Message": "Container 'postgresql-migrate-devtron' of Job 'postgresql-migrate-devtron' should set 'securityContext.runAsNonRoot' to true", - "Namespace": "builtin.kubernetes.KSV012", - "Query": "data.builtin.kubernetes.KSV012.deny", - "Resolution": "Set 'containers[].securityContext.runAsNonRoot' to true.", - "Severity": "MEDIUM", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv012", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", - "https://avd.aquasec.com/misconfig/ksv012" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 9, - "EndLine": 34, - "Code": { - "Lines": [ - { - "Number": 9, - "Content": " - name: postgresql-migrate-devtron", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-migrate-devtron", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 10, - "Content": " image: quay.io/devtron/migrator:71748de9-149-11112", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/migrator:71748de9-149-11112", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 11, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 12, - "Content": " - name: GIT_BRANCH", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: GIT_BRANCH", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 13, - "Content": " value: main", - "IsCause": true, - "Annotation": "", - 
"Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: main", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 14, - "Content": " - name: SCRIPT_LOCATION", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: SCRIPT_LOCATION", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 15, - "Content": " value: scripts/sql/", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: scripts/sql/", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 16, - "Content": " - name: GIT_REPO_URL", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: GIT_REPO_URL", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 17, - "Content": " value: https://github.com/devtron-labs/devtron.git", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: https://github.com/devtron-labs/devtron.git", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 18, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV012", - "AVDID": "AVD-KSV-0012", - "Title": "Runs as root user", - "Description": "Force the running image to run as a non-root user to ensure least privileges.", - "Message": "Container 'postgresql-migrate-gitsensor' of Job 'postgresql-migrate-gitsensor' should set 'securityContext.runAsNonRoot' to true", - "Namespace": "builtin.kubernetes.KSV012", - "Query": "data.builtin.kubernetes.KSV012.deny", - "Resolution": "Set 'containers[].securityContext.runAsNonRoot' to true.", - "Severity": "MEDIUM", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv012", - "References": [ - 
"https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", - "https://avd.aquasec.com/misconfig/ksv012" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 85, - "EndLine": 110, - "Code": { - "Lines": [ - { - "Number": 85, - "Content": " - name: postgresql-migrate-gitsensor", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-migrate-gitsensor", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 86, - "Content": " image: quay.io/devtron/migrator:71748de9-149-11112", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/migrator:71748de9-149-11112", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 87, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 88, - "Content": " - name: SCRIPT_LOCATION", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: SCRIPT_LOCATION", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 89, - "Content": " value: scripts/sql/", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: scripts/sql/", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 90, - "Content": " - name: GIT_REPO_URL", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: GIT_REPO_URL", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 91, - "Content": " value: https://github.com/devtron-labs/git-sensor.git", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: 
https://github.com/devtron-labs/git-sensor.git", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 92, - "Content": " - name: DB_TYPE", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: DB_TYPE", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 93, - "Content": " value: postgres", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: postgres", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 94, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV012", - "AVDID": "AVD-KSV-0012", - "Title": "Runs as root user", - "Description": "Force the running image to run as a non-root user to ensure least privileges.", - "Message": "Container 'postgresql-migrate-lens' of Job 'postgresql-migrate-lens' should set 'securityContext.runAsNonRoot' to true", - "Namespace": "builtin.kubernetes.KSV012", - "Query": "data.builtin.kubernetes.KSV012.deny", - "Resolution": "Set 'containers[].securityContext.runAsNonRoot' to true.", - "Severity": "MEDIUM", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv012", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", - "https://avd.aquasec.com/misconfig/ksv012" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 123, - "EndLine": 148, - "Code": { - "Lines": [ - { - "Number": 123, - "Content": " - name: postgresql-migrate-lens", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-migrate-lens", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 124, - "Content": " image: quay.io/devtron/migrator:71748de9-149-11112", - "IsCause": 
true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/migrator:71748de9-149-11112", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 125, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 126, - "Content": " - name: SCRIPT_LOCATION", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: SCRIPT_LOCATION", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 127, - "Content": " value: scripts/sql/", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: scripts/sql/", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 128, - "Content": " - name: GIT_REPO_URL", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: GIT_REPO_URL", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 129, - "Content": " value: https://github.com/devtron-labs/lens.git", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: https://github.com/devtron-labs/lens.git", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 130, - "Content": " - name: DB_TYPE", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: DB_TYPE", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 131, - "Content": " value: postgres", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: postgres", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 132, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - 
} - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV012", - "AVDID": "AVD-KSV-0012", - "Title": "Runs as root user", - "Description": "Force the running image to run as a non-root user to ensure least privileges.", - "Message": "Container 'postgresql-miscellaneous' of Job 'postgresql-miscellaneous' should set 'securityContext.runAsNonRoot' to true", - "Namespace": "builtin.kubernetes.KSV012", - "Query": "data.builtin.kubernetes.KSV012.deny", - "Resolution": "Set 'containers[].securityContext.runAsNonRoot' to true.", - "Severity": "MEDIUM", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv012", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", - "https://avd.aquasec.com/misconfig/ksv012" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 165, - "EndLine": 181, - "Code": { - "Lines": [ - { - "Number": 165, - "Content": " - name: postgresql-miscellaneous", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-miscellaneous", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 166, - "Content": " image: quay.io/devtron/postgres:11.9", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/postgres:11.9", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 167, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 168, - "Content": " - name: PGPASSWORD", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: PGPASSWORD", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 169, - "Content": " valueFrom:", - "IsCause": true, - "Annotation": "", - 
"Truncated": false, - "Highlighted": " \u001b[38;5;33mvalueFrom\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 170, - "Content": " secretKeyRef:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33msecretKeyRef\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 171, - "Content": " name: postgresql-postgresql", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mname\u001b[0m: postgresql-postgresql", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 172, - "Content": " key: postgresql-password", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mkey\u001b[0m: postgresql-password", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 173, - "Content": " - name: PGHOST", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: PGHOST", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 174, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV014", - "AVDID": "AVD-KSV-0014", - "Title": "Root file system is not read-only", - "Description": "An immutable root file system prevents applications from writing to their local disk. 
This can limit intrusions, as attackers will not be able to tamper with the file system or write foreign executables to disk.", - "Message": "Container 'postgresql-migrate-casbin' of Job 'postgresql-migrate-casbin' should set 'securityContext.readOnlyRootFilesystem' to true", - "Namespace": "builtin.kubernetes.KSV014", - "Query": "data.builtin.kubernetes.KSV014.deny", - "Resolution": "Change 'containers[].securityContext.readOnlyRootFilesystem' to 'true'.", - "Severity": "HIGH", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv014", - "References": [ - "https://kubesec.io/basics/containers-securitycontext-readonlyrootfilesystem-true/", - "https://avd.aquasec.com/misconfig/ksv014" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 47, - "EndLine": 72, - "Code": { - "Lines": [ - { - "Number": 47, - "Content": " - name: postgresql-migrate-casbin", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-migrate-casbin", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 48, - "Content": " image: quay.io/devtron/migrator:71748de9-149-11112", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/migrator:71748de9-149-11112", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 49, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 50, - "Content": " - name: SCRIPT_LOCATION", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: SCRIPT_LOCATION", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 51, - "Content": " value: scripts/casbin/", - "IsCause": true, - "Annotation": "", - "Truncated": false, - 
"Highlighted": " \u001b[38;5;33mvalue\u001b[0m: scripts/casbin/", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 52, - "Content": " - name: GIT_REPO_URL", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: GIT_REPO_URL", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 53, - "Content": " value: https://github.com/devtron-labs/devtron.git", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: https://github.com/devtron-labs/devtron.git", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 54, - "Content": " - name: DB_TYPE", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: DB_TYPE", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 55, - "Content": " value: postgres", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: postgres", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 56, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV014", - "AVDID": "AVD-KSV-0014", - "Title": "Root file system is not read-only", - "Description": "An immutable root file system prevents applications from writing to their local disk. 
This can limit intrusions, as attackers will not be able to tamper with the file system or write foreign executables to disk.", - "Message": "Container 'postgresql-migrate-devtron' of Job 'postgresql-migrate-devtron' should set 'securityContext.readOnlyRootFilesystem' to true", - "Namespace": "builtin.kubernetes.KSV014", - "Query": "data.builtin.kubernetes.KSV014.deny", - "Resolution": "Change 'containers[].securityContext.readOnlyRootFilesystem' to 'true'.", - "Severity": "HIGH", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv014", - "References": [ - "https://kubesec.io/basics/containers-securitycontext-readonlyrootfilesystem-true/", - "https://avd.aquasec.com/misconfig/ksv014" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 9, - "EndLine": 34, - "Code": { - "Lines": [ - { - "Number": 9, - "Content": " - name: postgresql-migrate-devtron", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-migrate-devtron", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 10, - "Content": " image: quay.io/devtron/migrator:71748de9-149-11112", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/migrator:71748de9-149-11112", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 11, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 12, - "Content": " - name: GIT_BRANCH", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: GIT_BRANCH", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 13, - "Content": " value: main", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " 
\u001b[38;5;33mvalue\u001b[0m: main", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 14, - "Content": " - name: SCRIPT_LOCATION", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: SCRIPT_LOCATION", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 15, - "Content": " value: scripts/sql/", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: scripts/sql/", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 16, - "Content": " - name: GIT_REPO_URL", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: GIT_REPO_URL", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 17, - "Content": " value: https://github.com/devtron-labs/devtron.git", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: https://github.com/devtron-labs/devtron.git", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 18, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV014", - "AVDID": "AVD-KSV-0014", - "Title": "Root file system is not read-only", - "Description": "An immutable root file system prevents applications from writing to their local disk. 
This can limit intrusions, as attackers will not be able to tamper with the file system or write foreign executables to disk.", - "Message": "Container 'postgresql-migrate-gitsensor' of Job 'postgresql-migrate-gitsensor' should set 'securityContext.readOnlyRootFilesystem' to true", - "Namespace": "builtin.kubernetes.KSV014", - "Query": "data.builtin.kubernetes.KSV014.deny", - "Resolution": "Change 'containers[].securityContext.readOnlyRootFilesystem' to 'true'.", - "Severity": "HIGH", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv014", - "References": [ - "https://kubesec.io/basics/containers-securitycontext-readonlyrootfilesystem-true/", - "https://avd.aquasec.com/misconfig/ksv014" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 85, - "EndLine": 110, - "Code": { - "Lines": [ - { - "Number": 85, - "Content": " - name: postgresql-migrate-gitsensor", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-migrate-gitsensor", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 86, - "Content": " image: quay.io/devtron/migrator:71748de9-149-11112", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/migrator:71748de9-149-11112", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 87, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 88, - "Content": " - name: SCRIPT_LOCATION", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: SCRIPT_LOCATION", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 89, - "Content": " value: scripts/sql/", - "IsCause": true, - "Annotation": "", - "Truncated": false, - 
"Highlighted": " \u001b[38;5;33mvalue\u001b[0m: scripts/sql/", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 90, - "Content": " - name: GIT_REPO_URL", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: GIT_REPO_URL", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 91, - "Content": " value: https://github.com/devtron-labs/git-sensor.git", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: https://github.com/devtron-labs/git-sensor.git", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 92, - "Content": " - name: DB_TYPE", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: DB_TYPE", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 93, - "Content": " value: postgres", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: postgres", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 94, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV014", - "AVDID": "AVD-KSV-0014", - "Title": "Root file system is not read-only", - "Description": "An immutable root file system prevents applications from writing to their local disk. 
This can limit intrusions, as attackers will not be able to tamper with the file system or write foreign executables to disk.", - "Message": "Container 'postgresql-migrate-lens' of Job 'postgresql-migrate-lens' should set 'securityContext.readOnlyRootFilesystem' to true", - "Namespace": "builtin.kubernetes.KSV014", - "Query": "data.builtin.kubernetes.KSV014.deny", - "Resolution": "Change 'containers[].securityContext.readOnlyRootFilesystem' to 'true'.", - "Severity": "HIGH", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv014", - "References": [ - "https://kubesec.io/basics/containers-securitycontext-readonlyrootfilesystem-true/", - "https://avd.aquasec.com/misconfig/ksv014" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 123, - "EndLine": 148, - "Code": { - "Lines": [ - { - "Number": 123, - "Content": " - name: postgresql-migrate-lens", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-migrate-lens", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 124, - "Content": " image: quay.io/devtron/migrator:71748de9-149-11112", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/migrator:71748de9-149-11112", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 125, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 126, - "Content": " - name: SCRIPT_LOCATION", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: SCRIPT_LOCATION", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 127, - "Content": " value: scripts/sql/", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " 
\u001b[38;5;33mvalue\u001b[0m: scripts/sql/", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 128, - "Content": " - name: GIT_REPO_URL", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: GIT_REPO_URL", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 129, - "Content": " value: https://github.com/devtron-labs/lens.git", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: https://github.com/devtron-labs/lens.git", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 130, - "Content": " - name: DB_TYPE", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: DB_TYPE", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 131, - "Content": " value: postgres", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: postgres", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 132, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV014", - "AVDID": "AVD-KSV-0014", - "Title": "Root file system is not read-only", - "Description": "An immutable root file system prevents applications from writing to their local disk. 
This can limit intrusions, as attackers will not be able to tamper with the file system or write foreign executables to disk.", - "Message": "Container 'postgresql-miscellaneous' of Job 'postgresql-miscellaneous' should set 'securityContext.readOnlyRootFilesystem' to true", - "Namespace": "builtin.kubernetes.KSV014", - "Query": "data.builtin.kubernetes.KSV014.deny", - "Resolution": "Change 'containers[].securityContext.readOnlyRootFilesystem' to 'true'.", - "Severity": "HIGH", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv014", - "References": [ - "https://kubesec.io/basics/containers-securitycontext-readonlyrootfilesystem-true/", - "https://avd.aquasec.com/misconfig/ksv014" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 165, - "EndLine": 181, - "Code": { - "Lines": [ - { - "Number": 165, - "Content": " - name: postgresql-miscellaneous", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-miscellaneous", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 166, - "Content": " image: quay.io/devtron/postgres:11.9", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/postgres:11.9", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 167, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 168, - "Content": " - name: PGPASSWORD", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: PGPASSWORD", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 169, - "Content": " valueFrom:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalueFrom\u001b[0m:", - 
"FirstCause": false, - "LastCause": false - }, - { - "Number": 170, - "Content": " secretKeyRef:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33msecretKeyRef\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 171, - "Content": " name: postgresql-postgresql", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mname\u001b[0m: postgresql-postgresql", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 172, - "Content": " key: postgresql-password", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mkey\u001b[0m: postgresql-password", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 173, - "Content": " - name: PGHOST", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: PGHOST", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 174, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV015", - "AVDID": "AVD-KSV-0015", - "Title": "CPU requests not specified", - "Description": "When containers have resource requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", - "Message": "Container 'postgresql-migrate-casbin' of Job 'postgresql-migrate-casbin' should set 'resources.requests.cpu'", - "Namespace": "builtin.kubernetes.KSV015", - "Query": "data.builtin.kubernetes.KSV015.deny", - "Resolution": "Set 'containers[].resources.requests.cpu'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv015", - "References": [ - "https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", - 
"https://avd.aquasec.com/misconfig/ksv015" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 47, - "EndLine": 72, - "Code": { - "Lines": [ - { - "Number": 47, - "Content": " - name: postgresql-migrate-casbin", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-migrate-casbin", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 48, - "Content": " image: quay.io/devtron/migrator:71748de9-149-11112", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/migrator:71748de9-149-11112", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 49, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 50, - "Content": " - name: SCRIPT_LOCATION", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: SCRIPT_LOCATION", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 51, - "Content": " value: scripts/casbin/", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: scripts/casbin/", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 52, - "Content": " - name: GIT_REPO_URL", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: GIT_REPO_URL", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 53, - "Content": " value: https://github.com/devtron-labs/devtron.git", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: https://github.com/devtron-labs/devtron.git", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 54, - 
"Content": " - name: DB_TYPE", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: DB_TYPE", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 55, - "Content": " value: postgres", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: postgres", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 56, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV015", - "AVDID": "AVD-KSV-0015", - "Title": "CPU requests not specified", - "Description": "When containers have resource requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", - "Message": "Container 'postgresql-migrate-devtron' of Job 'postgresql-migrate-devtron' should set 'resources.requests.cpu'", - "Namespace": "builtin.kubernetes.KSV015", - "Query": "data.builtin.kubernetes.KSV015.deny", - "Resolution": "Set 'containers[].resources.requests.cpu'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv015", - "References": [ - "https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", - "https://avd.aquasec.com/misconfig/ksv015" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 9, - "EndLine": 34, - "Code": { - "Lines": [ - { - "Number": 9, - "Content": " - name: postgresql-migrate-devtron", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-migrate-devtron", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 10, - "Content": " image: quay.io/devtron/migrator:71748de9-149-11112", - "IsCause": true, - 
"Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/migrator:71748de9-149-11112", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 11, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 12, - "Content": " - name: GIT_BRANCH", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: GIT_BRANCH", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 13, - "Content": " value: main", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: main", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 14, - "Content": " - name: SCRIPT_LOCATION", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: SCRIPT_LOCATION", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 15, - "Content": " value: scripts/sql/", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: scripts/sql/", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 16, - "Content": " - name: GIT_REPO_URL", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: GIT_REPO_URL", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 17, - "Content": " value: https://github.com/devtron-labs/devtron.git", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: https://github.com/devtron-labs/devtron.git", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 18, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { 
- "Type": "Kubernetes Security Check", - "ID": "KSV015", - "AVDID": "AVD-KSV-0015", - "Title": "CPU requests not specified", - "Description": "When containers have resource requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", - "Message": "Container 'postgresql-migrate-gitsensor' of Job 'postgresql-migrate-gitsensor' should set 'resources.requests.cpu'", - "Namespace": "builtin.kubernetes.KSV015", - "Query": "data.builtin.kubernetes.KSV015.deny", - "Resolution": "Set 'containers[].resources.requests.cpu'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv015", - "References": [ - "https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", - "https://avd.aquasec.com/misconfig/ksv015" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 85, - "EndLine": 110, - "Code": { - "Lines": [ - { - "Number": 85, - "Content": " - name: postgresql-migrate-gitsensor", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-migrate-gitsensor", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 86, - "Content": " image: quay.io/devtron/migrator:71748de9-149-11112", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/migrator:71748de9-149-11112", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 87, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 88, - "Content": " - name: SCRIPT_LOCATION", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: SCRIPT_LOCATION", - 
"FirstCause": false, - "LastCause": false - }, - { - "Number": 89, - "Content": " value: scripts/sql/", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: scripts/sql/", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 90, - "Content": " - name: GIT_REPO_URL", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: GIT_REPO_URL", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 91, - "Content": " value: https://github.com/devtron-labs/git-sensor.git", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: https://github.com/devtron-labs/git-sensor.git", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 92, - "Content": " - name: DB_TYPE", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: DB_TYPE", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 93, - "Content": " value: postgres", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: postgres", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 94, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV015", - "AVDID": "AVD-KSV-0015", - "Title": "CPU requests not specified", - "Description": "When containers have resource requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", - "Message": "Container 'postgresql-migrate-lens' of Job 'postgresql-migrate-lens' should set 'resources.requests.cpu'", - "Namespace": "builtin.kubernetes.KSV015", - "Query": "data.builtin.kubernetes.KSV015.deny", - "Resolution": "Set 
'containers[].resources.requests.cpu'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv015", - "References": [ - "https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", - "https://avd.aquasec.com/misconfig/ksv015" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 123, - "EndLine": 148, - "Code": { - "Lines": [ - { - "Number": 123, - "Content": " - name: postgresql-migrate-lens", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-migrate-lens", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 124, - "Content": " image: quay.io/devtron/migrator:71748de9-149-11112", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/migrator:71748de9-149-11112", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 125, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 126, - "Content": " - name: SCRIPT_LOCATION", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: SCRIPT_LOCATION", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 127, - "Content": " value: scripts/sql/", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: scripts/sql/", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 128, - "Content": " - name: GIT_REPO_URL", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: GIT_REPO_URL", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 129, - "Content": " value: 
https://github.com/devtron-labs/lens.git", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: https://github.com/devtron-labs/lens.git", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 130, - "Content": " - name: DB_TYPE", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: DB_TYPE", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 131, - "Content": " value: postgres", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: postgres", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 132, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV015", - "AVDID": "AVD-KSV-0015", - "Title": "CPU requests not specified", - "Description": "When containers have resource requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", - "Message": "Container 'postgresql-miscellaneous' of Job 'postgresql-miscellaneous' should set 'resources.requests.cpu'", - "Namespace": "builtin.kubernetes.KSV015", - "Query": "data.builtin.kubernetes.KSV015.deny", - "Resolution": "Set 'containers[].resources.requests.cpu'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv015", - "References": [ - "https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", - "https://avd.aquasec.com/misconfig/ksv015" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 165, - "EndLine": 181, - "Code": { - "Lines": [ - { - "Number": 165, - "Content": " - name: postgresql-miscellaneous", - "IsCause": true, - 
"Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-miscellaneous", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 166, - "Content": " image: quay.io/devtron/postgres:11.9", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/postgres:11.9", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 167, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 168, - "Content": " - name: PGPASSWORD", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: PGPASSWORD", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 169, - "Content": " valueFrom:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalueFrom\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 170, - "Content": " secretKeyRef:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33msecretKeyRef\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 171, - "Content": " name: postgresql-postgresql", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mname\u001b[0m: postgresql-postgresql", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 172, - "Content": " key: postgresql-password", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mkey\u001b[0m: postgresql-password", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 173, - "Content": " - name: PGHOST", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: PGHOST", - "FirstCause": false, - 
"LastCause": true - }, - { - "Number": 174, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV016", - "AVDID": "AVD-KSV-0016", - "Title": "Memory requests not specified", - "Description": "When containers have memory requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", - "Message": "Container 'postgresql-migrate-casbin' of Job 'postgresql-migrate-casbin' should set 'resources.requests.memory'", - "Namespace": "builtin.kubernetes.KSV016", - "Query": "data.builtin.kubernetes.KSV016.deny", - "Resolution": "Set 'containers[].resources.requests.memory'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv016", - "References": [ - "https://kubesec.io/basics/containers-resources-limits-memory/", - "https://avd.aquasec.com/misconfig/ksv016" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 47, - "EndLine": 72, - "Code": { - "Lines": [ - { - "Number": 47, - "Content": " - name: postgresql-migrate-casbin", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-migrate-casbin", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 48, - "Content": " image: quay.io/devtron/migrator:71748de9-149-11112", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/migrator:71748de9-149-11112", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 49, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 50, - "Content": " - name: SCRIPT_LOCATION", - 
"IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: SCRIPT_LOCATION", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 51, - "Content": " value: scripts/casbin/", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: scripts/casbin/", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 52, - "Content": " - name: GIT_REPO_URL", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: GIT_REPO_URL", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 53, - "Content": " value: https://github.com/devtron-labs/devtron.git", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: https://github.com/devtron-labs/devtron.git", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 54, - "Content": " - name: DB_TYPE", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: DB_TYPE", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 55, - "Content": " value: postgres", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: postgres", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 56, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV016", - "AVDID": "AVD-KSV-0016", - "Title": "Memory requests not specified", - "Description": "When containers have memory requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", - "Message": "Container 'postgresql-migrate-devtron' of Job 'postgresql-migrate-devtron' should set 
'resources.requests.memory'", - "Namespace": "builtin.kubernetes.KSV016", - "Query": "data.builtin.kubernetes.KSV016.deny", - "Resolution": "Set 'containers[].resources.requests.memory'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv016", - "References": [ - "https://kubesec.io/basics/containers-resources-limits-memory/", - "https://avd.aquasec.com/misconfig/ksv016" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 9, - "EndLine": 34, - "Code": { - "Lines": [ - { - "Number": 9, - "Content": " - name: postgresql-migrate-devtron", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-migrate-devtron", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 10, - "Content": " image: quay.io/devtron/migrator:71748de9-149-11112", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/migrator:71748de9-149-11112", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 11, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 12, - "Content": " - name: GIT_BRANCH", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: GIT_BRANCH", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 13, - "Content": " value: main", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: main", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 14, - "Content": " - name: SCRIPT_LOCATION", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: SCRIPT_LOCATION", - "FirstCause": false, - 
"LastCause": false - }, - { - "Number": 15, - "Content": " value: scripts/sql/", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: scripts/sql/", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 16, - "Content": " - name: GIT_REPO_URL", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: GIT_REPO_URL", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 17, - "Content": " value: https://github.com/devtron-labs/devtron.git", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: https://github.com/devtron-labs/devtron.git", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 18, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV016", - "AVDID": "AVD-KSV-0016", - "Title": "Memory requests not specified", - "Description": "When containers have memory requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", - "Message": "Container 'postgresql-migrate-gitsensor' of Job 'postgresql-migrate-gitsensor' should set 'resources.requests.memory'", - "Namespace": "builtin.kubernetes.KSV016", - "Query": "data.builtin.kubernetes.KSV016.deny", - "Resolution": "Set 'containers[].resources.requests.memory'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv016", - "References": [ - "https://kubesec.io/basics/containers-resources-limits-memory/", - "https://avd.aquasec.com/misconfig/ksv016" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 85, - "EndLine": 110, - "Code": { - "Lines": [ - { - "Number": 85, - "Content": " - name: 
postgresql-migrate-gitsensor", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-migrate-gitsensor", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 86, - "Content": " image: quay.io/devtron/migrator:71748de9-149-11112", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/migrator:71748de9-149-11112", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 87, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 88, - "Content": " - name: SCRIPT_LOCATION", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: SCRIPT_LOCATION", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 89, - "Content": " value: scripts/sql/", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: scripts/sql/", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 90, - "Content": " - name: GIT_REPO_URL", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: GIT_REPO_URL", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 91, - "Content": " value: https://github.com/devtron-labs/git-sensor.git", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: https://github.com/devtron-labs/git-sensor.git", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 92, - "Content": " - name: DB_TYPE", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: DB_TYPE", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 93, - "Content": " value: 
postgres", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: postgres", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 94, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV016", - "AVDID": "AVD-KSV-0016", - "Title": "Memory requests not specified", - "Description": "When containers have memory requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", - "Message": "Container 'postgresql-migrate-lens' of Job 'postgresql-migrate-lens' should set 'resources.requests.memory'", - "Namespace": "builtin.kubernetes.KSV016", - "Query": "data.builtin.kubernetes.KSV016.deny", - "Resolution": "Set 'containers[].resources.requests.memory'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv016", - "References": [ - "https://kubesec.io/basics/containers-resources-limits-memory/", - "https://avd.aquasec.com/misconfig/ksv016" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 123, - "EndLine": 148, - "Code": { - "Lines": [ - { - "Number": 123, - "Content": " - name: postgresql-migrate-lens", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-migrate-lens", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 124, - "Content": " image: quay.io/devtron/migrator:71748de9-149-11112", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/migrator:71748de9-149-11112", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 125, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - 
"Highlighted": " \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 126, - "Content": " - name: SCRIPT_LOCATION", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: SCRIPT_LOCATION", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 127, - "Content": " value: scripts/sql/", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: scripts/sql/", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 128, - "Content": " - name: GIT_REPO_URL", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: GIT_REPO_URL", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 129, - "Content": " value: https://github.com/devtron-labs/lens.git", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: https://github.com/devtron-labs/lens.git", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 130, - "Content": " - name: DB_TYPE", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: DB_TYPE", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 131, - "Content": " value: postgres", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: postgres", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 132, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV016", - "AVDID": "AVD-KSV-0016", - "Title": "Memory requests not specified", - "Description": "When containers have memory requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal 
with resource contention.", - "Message": "Container 'postgresql-miscellaneous' of Job 'postgresql-miscellaneous' should set 'resources.requests.memory'", - "Namespace": "builtin.kubernetes.KSV016", - "Query": "data.builtin.kubernetes.KSV016.deny", - "Resolution": "Set 'containers[].resources.requests.memory'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv016", - "References": [ - "https://kubesec.io/basics/containers-resources-limits-memory/", - "https://avd.aquasec.com/misconfig/ksv016" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 165, - "EndLine": 181, - "Code": { - "Lines": [ - { - "Number": 165, - "Content": " - name: postgresql-miscellaneous", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-miscellaneous", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 166, - "Content": " image: quay.io/devtron/postgres:11.9", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/postgres:11.9", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 167, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 168, - "Content": " - name: PGPASSWORD", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: PGPASSWORD", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 169, - "Content": " valueFrom:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalueFrom\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 170, - "Content": " secretKeyRef:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - 
"Highlighted": " \u001b[38;5;33msecretKeyRef\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 171, - "Content": " name: postgresql-postgresql", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mname\u001b[0m: postgresql-postgresql", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 172, - "Content": " key: postgresql-password", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mkey\u001b[0m: postgresql-password", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 173, - "Content": " - name: PGHOST", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: PGHOST", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 174, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV018", - "AVDID": "AVD-KSV-0018", - "Title": "Memory not limited", - "Description": "Enforcing memory limits prevents DoS via resource exhaustion.", - "Message": "Container 'postgresql-migrate-casbin' of Job 'postgresql-migrate-casbin' should set 'resources.limits.memory'", - "Namespace": "builtin.kubernetes.KSV018", - "Query": "data.builtin.kubernetes.KSV018.deny", - "Resolution": "Set a limit value under 'containers[].resources.limits.memory'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv018", - "References": [ - "https://kubesec.io/basics/containers-resources-limits-memory/", - "https://avd.aquasec.com/misconfig/ksv018" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 47, - "EndLine": 72, - "Code": { - "Lines": [ - { - "Number": 47, - "Content": " - name: postgresql-migrate-casbin", - "IsCause": true, - "Annotation": "", - "Truncated": 
false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-migrate-casbin", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 48, - "Content": " image: quay.io/devtron/migrator:71748de9-149-11112", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/migrator:71748de9-149-11112", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 49, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 50, - "Content": " - name: SCRIPT_LOCATION", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: SCRIPT_LOCATION", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 51, - "Content": " value: scripts/casbin/", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: scripts/casbin/", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 52, - "Content": " - name: GIT_REPO_URL", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: GIT_REPO_URL", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 53, - "Content": " value: https://github.com/devtron-labs/devtron.git", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: https://github.com/devtron-labs/devtron.git", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 54, - "Content": " - name: DB_TYPE", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: DB_TYPE", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 55, - "Content": " value: postgres", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " 
\u001b[38;5;33mvalue\u001b[0m: postgres", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 56, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV018", - "AVDID": "AVD-KSV-0018", - "Title": "Memory not limited", - "Description": "Enforcing memory limits prevents DoS via resource exhaustion.", - "Message": "Container 'postgresql-migrate-devtron' of Job 'postgresql-migrate-devtron' should set 'resources.limits.memory'", - "Namespace": "builtin.kubernetes.KSV018", - "Query": "data.builtin.kubernetes.KSV018.deny", - "Resolution": "Set a limit value under 'containers[].resources.limits.memory'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv018", - "References": [ - "https://kubesec.io/basics/containers-resources-limits-memory/", - "https://avd.aquasec.com/misconfig/ksv018" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 9, - "EndLine": 34, - "Code": { - "Lines": [ - { - "Number": 9, - "Content": " - name: postgresql-migrate-devtron", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-migrate-devtron", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 10, - "Content": " image: quay.io/devtron/migrator:71748de9-149-11112", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/migrator:71748de9-149-11112", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 11, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 12, - "Content": " - name: GIT_BRANCH", - "IsCause": true, - "Annotation": "", - 
"Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: GIT_BRANCH", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 13, - "Content": " value: main", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: main", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 14, - "Content": " - name: SCRIPT_LOCATION", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: SCRIPT_LOCATION", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 15, - "Content": " value: scripts/sql/", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: scripts/sql/", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 16, - "Content": " - name: GIT_REPO_URL", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: GIT_REPO_URL", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 17, - "Content": " value: https://github.com/devtron-labs/devtron.git", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: https://github.com/devtron-labs/devtron.git", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 18, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV018", - "AVDID": "AVD-KSV-0018", - "Title": "Memory not limited", - "Description": "Enforcing memory limits prevents DoS via resource exhaustion.", - "Message": "Container 'postgresql-migrate-gitsensor' of Job 'postgresql-migrate-gitsensor' should set 'resources.limits.memory'", - "Namespace": "builtin.kubernetes.KSV018", - "Query": "data.builtin.kubernetes.KSV018.deny", - "Resolution": "Set a limit value under 
'containers[].resources.limits.memory'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv018", - "References": [ - "https://kubesec.io/basics/containers-resources-limits-memory/", - "https://avd.aquasec.com/misconfig/ksv018" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 85, - "EndLine": 110, - "Code": { - "Lines": [ - { - "Number": 85, - "Content": " - name: postgresql-migrate-gitsensor", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-migrate-gitsensor", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 86, - "Content": " image: quay.io/devtron/migrator:71748de9-149-11112", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/migrator:71748de9-149-11112", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 87, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 88, - "Content": " - name: SCRIPT_LOCATION", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: SCRIPT_LOCATION", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 89, - "Content": " value: scripts/sql/", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: scripts/sql/", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 90, - "Content": " - name: GIT_REPO_URL", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: GIT_REPO_URL", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 91, - "Content": " value: https://github.com/devtron-labs/git-sensor.git", - "IsCause": 
true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: https://github.com/devtron-labs/git-sensor.git", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 92, - "Content": " - name: DB_TYPE", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: DB_TYPE", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 93, - "Content": " value: postgres", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: postgres", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 94, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV018", - "AVDID": "AVD-KSV-0018", - "Title": "Memory not limited", - "Description": "Enforcing memory limits prevents DoS via resource exhaustion.", - "Message": "Container 'postgresql-migrate-lens' of Job 'postgresql-migrate-lens' should set 'resources.limits.memory'", - "Namespace": "builtin.kubernetes.KSV018", - "Query": "data.builtin.kubernetes.KSV018.deny", - "Resolution": "Set a limit value under 'containers[].resources.limits.memory'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv018", - "References": [ - "https://kubesec.io/basics/containers-resources-limits-memory/", - "https://avd.aquasec.com/misconfig/ksv018" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 123, - "EndLine": 148, - "Code": { - "Lines": [ - { - "Number": 123, - "Content": " - name: postgresql-migrate-lens", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-migrate-lens", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 124, - "Content": " image: 
quay.io/devtron/migrator:71748de9-149-11112", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/migrator:71748de9-149-11112", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 125, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 126, - "Content": " - name: SCRIPT_LOCATION", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: SCRIPT_LOCATION", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 127, - "Content": " value: scripts/sql/", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: scripts/sql/", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 128, - "Content": " - name: GIT_REPO_URL", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: GIT_REPO_URL", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 129, - "Content": " value: https://github.com/devtron-labs/lens.git", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: https://github.com/devtron-labs/lens.git", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 130, - "Content": " - name: DB_TYPE", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: DB_TYPE", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 131, - "Content": " value: postgres", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: postgres", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 132, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": 
true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV018", - "AVDID": "AVD-KSV-0018", - "Title": "Memory not limited", - "Description": "Enforcing memory limits prevents DoS via resource exhaustion.", - "Message": "Container 'postgresql-miscellaneous' of Job 'postgresql-miscellaneous' should set 'resources.limits.memory'", - "Namespace": "builtin.kubernetes.KSV018", - "Query": "data.builtin.kubernetes.KSV018.deny", - "Resolution": "Set a limit value under 'containers[].resources.limits.memory'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv018", - "References": [ - "https://kubesec.io/basics/containers-resources-limits-memory/", - "https://avd.aquasec.com/misconfig/ksv018" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 165, - "EndLine": 181, - "Code": { - "Lines": [ - { - "Number": 165, - "Content": " - name: postgresql-miscellaneous", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-miscellaneous", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 166, - "Content": " image: quay.io/devtron/postgres:11.9", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/postgres:11.9", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 167, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 168, - "Content": " - name: PGPASSWORD", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: PGPASSWORD", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 169, - "Content": " valueFrom:", - "IsCause": true, - 
"Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalueFrom\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 170, - "Content": " secretKeyRef:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33msecretKeyRef\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 171, - "Content": " name: postgresql-postgresql", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mname\u001b[0m: postgresql-postgresql", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 172, - "Content": " key: postgresql-password", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mkey\u001b[0m: postgresql-password", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 173, - "Content": " - name: PGHOST", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: PGHOST", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 174, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV020", - "AVDID": "AVD-KSV-0020", - "Title": "Runs with UID \u003c= 10000", - "Description": "Force the container to run with user ID \u003e 10000 to avoid conflicts with the host’s user table.", - "Message": "Container 'postgresql-migrate-casbin' of Job 'postgresql-migrate-casbin' should set 'securityContext.runAsUser' \u003e 10000", - "Namespace": "builtin.kubernetes.KSV020", - "Query": "data.builtin.kubernetes.KSV020.deny", - "Resolution": "Set 'containers[].securityContext.runAsUser' to an integer \u003e 10000.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv020", - "References": [ - "https://kubesec.io/basics/containers-securitycontext-runasuser/", - 
"https://avd.aquasec.com/misconfig/ksv020" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 47, - "EndLine": 72, - "Code": { - "Lines": [ - { - "Number": 47, - "Content": " - name: postgresql-migrate-casbin", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-migrate-casbin", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 48, - "Content": " image: quay.io/devtron/migrator:71748de9-149-11112", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/migrator:71748de9-149-11112", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 49, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 50, - "Content": " - name: SCRIPT_LOCATION", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: SCRIPT_LOCATION", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 51, - "Content": " value: scripts/casbin/", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: scripts/casbin/", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 52, - "Content": " - name: GIT_REPO_URL", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: GIT_REPO_URL", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 53, - "Content": " value: https://github.com/devtron-labs/devtron.git", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: https://github.com/devtron-labs/devtron.git", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 54, - 
"Content": " - name: DB_TYPE", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: DB_TYPE", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 55, - "Content": " value: postgres", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: postgres", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 56, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV020", - "AVDID": "AVD-KSV-0020", - "Title": "Runs with UID \u003c= 10000", - "Description": "Force the container to run with user ID \u003e 10000 to avoid conflicts with the host’s user table.", - "Message": "Container 'postgresql-migrate-devtron' of Job 'postgresql-migrate-devtron' should set 'securityContext.runAsUser' \u003e 10000", - "Namespace": "builtin.kubernetes.KSV020", - "Query": "data.builtin.kubernetes.KSV020.deny", - "Resolution": "Set 'containers[].securityContext.runAsUser' to an integer \u003e 10000.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv020", - "References": [ - "https://kubesec.io/basics/containers-securitycontext-runasuser/", - "https://avd.aquasec.com/misconfig/ksv020" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 9, - "EndLine": 34, - "Code": { - "Lines": [ - { - "Number": 9, - "Content": " - name: postgresql-migrate-devtron", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-migrate-devtron", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 10, - "Content": " image: quay.io/devtron/migrator:71748de9-149-11112", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " 
\u001b[38;5;33mimage\u001b[0m: quay.io/devtron/migrator:71748de9-149-11112", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 11, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 12, - "Content": " - name: GIT_BRANCH", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: GIT_BRANCH", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 13, - "Content": " value: main", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: main", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 14, - "Content": " - name: SCRIPT_LOCATION", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: SCRIPT_LOCATION", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 15, - "Content": " value: scripts/sql/", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: scripts/sql/", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 16, - "Content": " - name: GIT_REPO_URL", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: GIT_REPO_URL", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 17, - "Content": " value: https://github.com/devtron-labs/devtron.git", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: https://github.com/devtron-labs/devtron.git", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 18, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV020", - 
"AVDID": "AVD-KSV-0020", - "Title": "Runs with UID \u003c= 10000", - "Description": "Force the container to run with user ID \u003e 10000 to avoid conflicts with the host’s user table.", - "Message": "Container 'postgresql-migrate-gitsensor' of Job 'postgresql-migrate-gitsensor' should set 'securityContext.runAsUser' \u003e 10000", - "Namespace": "builtin.kubernetes.KSV020", - "Query": "data.builtin.kubernetes.KSV020.deny", - "Resolution": "Set 'containers[].securityContext.runAsUser' to an integer \u003e 10000.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv020", - "References": [ - "https://kubesec.io/basics/containers-securitycontext-runasuser/", - "https://avd.aquasec.com/misconfig/ksv020" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 85, - "EndLine": 110, - "Code": { - "Lines": [ - { - "Number": 85, - "Content": " - name: postgresql-migrate-gitsensor", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-migrate-gitsensor", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 86, - "Content": " image: quay.io/devtron/migrator:71748de9-149-11112", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/migrator:71748de9-149-11112", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 87, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 88, - "Content": " - name: SCRIPT_LOCATION", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: SCRIPT_LOCATION", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 89, - "Content": " value: scripts/sql/", - "IsCause": true, - 
"Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: scripts/sql/", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 90, - "Content": " - name: GIT_REPO_URL", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: GIT_REPO_URL", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 91, - "Content": " value: https://github.com/devtron-labs/git-sensor.git", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: https://github.com/devtron-labs/git-sensor.git", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 92, - "Content": " - name: DB_TYPE", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: DB_TYPE", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 93, - "Content": " value: postgres", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: postgres", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 94, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV020", - "AVDID": "AVD-KSV-0020", - "Title": "Runs with UID \u003c= 10000", - "Description": "Force the container to run with user ID \u003e 10000 to avoid conflicts with the host’s user table.", - "Message": "Container 'postgresql-migrate-lens' of Job 'postgresql-migrate-lens' should set 'securityContext.runAsUser' \u003e 10000", - "Namespace": "builtin.kubernetes.KSV020", - "Query": "data.builtin.kubernetes.KSV020.deny", - "Resolution": "Set 'containers[].securityContext.runAsUser' to an integer \u003e 10000.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv020", - "References": [ - 
"https://kubesec.io/basics/containers-securitycontext-runasuser/", - "https://avd.aquasec.com/misconfig/ksv020" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 123, - "EndLine": 148, - "Code": { - "Lines": [ - { - "Number": 123, - "Content": " - name: postgresql-migrate-lens", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-migrate-lens", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 124, - "Content": " image: quay.io/devtron/migrator:71748de9-149-11112", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/migrator:71748de9-149-11112", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 125, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 126, - "Content": " - name: SCRIPT_LOCATION", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: SCRIPT_LOCATION", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 127, - "Content": " value: scripts/sql/", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: scripts/sql/", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 128, - "Content": " - name: GIT_REPO_URL", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: GIT_REPO_URL", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 129, - "Content": " value: https://github.com/devtron-labs/lens.git", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: https://github.com/devtron-labs/lens.git", - 
"FirstCause": false, - "LastCause": false - }, - { - "Number": 130, - "Content": " - name: DB_TYPE", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: DB_TYPE", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 131, - "Content": " value: postgres", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: postgres", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 132, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV020", - "AVDID": "AVD-KSV-0020", - "Title": "Runs with UID \u003c= 10000", - "Description": "Force the container to run with user ID \u003e 10000 to avoid conflicts with the host’s user table.", - "Message": "Container 'postgresql-miscellaneous' of Job 'postgresql-miscellaneous' should set 'securityContext.runAsUser' \u003e 10000", - "Namespace": "builtin.kubernetes.KSV020", - "Query": "data.builtin.kubernetes.KSV020.deny", - "Resolution": "Set 'containers[].securityContext.runAsUser' to an integer \u003e 10000.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv020", - "References": [ - "https://kubesec.io/basics/containers-securitycontext-runasuser/", - "https://avd.aquasec.com/misconfig/ksv020" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 165, - "EndLine": 181, - "Code": { - "Lines": [ - { - "Number": 165, - "Content": " - name: postgresql-miscellaneous", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-miscellaneous", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 166, - "Content": " image: quay.io/devtron/postgres:11.9", - "IsCause": true, - "Annotation": "", - 
"Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/postgres:11.9", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 167, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 168, - "Content": " - name: PGPASSWORD", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: PGPASSWORD", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 169, - "Content": " valueFrom:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalueFrom\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 170, - "Content": " secretKeyRef:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33msecretKeyRef\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 171, - "Content": " name: postgresql-postgresql", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mname\u001b[0m: postgresql-postgresql", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 172, - "Content": " key: postgresql-password", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mkey\u001b[0m: postgresql-password", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 173, - "Content": " - name: PGHOST", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: PGHOST", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 174, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV021", - "AVDID": "AVD-KSV-0021", - "Title": 
"Runs with GID \u003c= 10000", - "Description": "Force the container to run with group ID \u003e 10000 to avoid conflicts with the host’s user table.", - "Message": "Container 'postgresql-migrate-casbin' of Job 'postgresql-migrate-casbin' should set 'securityContext.runAsGroup' \u003e 10000", - "Namespace": "builtin.kubernetes.KSV021", - "Query": "data.builtin.kubernetes.KSV021.deny", - "Resolution": "Set 'containers[].securityContext.runAsGroup' to an integer \u003e 10000.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv021", - "References": [ - "https://kubesec.io/basics/containers-securitycontext-runasuser/", - "https://avd.aquasec.com/misconfig/ksv021" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 47, - "EndLine": 72, - "Code": { - "Lines": [ - { - "Number": 47, - "Content": " - name: postgresql-migrate-casbin", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-migrate-casbin", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 48, - "Content": " image: quay.io/devtron/migrator:71748de9-149-11112", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/migrator:71748de9-149-11112", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 49, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 50, - "Content": " - name: SCRIPT_LOCATION", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: SCRIPT_LOCATION", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 51, - "Content": " value: scripts/casbin/", - "IsCause": true, - "Annotation": "", - "Truncated": false, - 
"Highlighted": " \u001b[38;5;33mvalue\u001b[0m: scripts/casbin/", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 52, - "Content": " - name: GIT_REPO_URL", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: GIT_REPO_URL", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 53, - "Content": " value: https://github.com/devtron-labs/devtron.git", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: https://github.com/devtron-labs/devtron.git", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 54, - "Content": " - name: DB_TYPE", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: DB_TYPE", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 55, - "Content": " value: postgres", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: postgres", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 56, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV021", - "AVDID": "AVD-KSV-0021", - "Title": "Runs with GID \u003c= 10000", - "Description": "Force the container to run with group ID \u003e 10000 to avoid conflicts with the host’s user table.", - "Message": "Container 'postgresql-migrate-devtron' of Job 'postgresql-migrate-devtron' should set 'securityContext.runAsGroup' \u003e 10000", - "Namespace": "builtin.kubernetes.KSV021", - "Query": "data.builtin.kubernetes.KSV021.deny", - "Resolution": "Set 'containers[].securityContext.runAsGroup' to an integer \u003e 10000.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv021", - "References": [ - 
"https://kubesec.io/basics/containers-securitycontext-runasuser/", - "https://avd.aquasec.com/misconfig/ksv021" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 9, - "EndLine": 34, - "Code": { - "Lines": [ - { - "Number": 9, - "Content": " - name: postgresql-migrate-devtron", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-migrate-devtron", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 10, - "Content": " image: quay.io/devtron/migrator:71748de9-149-11112", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/migrator:71748de9-149-11112", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 11, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 12, - "Content": " - name: GIT_BRANCH", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: GIT_BRANCH", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 13, - "Content": " value: main", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: main", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 14, - "Content": " - name: SCRIPT_LOCATION", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: SCRIPT_LOCATION", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 15, - "Content": " value: scripts/sql/", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: scripts/sql/", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 16, - "Content": " - 
name: GIT_REPO_URL", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: GIT_REPO_URL", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 17, - "Content": " value: https://github.com/devtron-labs/devtron.git", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: https://github.com/devtron-labs/devtron.git", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 18, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV021", - "AVDID": "AVD-KSV-0021", - "Title": "Runs with GID \u003c= 10000", - "Description": "Force the container to run with group ID \u003e 10000 to avoid conflicts with the host’s user table.", - "Message": "Container 'postgresql-migrate-gitsensor' of Job 'postgresql-migrate-gitsensor' should set 'securityContext.runAsGroup' \u003e 10000", - "Namespace": "builtin.kubernetes.KSV021", - "Query": "data.builtin.kubernetes.KSV021.deny", - "Resolution": "Set 'containers[].securityContext.runAsGroup' to an integer \u003e 10000.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv021", - "References": [ - "https://kubesec.io/basics/containers-securitycontext-runasuser/", - "https://avd.aquasec.com/misconfig/ksv021" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 85, - "EndLine": 110, - "Code": { - "Lines": [ - { - "Number": 85, - "Content": " - name: postgresql-migrate-gitsensor", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-migrate-gitsensor", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 86, - "Content": " image: quay.io/devtron/migrator:71748de9-149-11112", - "IsCause": true, 
- "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/migrator:71748de9-149-11112", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 87, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 88, - "Content": " - name: SCRIPT_LOCATION", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: SCRIPT_LOCATION", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 89, - "Content": " value: scripts/sql/", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: scripts/sql/", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 90, - "Content": " - name: GIT_REPO_URL", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: GIT_REPO_URL", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 91, - "Content": " value: https://github.com/devtron-labs/git-sensor.git", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: https://github.com/devtron-labs/git-sensor.git", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 92, - "Content": " - name: DB_TYPE", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: DB_TYPE", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 93, - "Content": " value: postgres", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: postgres", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 94, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } 
- }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV021", - "AVDID": "AVD-KSV-0021", - "Title": "Runs with GID \u003c= 10000", - "Description": "Force the container to run with group ID \u003e 10000 to avoid conflicts with the host’s user table.", - "Message": "Container 'postgresql-migrate-lens' of Job 'postgresql-migrate-lens' should set 'securityContext.runAsGroup' \u003e 10000", - "Namespace": "builtin.kubernetes.KSV021", - "Query": "data.builtin.kubernetes.KSV021.deny", - "Resolution": "Set 'containers[].securityContext.runAsGroup' to an integer \u003e 10000.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv021", - "References": [ - "https://kubesec.io/basics/containers-securitycontext-runasuser/", - "https://avd.aquasec.com/misconfig/ksv021" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 123, - "EndLine": 148, - "Code": { - "Lines": [ - { - "Number": 123, - "Content": " - name: postgresql-migrate-lens", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-migrate-lens", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 124, - "Content": " image: quay.io/devtron/migrator:71748de9-149-11112", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/migrator:71748de9-149-11112", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 125, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 126, - "Content": " - name: SCRIPT_LOCATION", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: SCRIPT_LOCATION", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 127, - "Content": 
" value: scripts/sql/", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: scripts/sql/", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 128, - "Content": " - name: GIT_REPO_URL", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: GIT_REPO_URL", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 129, - "Content": " value: https://github.com/devtron-labs/lens.git", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: https://github.com/devtron-labs/lens.git", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 130, - "Content": " - name: DB_TYPE", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: DB_TYPE", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 131, - "Content": " value: postgres", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: postgres", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 132, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV021", - "AVDID": "AVD-KSV-0021", - "Title": "Runs with GID \u003c= 10000", - "Description": "Force the container to run with group ID \u003e 10000 to avoid conflicts with the host’s user table.", - "Message": "Container 'postgresql-miscellaneous' of Job 'postgresql-miscellaneous' should set 'securityContext.runAsGroup' \u003e 10000", - "Namespace": "builtin.kubernetes.KSV021", - "Query": "data.builtin.kubernetes.KSV021.deny", - "Resolution": "Set 'containers[].securityContext.runAsGroup' to an integer \u003e 10000.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv021", - 
"References": [ - "https://kubesec.io/basics/containers-securitycontext-runasuser/", - "https://avd.aquasec.com/misconfig/ksv021" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 165, - "EndLine": 181, - "Code": { - "Lines": [ - { - "Number": 165, - "Content": " - name: postgresql-miscellaneous", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-miscellaneous", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 166, - "Content": " image: quay.io/devtron/postgres:11.9", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/postgres:11.9", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 167, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 168, - "Content": " - name: PGPASSWORD", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: PGPASSWORD", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 169, - "Content": " valueFrom:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalueFrom\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 170, - "Content": " secretKeyRef:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33msecretKeyRef\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 171, - "Content": " name: postgresql-postgresql", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mname\u001b[0m: postgresql-postgresql", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 172, - "Content": " key: 
postgresql-password", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mkey\u001b[0m: postgresql-password", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 173, - "Content": " - name: PGHOST", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: PGHOST", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 174, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV030", - "AVDID": "AVD-KSV-0030", - "Title": "Runtime/Default Seccomp profile not set", - "Description": "According to pod security standard 'Seccomp', the RuntimeDefault seccomp profile must be required, or allow specific additional profiles.", - "Message": "Either Pod or Container should set 'securityContext.seccompProfile.type' to 'RuntimeDefault'", - "Namespace": "builtin.kubernetes.KSV030", - "Query": "data.builtin.kubernetes.KSV030.deny", - "Resolution": "Set 'spec.securityContext.seccompProfile.type', 'spec.containers[*].securityContext.seccompProfile' and 'spec.initContainers[*].securityContext.seccompProfile' to 'RuntimeDefault' or undefined.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv030", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", - "https://avd.aquasec.com/misconfig/ksv030" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 165, - "EndLine": 181, - "Code": { - "Lines": [ - { - "Number": 165, - "Content": " - name: postgresql-miscellaneous", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-miscellaneous", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 166, - 
"Content": " image: quay.io/devtron/postgres:11.9", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/postgres:11.9", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 167, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 168, - "Content": " - name: PGPASSWORD", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: PGPASSWORD", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 169, - "Content": " valueFrom:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalueFrom\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 170, - "Content": " secretKeyRef:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33msecretKeyRef\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 171, - "Content": " name: postgresql-postgresql", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mname\u001b[0m: postgresql-postgresql", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 172, - "Content": " key: postgresql-password", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mkey\u001b[0m: postgresql-password", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 173, - "Content": " - name: PGHOST", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: PGHOST", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 174, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - 
"Type": "Kubernetes Security Check", - "ID": "KSV030", - "AVDID": "AVD-KSV-0030", - "Title": "Runtime/Default Seccomp profile not set", - "Description": "According to pod security standard 'Seccomp', the RuntimeDefault seccomp profile must be required, or allow specific additional profiles.", - "Message": "Either Pod or Container should set 'securityContext.seccompProfile.type' to 'RuntimeDefault'", - "Namespace": "builtin.kubernetes.KSV030", - "Query": "data.builtin.kubernetes.KSV030.deny", - "Resolution": "Set 'spec.securityContext.seccompProfile.type', 'spec.containers[*].securityContext.seccompProfile' and 'spec.initContainers[*].securityContext.seccompProfile' to 'RuntimeDefault' or undefined.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv030", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", - "https://avd.aquasec.com/misconfig/ksv030" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 123, - "EndLine": 148, - "Code": { - "Lines": [ - { - "Number": 123, - "Content": " - name: postgresql-migrate-lens", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-migrate-lens", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 124, - "Content": " image: quay.io/devtron/migrator:71748de9-149-11112", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/migrator:71748de9-149-11112", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 125, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 126, - "Content": " - name: SCRIPT_LOCATION", - "IsCause": true, - "Annotation": "", - "Truncated": false, - 
"Highlighted": " - \u001b[38;5;33mname\u001b[0m: SCRIPT_LOCATION", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 127, - "Content": " value: scripts/sql/", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: scripts/sql/", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 128, - "Content": " - name: GIT_REPO_URL", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: GIT_REPO_URL", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 129, - "Content": " value: https://github.com/devtron-labs/lens.git", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: https://github.com/devtron-labs/lens.git", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 130, - "Content": " - name: DB_TYPE", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: DB_TYPE", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 131, - "Content": " value: postgres", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: postgres", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 132, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV030", - "AVDID": "AVD-KSV-0030", - "Title": "Runtime/Default Seccomp profile not set", - "Description": "According to pod security standard 'Seccomp', the RuntimeDefault seccomp profile must be required, or allow specific additional profiles.", - "Message": "Either Pod or Container should set 'securityContext.seccompProfile.type' to 'RuntimeDefault'", - "Namespace": "builtin.kubernetes.KSV030", - "Query": "data.builtin.kubernetes.KSV030.deny", - 
"Resolution": "Set 'spec.securityContext.seccompProfile.type', 'spec.containers[*].securityContext.seccompProfile' and 'spec.initContainers[*].securityContext.seccompProfile' to 'RuntimeDefault' or undefined.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv030", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", - "https://avd.aquasec.com/misconfig/ksv030" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 85, - "EndLine": 110, - "Code": { - "Lines": [ - { - "Number": 85, - "Content": " - name: postgresql-migrate-gitsensor", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-migrate-gitsensor", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 86, - "Content": " image: quay.io/devtron/migrator:71748de9-149-11112", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/migrator:71748de9-149-11112", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 87, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 88, - "Content": " - name: SCRIPT_LOCATION", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: SCRIPT_LOCATION", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 89, - "Content": " value: scripts/sql/", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: scripts/sql/", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 90, - "Content": " - name: GIT_REPO_URL", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - 
\u001b[38;5;33mname\u001b[0m: GIT_REPO_URL", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 91, - "Content": " value: https://github.com/devtron-labs/git-sensor.git", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: https://github.com/devtron-labs/git-sensor.git", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 92, - "Content": " - name: DB_TYPE", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: DB_TYPE", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 93, - "Content": " value: postgres", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: postgres", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 94, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV030", - "AVDID": "AVD-KSV-0030", - "Title": "Runtime/Default Seccomp profile not set", - "Description": "According to pod security standard 'Seccomp', the RuntimeDefault seccomp profile must be required, or allow specific additional profiles.", - "Message": "Either Pod or Container should set 'securityContext.seccompProfile.type' to 'RuntimeDefault'", - "Namespace": "builtin.kubernetes.KSV030", - "Query": "data.builtin.kubernetes.KSV030.deny", - "Resolution": "Set 'spec.securityContext.seccompProfile.type', 'spec.containers[*].securityContext.seccompProfile' and 'spec.initContainers[*].securityContext.seccompProfile' to 'RuntimeDefault' or undefined.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv030", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", - "https://avd.aquasec.com/misconfig/ksv030" - ], - "Status": "FAIL", - "Layer": {}, - 
"CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 47, - "EndLine": 72, - "Code": { - "Lines": [ - { - "Number": 47, - "Content": " - name: postgresql-migrate-casbin", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-migrate-casbin", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 48, - "Content": " image: quay.io/devtron/migrator:71748de9-149-11112", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/migrator:71748de9-149-11112", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 49, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 50, - "Content": " - name: SCRIPT_LOCATION", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: SCRIPT_LOCATION", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 51, - "Content": " value: scripts/casbin/", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: scripts/casbin/", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 52, - "Content": " - name: GIT_REPO_URL", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: GIT_REPO_URL", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 53, - "Content": " value: https://github.com/devtron-labs/devtron.git", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: https://github.com/devtron-labs/devtron.git", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 54, - "Content": " - name: DB_TYPE", - "IsCause": true, - "Annotation": "", - "Truncated": 
false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: DB_TYPE", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 55, - "Content": " value: postgres", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: postgres", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 56, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV030", - "AVDID": "AVD-KSV-0030", - "Title": "Runtime/Default Seccomp profile not set", - "Description": "According to pod security standard 'Seccomp', the RuntimeDefault seccomp profile must be required, or allow specific additional profiles.", - "Message": "Either Pod or Container should set 'securityContext.seccompProfile.type' to 'RuntimeDefault'", - "Namespace": "builtin.kubernetes.KSV030", - "Query": "data.builtin.kubernetes.KSV030.deny", - "Resolution": "Set 'spec.securityContext.seccompProfile.type', 'spec.containers[*].securityContext.seccompProfile' and 'spec.initContainers[*].securityContext.seccompProfile' to 'RuntimeDefault' or undefined.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv030", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", - "https://avd.aquasec.com/misconfig/ksv030" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 9, - "EndLine": 34, - "Code": { - "Lines": [ - { - "Number": 9, - "Content": " - name: postgresql-migrate-devtron", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-migrate-devtron", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 10, - "Content": " image: quay.io/devtron/migrator:71748de9-149-11112", - "IsCause": true, - 
"Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/migrator:71748de9-149-11112", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 11, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 12, - "Content": " - name: GIT_BRANCH", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: GIT_BRANCH", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 13, - "Content": " value: main", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: main", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 14, - "Content": " - name: SCRIPT_LOCATION", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: SCRIPT_LOCATION", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 15, - "Content": " value: scripts/sql/", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: scripts/sql/", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 16, - "Content": " - name: GIT_REPO_URL", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: GIT_REPO_URL", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 17, - "Content": " value: https://github.com/devtron-labs/devtron.git", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: https://github.com/devtron-labs/devtron.git", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 18, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { 
- "Type": "Kubernetes Security Check", - "ID": "KSV104", - "AVDID": "AVD-KSV-0104", - "Title": "Seccomp policies disabled", - "Description": "A program inside the container can bypass Seccomp protection policies.", - "Message": "container \"postgresql-migrate-casbin\" of job \"postgresql-migrate-casbin\" in \"default\" namespace should specify a seccomp profile", - "Namespace": "builtin.kubernetes.KSV104", - "Query": "data.builtin.kubernetes.KSV104.deny", - "Resolution": "Specify seccomp either by annotation or by seccomp profile type having allowed values as per pod security standards", - "Severity": "MEDIUM", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv104", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline", - "https://avd.aquasec.com/misconfig/ksv104" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 38, - "EndLine": 38, - "Code": { - "Lines": [ - { - "Number": 38, - "Content": "---", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m---", - "FirstCause": true, - "LastCause": true - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV104", - "AVDID": "AVD-KSV-0104", - "Title": "Seccomp policies disabled", - "Description": "A program inside the container can bypass Seccomp protection policies.", - "Message": "container \"postgresql-migrate-devtron\" of job \"postgresql-migrate-devtron\" in \"default\" namespace should specify a seccomp profile", - "Namespace": "builtin.kubernetes.KSV104", - "Query": "data.builtin.kubernetes.KSV104.deny", - "Resolution": "Specify seccomp either by annotation or by seccomp profile type having allowed values as per pod security standards", - "Severity": "MEDIUM", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv104", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline", - 
"https://avd.aquasec.com/misconfig/ksv104" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "Code": { - "Lines": null - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV104", - "AVDID": "AVD-KSV-0104", - "Title": "Seccomp policies disabled", - "Description": "A program inside the container can bypass Seccomp protection policies.", - "Message": "container \"postgresql-migrate-gitsensor\" of job \"postgresql-migrate-gitsensor\" in \"default\" namespace should specify a seccomp profile", - "Namespace": "builtin.kubernetes.KSV104", - "Query": "data.builtin.kubernetes.KSV104.deny", - "Resolution": "Specify seccomp either by annotation or by seccomp profile type having allowed values as per pod security standards", - "Severity": "MEDIUM", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv104", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline", - "https://avd.aquasec.com/misconfig/ksv104" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 76, - "EndLine": 76, - "Code": { - "Lines": [ - { - "Number": 76, - "Content": "---", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m---", - "FirstCause": true, - "LastCause": true - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV104", - "AVDID": "AVD-KSV-0104", - "Title": "Seccomp policies disabled", - "Description": "A program inside the container can bypass Seccomp protection policies.", - "Message": "container \"postgresql-migrate-lens\" of job \"postgresql-migrate-lens\" in \"default\" namespace should specify a seccomp profile", - "Namespace": "builtin.kubernetes.KSV104", - "Query": "data.builtin.kubernetes.KSV104.deny", - "Resolution": "Specify seccomp either by annotation or by seccomp profile type having allowed values as per pod security standards", - 
"Severity": "MEDIUM", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv104", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline", - "https://avd.aquasec.com/misconfig/ksv104" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 114, - "EndLine": 114, - "Code": { - "Lines": [ - { - "Number": 114, - "Content": "---", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m---", - "FirstCause": true, - "LastCause": true - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV104", - "AVDID": "AVD-KSV-0104", - "Title": "Seccomp policies disabled", - "Description": "A program inside the container can bypass Seccomp protection policies.", - "Message": "container \"postgresql-miscellaneous\" of job \"postgresql-miscellaneous\" in \"default\" namespace should specify a seccomp profile", - "Namespace": "builtin.kubernetes.KSV104", - "Query": "data.builtin.kubernetes.KSV104.deny", - "Resolution": "Specify seccomp either by annotation or by seccomp profile type having allowed values as per pod security standards", - "Severity": "MEDIUM", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv104", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline", - "https://avd.aquasec.com/misconfig/ksv104" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 152, - "EndLine": 152, - "Code": { - "Lines": [ - { - "Number": 152, - "Content": "---", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m---", - "FirstCause": true, - "LastCause": true - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV106", - "AVDID": "AVD-KSV-0106", - "Title": "Container capabilities must only include NET_BIND_SERVICE", - "Description": "Containers must 
drop ALL capabilities, and are only permitted to add back the NET_BIND_SERVICE capability.", - "Message": "container should drop all", - "Namespace": "builtin.kubernetes.KSV106", - "Query": "data.builtin.kubernetes.KSV106.deny", - "Resolution": "Set 'spec.containers[*].securityContext.capabilities.drop' to 'ALL' and only add 'NET_BIND_SERVICE' to 'spec.containers[*].securityContext.capabilities.add'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv106", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", - "https://avd.aquasec.com/misconfig/ksv106" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 165, - "EndLine": 181, - "Code": { - "Lines": [ - { - "Number": 165, - "Content": " - name: postgresql-miscellaneous", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-miscellaneous", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 166, - "Content": " image: quay.io/devtron/postgres:11.9", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/postgres:11.9", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 167, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 168, - "Content": " - name: PGPASSWORD", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: PGPASSWORD", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 169, - "Content": " valueFrom:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalueFrom\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - 
"Number": 170, - "Content": " secretKeyRef:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33msecretKeyRef\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 171, - "Content": " name: postgresql-postgresql", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mname\u001b[0m: postgresql-postgresql", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 172, - "Content": " key: postgresql-password", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mkey\u001b[0m: postgresql-password", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 173, - "Content": " - name: PGHOST", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: PGHOST", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 174, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV106", - "AVDID": "AVD-KSV-0106", - "Title": "Container capabilities must only include NET_BIND_SERVICE", - "Description": "Containers must drop ALL capabilities, and are only permitted to add back the NET_BIND_SERVICE capability.", - "Message": "container should drop all", - "Namespace": "builtin.kubernetes.KSV106", - "Query": "data.builtin.kubernetes.KSV106.deny", - "Resolution": "Set 'spec.containers[*].securityContext.capabilities.drop' to 'ALL' and only add 'NET_BIND_SERVICE' to 'spec.containers[*].securityContext.capabilities.add'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv106", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", - "https://avd.aquasec.com/misconfig/ksv106" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": 
"Kubernetes", - "Service": "general", - "StartLine": 123, - "EndLine": 148, - "Code": { - "Lines": [ - { - "Number": 123, - "Content": " - name: postgresql-migrate-lens", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-migrate-lens", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 124, - "Content": " image: quay.io/devtron/migrator:71748de9-149-11112", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/migrator:71748de9-149-11112", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 125, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 126, - "Content": " - name: SCRIPT_LOCATION", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: SCRIPT_LOCATION", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 127, - "Content": " value: scripts/sql/", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: scripts/sql/", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 128, - "Content": " - name: GIT_REPO_URL", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: GIT_REPO_URL", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 129, - "Content": " value: https://github.com/devtron-labs/lens.git", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: https://github.com/devtron-labs/lens.git", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 130, - "Content": " - name: DB_TYPE", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - 
\u001b[38;5;33mname\u001b[0m: DB_TYPE", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 131, - "Content": " value: postgres", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: postgres", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 132, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV106", - "AVDID": "AVD-KSV-0106", - "Title": "Container capabilities must only include NET_BIND_SERVICE", - "Description": "Containers must drop ALL capabilities, and are only permitted to add back the NET_BIND_SERVICE capability.", - "Message": "container should drop all", - "Namespace": "builtin.kubernetes.KSV106", - "Query": "data.builtin.kubernetes.KSV106.deny", - "Resolution": "Set 'spec.containers[*].securityContext.capabilities.drop' to 'ALL' and only add 'NET_BIND_SERVICE' to 'spec.containers[*].securityContext.capabilities.add'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv106", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", - "https://avd.aquasec.com/misconfig/ksv106" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 85, - "EndLine": 110, - "Code": { - "Lines": [ - { - "Number": 85, - "Content": " - name: postgresql-migrate-gitsensor", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-migrate-gitsensor", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 86, - "Content": " image: quay.io/devtron/migrator:71748de9-149-11112", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/migrator:71748de9-149-11112", - 
"FirstCause": false, - "LastCause": false - }, - { - "Number": 87, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 88, - "Content": " - name: SCRIPT_LOCATION", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: SCRIPT_LOCATION", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 89, - "Content": " value: scripts/sql/", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: scripts/sql/", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 90, - "Content": " - name: GIT_REPO_URL", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: GIT_REPO_URL", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 91, - "Content": " value: https://github.com/devtron-labs/git-sensor.git", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: https://github.com/devtron-labs/git-sensor.git", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 92, - "Content": " - name: DB_TYPE", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: DB_TYPE", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 93, - "Content": " value: postgres", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: postgres", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 94, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV106", - "AVDID": "AVD-KSV-0106", - "Title": "Container capabilities must only 
include NET_BIND_SERVICE", - "Description": "Containers must drop ALL capabilities, and are only permitted to add back the NET_BIND_SERVICE capability.", - "Message": "container should drop all", - "Namespace": "builtin.kubernetes.KSV106", - "Query": "data.builtin.kubernetes.KSV106.deny", - "Resolution": "Set 'spec.containers[*].securityContext.capabilities.drop' to 'ALL' and only add 'NET_BIND_SERVICE' to 'spec.containers[*].securityContext.capabilities.add'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv106", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", - "https://avd.aquasec.com/misconfig/ksv106" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 47, - "EndLine": 72, - "Code": { - "Lines": [ - { - "Number": 47, - "Content": " - name: postgresql-migrate-casbin", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-migrate-casbin", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 48, - "Content": " image: quay.io/devtron/migrator:71748de9-149-11112", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/migrator:71748de9-149-11112", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 49, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 50, - "Content": " - name: SCRIPT_LOCATION", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: SCRIPT_LOCATION", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 51, - "Content": " value: scripts/casbin/", - "IsCause": true, - "Annotation": "", - "Truncated": false, - 
"Highlighted": " \u001b[38;5;33mvalue\u001b[0m: scripts/casbin/", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 52, - "Content": " - name: GIT_REPO_URL", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: GIT_REPO_URL", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 53, - "Content": " value: https://github.com/devtron-labs/devtron.git", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: https://github.com/devtron-labs/devtron.git", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 54, - "Content": " - name: DB_TYPE", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: DB_TYPE", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 55, - "Content": " value: postgres", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: postgres", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 56, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV106", - "AVDID": "AVD-KSV-0106", - "Title": "Container capabilities must only include NET_BIND_SERVICE", - "Description": "Containers must drop ALL capabilities, and are only permitted to add back the NET_BIND_SERVICE capability.", - "Message": "container should drop all", - "Namespace": "builtin.kubernetes.KSV106", - "Query": "data.builtin.kubernetes.KSV106.deny", - "Resolution": "Set 'spec.containers[*].securityContext.capabilities.drop' to 'ALL' and only add 'NET_BIND_SERVICE' to 'spec.containers[*].securityContext.capabilities.add'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv106", - "References": [ - 
"https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", - "https://avd.aquasec.com/misconfig/ksv106" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 9, - "EndLine": 34, - "Code": { - "Lines": [ - { - "Number": 9, - "Content": " - name: postgresql-migrate-devtron", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-migrate-devtron", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 10, - "Content": " image: quay.io/devtron/migrator:71748de9-149-11112", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/migrator:71748de9-149-11112", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 11, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 12, - "Content": " - name: GIT_BRANCH", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: GIT_BRANCH", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 13, - "Content": " value: main", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: main", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 14, - "Content": " - name: SCRIPT_LOCATION", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: SCRIPT_LOCATION", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 15, - "Content": " value: scripts/sql/", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: scripts/sql/", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 16, - 
"Content": " - name: GIT_REPO_URL", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: GIT_REPO_URL", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 17, - "Content": " value: https://github.com/devtron-labs/devtron.git", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: https://github.com/devtron-labs/devtron.git", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 18, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - } - ] - }, - { - "Target": "tests/integrationTesting/postgresql-secret.yaml", - "Class": "config", - "Type": "kubernetes", - "MisconfSummary": { - "Successes": 153, - "Failures": 0, - "Exceptions": 0 - } - }, - { - "Target": "tests/integrationTesting/postgresql.yaml", - "Class": "config", - "Type": "kubernetes", - "MisconfSummary": { - "Successes": 153, - "Failures": 41, - "Exceptions": 0 - }, - "Misconfigurations": [ - { - "Type": "Kubernetes Security Check", - "ID": "KSV001", - "AVDID": "AVD-KSV-0001", - "Title": "Can elevate its own privileges", - "Description": "A program inside the container can elevate its own privileges and run as root, which might give the program control over the container and node.", - "Message": "Container 'init-chmod-data' of StatefulSet 'postgresql-postgresql' should set 'securityContext.allowPrivilegeEscalation' to false", - "Namespace": "builtin.kubernetes.KSV001", - "Query": "data.builtin.kubernetes.KSV001.deny", - "Resolution": "Set 'set containers[].securityContext.allowPrivilegeEscalation' to 'false'.", - "Severity": "MEDIUM", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv001", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", - "https://avd.aquasec.com/misconfig/ksv001" - ], - "Status": "FAIL", - "Layer": {}, - 
"CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 111, - "EndLine": 132, - "Code": { - "Lines": [ - { - "Number": 111, - "Content": " - name: init-chmod-data", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: init-chmod-data", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 112, - "Content": " image: \"quay.io/devtron/minideb:latest\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/minideb:latest\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 113, - "Content": " imagePullPolicy: \"IfNotPresent\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: \u001b[38;5;37m\"IfNotPresent\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 114, - "Content": " command:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mcommand\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 115, - "Content": " - /bin/sh", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - /bin/sh", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 116, - "Content": " - -cx", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - -cx", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 117, - "Content": " - |", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - |", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 118, - "Content": "", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "FirstCause": false, - "LastCause": false - }, - { - "Number": 119, - "Content": " mkdir -p /bitnami/postgresql/data", - "IsCause": true, - "Annotation": "", - "Truncated": false, 
- "Highlighted": " mkdir -p /bitnami/postgresql/data", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 120, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV001", - "AVDID": "AVD-KSV-0001", - "Title": "Can elevate its own privileges", - "Description": "A program inside the container can elevate its own privileges and run as root, which might give the program control over the container and node.", - "Message": "Container 'metrics' of StatefulSet 'postgresql-postgresql' should set 'securityContext.allowPrivilegeEscalation' to false", - "Namespace": "builtin.kubernetes.KSV001", - "Query": "data.builtin.kubernetes.KSV001.deny", - "Resolution": "Set 'set containers[].securityContext.allowPrivilegeEscalation' to 'false'.", - "Severity": "MEDIUM", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv001", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", - "https://avd.aquasec.com/misconfig/ksv001" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 201, - "EndLine": 235, - "Code": { - "Lines": [ - { - "Number": 201, - "Content": " - name: metrics", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: metrics", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 202, - "Content": " image: quay.io/devtron/postgres_exporter:v0.4.7", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/postgres_exporter:v0.4.7", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 203, - "Content": " imagePullPolicy: \"IfNotPresent\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " 
\u001b[38;5;33mimagePullPolicy\u001b[0m: \u001b[38;5;37m\"IfNotPresent\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 204, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 205, - "Content": " - name: DATA_SOURCE_URI", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: DATA_SOURCE_URI", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 206, - "Content": " value: \"127.0.0.1:5432/orchestrator?sslmode=disable\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: \u001b[38;5;37m\"127.0.0.1:5432/orchestrator?sslmode=disable\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 207, - "Content": " - name: DATA_SOURCE_PASS", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: DATA_SOURCE_PASS", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 208, - "Content": " valueFrom:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalueFrom\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 209, - "Content": " secretKeyRef:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33msecretKeyRef\u001b[0m:", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 210, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV001", - "AVDID": "AVD-KSV-0001", - "Title": "Can elevate its own privileges", - "Description": "A program inside the container can elevate its own privileges and run as root, which might give the 
program control over the container and node.", - "Message": "Container 'postgresql-postgresql' of StatefulSet 'postgresql-postgresql' should set 'securityContext.allowPrivilegeEscalation' to false", - "Namespace": "builtin.kubernetes.KSV001", - "Query": "data.builtin.kubernetes.KSV001.deny", - "Resolution": "Set 'set containers[].securityContext.allowPrivilegeEscalation' to 'false'.", - "Severity": "MEDIUM", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv001", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", - "https://avd.aquasec.com/misconfig/ksv001" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 138, - "EndLine": 199, - "Code": { - "Lines": [ - { - "Number": 138, - "Content": " - name: postgresql-postgresql", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-postgresql", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 139, - "Content": " image: quay.io/devtron/postgres:11.9.0-debian-10-r26", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/postgres:11.9.0-debian-10-r26", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 140, - "Content": " imagePullPolicy: \"IfNotPresent\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: \u001b[38;5;37m\"IfNotPresent\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 141, - "Content": " securityContext:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33msecurityContext\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 142, - "Content": " runAsUser: 1001", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " 
\u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1001", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 143, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 144, - "Content": " - name: BITNAMI_DEBUG", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: BITNAMI_DEBUG", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 145, - "Content": " value: \"false\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: \u001b[38;5;37m\"false\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 146, - "Content": " - name: POSTGRESQL_PORT_NUMBER", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: POSTGRESQL_PORT_NUMBER", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 147, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV003", - "AVDID": "AVD-KSV-0003", - "Title": "Default capabilities: some containers do not drop all", - "Description": "The container should drop all default capabilities and add only those that are needed for its execution.", - "Message": "Container 'init-chmod-data' of StatefulSet 'postgresql-postgresql' should add 'ALL' to 'securityContext.capabilities.drop'", - "Namespace": "builtin.kubernetes.KSV003", - "Query": "data.builtin.kubernetes.KSV003.deny", - "Resolution": "Add 'ALL' to containers[].securityContext.capabilities.drop.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv003", - "References": [ - 
"https://kubesec.io/basics/containers-securitycontext-capabilities-drop-index-all/", - "https://avd.aquasec.com/misconfig/ksv003" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 111, - "EndLine": 132, - "Code": { - "Lines": [ - { - "Number": 111, - "Content": " - name: init-chmod-data", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: init-chmod-data", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 112, - "Content": " image: \"quay.io/devtron/minideb:latest\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/minideb:latest\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 113, - "Content": " imagePullPolicy: \"IfNotPresent\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: \u001b[38;5;37m\"IfNotPresent\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 114, - "Content": " command:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mcommand\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 115, - "Content": " - /bin/sh", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - /bin/sh", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 116, - "Content": " - -cx", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - -cx", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 117, - "Content": " - |", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - |", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 118, - "Content": "", - "IsCause": true, - "Annotation": "", - "Truncated": false, - 
"FirstCause": false, - "LastCause": false - }, - { - "Number": 119, - "Content": " mkdir -p /bitnami/postgresql/data", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " mkdir -p /bitnami/postgresql/data", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 120, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV003", - "AVDID": "AVD-KSV-0003", - "Title": "Default capabilities: some containers do not drop all", - "Description": "The container should drop all default capabilities and add only those that are needed for its execution.", - "Message": "Container 'metrics' of StatefulSet 'postgresql-postgresql' should add 'ALL' to 'securityContext.capabilities.drop'", - "Namespace": "builtin.kubernetes.KSV003", - "Query": "data.builtin.kubernetes.KSV003.deny", - "Resolution": "Add 'ALL' to containers[].securityContext.capabilities.drop.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv003", - "References": [ - "https://kubesec.io/basics/containers-securitycontext-capabilities-drop-index-all/", - "https://avd.aquasec.com/misconfig/ksv003" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 201, - "EndLine": 235, - "Code": { - "Lines": [ - { - "Number": 201, - "Content": " - name: metrics", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: metrics", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 202, - "Content": " image: quay.io/devtron/postgres_exporter:v0.4.7", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/postgres_exporter:v0.4.7", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 203, - "Content": " 
imagePullPolicy: \"IfNotPresent\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: \u001b[38;5;37m\"IfNotPresent\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 204, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 205, - "Content": " - name: DATA_SOURCE_URI", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: DATA_SOURCE_URI", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 206, - "Content": " value: \"127.0.0.1:5432/orchestrator?sslmode=disable\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: \u001b[38;5;37m\"127.0.0.1:5432/orchestrator?sslmode=disable\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 207, - "Content": " - name: DATA_SOURCE_PASS", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: DATA_SOURCE_PASS", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 208, - "Content": " valueFrom:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalueFrom\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 209, - "Content": " secretKeyRef:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33msecretKeyRef\u001b[0m:", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 210, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV003", - "AVDID": "AVD-KSV-0003", - "Title": "Default capabilities: some containers 
do not drop all", - "Description": "The container should drop all default capabilities and add only those that are needed for its execution.", - "Message": "Container 'postgresql-postgresql' of StatefulSet 'postgresql-postgresql' should add 'ALL' to 'securityContext.capabilities.drop'", - "Namespace": "builtin.kubernetes.KSV003", - "Query": "data.builtin.kubernetes.KSV003.deny", - "Resolution": "Add 'ALL' to containers[].securityContext.capabilities.drop.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv003", - "References": [ - "https://kubesec.io/basics/containers-securitycontext-capabilities-drop-index-all/", - "https://avd.aquasec.com/misconfig/ksv003" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 138, - "EndLine": 199, - "Code": { - "Lines": [ - { - "Number": 138, - "Content": " - name: postgresql-postgresql", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-postgresql", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 139, - "Content": " image: quay.io/devtron/postgres:11.9.0-debian-10-r26", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/postgres:11.9.0-debian-10-r26", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 140, - "Content": " imagePullPolicy: \"IfNotPresent\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: \u001b[38;5;37m\"IfNotPresent\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 141, - "Content": " securityContext:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33msecurityContext\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 142, - "Content": " runAsUser: 1001", - "IsCause": 
true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1001", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 143, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 144, - "Content": " - name: BITNAMI_DEBUG", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: BITNAMI_DEBUG", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 145, - "Content": " value: \"false\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: \u001b[38;5;37m\"false\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 146, - "Content": " - name: POSTGRESQL_PORT_NUMBER", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: POSTGRESQL_PORT_NUMBER", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 147, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV011", - "AVDID": "AVD-KSV-0011", - "Title": "CPU not limited", - "Description": "Enforcing CPU limits prevents DoS via resource exhaustion.", - "Message": "Container 'init-chmod-data' of StatefulSet 'postgresql-postgresql' should set 'resources.limits.cpu'", - "Namespace": "builtin.kubernetes.KSV011", - "Query": "data.builtin.kubernetes.KSV011.deny", - "Resolution": "Set a limit value under 'containers[].resources.limits.cpu'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv011", - "References": [ - "https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", 
- "https://avd.aquasec.com/misconfig/ksv011" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 111, - "EndLine": 132, - "Code": { - "Lines": [ - { - "Number": 111, - "Content": " - name: init-chmod-data", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: init-chmod-data", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 112, - "Content": " image: \"quay.io/devtron/minideb:latest\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/minideb:latest\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 113, - "Content": " imagePullPolicy: \"IfNotPresent\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: \u001b[38;5;37m\"IfNotPresent\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 114, - "Content": " command:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mcommand\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 115, - "Content": " - /bin/sh", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - /bin/sh", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 116, - "Content": " - -cx", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - -cx", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 117, - "Content": " - |", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - |", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 118, - "Content": "", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "FirstCause": false, - "LastCause": false - }, - { - "Number": 119, - "Content": " mkdir -p 
/bitnami/postgresql/data", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " mkdir -p /bitnami/postgresql/data", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 120, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV011", - "AVDID": "AVD-KSV-0011", - "Title": "CPU not limited", - "Description": "Enforcing CPU limits prevents DoS via resource exhaustion.", - "Message": "Container 'metrics' of StatefulSet 'postgresql-postgresql' should set 'resources.limits.cpu'", - "Namespace": "builtin.kubernetes.KSV011", - "Query": "data.builtin.kubernetes.KSV011.deny", - "Resolution": "Set a limit value under 'containers[].resources.limits.cpu'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv011", - "References": [ - "https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", - "https://avd.aquasec.com/misconfig/ksv011" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 201, - "EndLine": 235, - "Code": { - "Lines": [ - { - "Number": 201, - "Content": " - name: metrics", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: metrics", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 202, - "Content": " image: quay.io/devtron/postgres_exporter:v0.4.7", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/postgres_exporter:v0.4.7", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 203, - "Content": " imagePullPolicy: \"IfNotPresent\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: 
\u001b[38;5;37m\"IfNotPresent\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 204, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 205, - "Content": " - name: DATA_SOURCE_URI", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: DATA_SOURCE_URI", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 206, - "Content": " value: \"127.0.0.1:5432/orchestrator?sslmode=disable\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: \u001b[38;5;37m\"127.0.0.1:5432/orchestrator?sslmode=disable\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 207, - "Content": " - name: DATA_SOURCE_PASS", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: DATA_SOURCE_PASS", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 208, - "Content": " valueFrom:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalueFrom\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 209, - "Content": " secretKeyRef:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33msecretKeyRef\u001b[0m:", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 210, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV011", - "AVDID": "AVD-KSV-0011", - "Title": "CPU not limited", - "Description": "Enforcing CPU limits prevents DoS via resource exhaustion.", - "Message": "Container 'postgresql-postgresql' of StatefulSet 'postgresql-postgresql' should set 
'resources.limits.cpu'", - "Namespace": "builtin.kubernetes.KSV011", - "Query": "data.builtin.kubernetes.KSV011.deny", - "Resolution": "Set a limit value under 'containers[].resources.limits.cpu'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv011", - "References": [ - "https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", - "https://avd.aquasec.com/misconfig/ksv011" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 138, - "EndLine": 199, - "Code": { - "Lines": [ - { - "Number": 138, - "Content": " - name: postgresql-postgresql", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-postgresql", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 139, - "Content": " image: quay.io/devtron/postgres:11.9.0-debian-10-r26", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/postgres:11.9.0-debian-10-r26", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 140, - "Content": " imagePullPolicy: \"IfNotPresent\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: \u001b[38;5;37m\"IfNotPresent\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 141, - "Content": " securityContext:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33msecurityContext\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 142, - "Content": " runAsUser: 1001", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1001", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 143, - "Content": " env:", - "IsCause": 
true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 144, - "Content": " - name: BITNAMI_DEBUG", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: BITNAMI_DEBUG", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 145, - "Content": " value: \"false\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: \u001b[38;5;37m\"false\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 146, - "Content": " - name: POSTGRESQL_PORT_NUMBER", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: POSTGRESQL_PORT_NUMBER", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 147, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV012", - "AVDID": "AVD-KSV-0012", - "Title": "Runs as root user", - "Description": "Force the running image to run as a non-root user to ensure least privileges.", - "Message": "Container 'init-chmod-data' of StatefulSet 'postgresql-postgresql' should set 'securityContext.runAsNonRoot' to true", - "Namespace": "builtin.kubernetes.KSV012", - "Query": "data.builtin.kubernetes.KSV012.deny", - "Resolution": "Set 'containers[].securityContext.runAsNonRoot' to true.", - "Severity": "MEDIUM", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv012", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", - "https://avd.aquasec.com/misconfig/ksv012" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 111, - "EndLine": 132, - "Code": { - "Lines": [ - { - 
"Number": 111, - "Content": " - name: init-chmod-data", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: init-chmod-data", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 112, - "Content": " image: \"quay.io/devtron/minideb:latest\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/minideb:latest\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 113, - "Content": " imagePullPolicy: \"IfNotPresent\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: \u001b[38;5;37m\"IfNotPresent\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 114, - "Content": " command:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mcommand\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 115, - "Content": " - /bin/sh", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - /bin/sh", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 116, - "Content": " - -cx", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - -cx", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 117, - "Content": " - |", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - |", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 118, - "Content": "", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "FirstCause": false, - "LastCause": false - }, - { - "Number": 119, - "Content": " mkdir -p /bitnami/postgresql/data", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " mkdir -p /bitnami/postgresql/data", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 120, - "Content": "", 
- "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV012", - "AVDID": "AVD-KSV-0012", - "Title": "Runs as root user", - "Description": "Force the running image to run as a non-root user to ensure least privileges.", - "Message": "Container 'metrics' of StatefulSet 'postgresql-postgresql' should set 'securityContext.runAsNonRoot' to true", - "Namespace": "builtin.kubernetes.KSV012", - "Query": "data.builtin.kubernetes.KSV012.deny", - "Resolution": "Set 'containers[].securityContext.runAsNonRoot' to true.", - "Severity": "MEDIUM", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv012", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", - "https://avd.aquasec.com/misconfig/ksv012" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 201, - "EndLine": 235, - "Code": { - "Lines": [ - { - "Number": 201, - "Content": " - name: metrics", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: metrics", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 202, - "Content": " image: quay.io/devtron/postgres_exporter:v0.4.7", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/postgres_exporter:v0.4.7", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 203, - "Content": " imagePullPolicy: \"IfNotPresent\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: \u001b[38;5;37m\"IfNotPresent\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 204, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33menv\u001b[0m:", 
- "FirstCause": false, - "LastCause": false - }, - { - "Number": 205, - "Content": " - name: DATA_SOURCE_URI", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: DATA_SOURCE_URI", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 206, - "Content": " value: \"127.0.0.1:5432/orchestrator?sslmode=disable\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: \u001b[38;5;37m\"127.0.0.1:5432/orchestrator?sslmode=disable\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 207, - "Content": " - name: DATA_SOURCE_PASS", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: DATA_SOURCE_PASS", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 208, - "Content": " valueFrom:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalueFrom\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 209, - "Content": " secretKeyRef:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33msecretKeyRef\u001b[0m:", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 210, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV012", - "AVDID": "AVD-KSV-0012", - "Title": "Runs as root user", - "Description": "Force the running image to run as a non-root user to ensure least privileges.", - "Message": "Container 'postgresql-postgresql' of StatefulSet 'postgresql-postgresql' should set 'securityContext.runAsNonRoot' to true", - "Namespace": "builtin.kubernetes.KSV012", - "Query": "data.builtin.kubernetes.KSV012.deny", - "Resolution": "Set 'containers[].securityContext.runAsNonRoot' to true.", - "Severity": 
"MEDIUM", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv012", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", - "https://avd.aquasec.com/misconfig/ksv012" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 138, - "EndLine": 199, - "Code": { - "Lines": [ - { - "Number": 138, - "Content": " - name: postgresql-postgresql", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-postgresql", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 139, - "Content": " image: quay.io/devtron/postgres:11.9.0-debian-10-r26", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/postgres:11.9.0-debian-10-r26", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 140, - "Content": " imagePullPolicy: \"IfNotPresent\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: \u001b[38;5;37m\"IfNotPresent\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 141, - "Content": " securityContext:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33msecurityContext\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 142, - "Content": " runAsUser: 1001", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1001", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 143, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 144, - "Content": " - name: BITNAMI_DEBUG", - "IsCause": true, - 
"Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: BITNAMI_DEBUG", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 145, - "Content": " value: \"false\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: \u001b[38;5;37m\"false\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 146, - "Content": " - name: POSTGRESQL_PORT_NUMBER", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: POSTGRESQL_PORT_NUMBER", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 147, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV013", - "AVDID": "AVD-KSV-0013", - "Title": "Image tag \":latest\" used", - "Description": "It is best to avoid using the ':latest' image tag when deploying containers in production. 
Doing so makes it hard to track which version of the image is running, and hard to roll back the version.", - "Message": "Container 'init-chmod-data' of StatefulSet 'postgresql-postgresql' should specify an image tag", - "Namespace": "builtin.kubernetes.KSV013", - "Query": "data.builtin.kubernetes.KSV013.deny", - "Resolution": "Use a specific container image tag that is not 'latest'.", - "Severity": "MEDIUM", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv013", - "References": [ - "https://kubernetes.io/docs/concepts/configuration/overview/#container-images", - "https://avd.aquasec.com/misconfig/ksv013" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 111, - "EndLine": 132, - "Code": { - "Lines": [ - { - "Number": 111, - "Content": " - name: init-chmod-data", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: init-chmod-data", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 112, - "Content": " image: \"quay.io/devtron/minideb:latest\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/minideb:latest\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 113, - "Content": " imagePullPolicy: \"IfNotPresent\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: \u001b[38;5;37m\"IfNotPresent\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 114, - "Content": " command:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mcommand\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 115, - "Content": " - /bin/sh", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - /bin/sh", - "FirstCause": false, - 
"LastCause": false - }, - { - "Number": 116, - "Content": " - -cx", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - -cx", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 117, - "Content": " - |", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - |", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 118, - "Content": "", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "FirstCause": false, - "LastCause": false - }, - { - "Number": 119, - "Content": " mkdir -p /bitnami/postgresql/data", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " mkdir -p /bitnami/postgresql/data", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 120, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV014", - "AVDID": "AVD-KSV-0014", - "Title": "Root file system is not read-only", - "Description": "An immutable root file system prevents applications from writing to their local disk. 
This can limit intrusions, as attackers will not be able to tamper with the file system or write foreign executables to disk.", - "Message": "Container 'init-chmod-data' of StatefulSet 'postgresql-postgresql' should set 'securityContext.readOnlyRootFilesystem' to true", - "Namespace": "builtin.kubernetes.KSV014", - "Query": "data.builtin.kubernetes.KSV014.deny", - "Resolution": "Change 'containers[].securityContext.readOnlyRootFilesystem' to 'true'.", - "Severity": "HIGH", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv014", - "References": [ - "https://kubesec.io/basics/containers-securitycontext-readonlyrootfilesystem-true/", - "https://avd.aquasec.com/misconfig/ksv014" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 111, - "EndLine": 132, - "Code": { - "Lines": [ - { - "Number": 111, - "Content": " - name: init-chmod-data", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: init-chmod-data", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 112, - "Content": " image: \"quay.io/devtron/minideb:latest\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/minideb:latest\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 113, - "Content": " imagePullPolicy: \"IfNotPresent\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: \u001b[38;5;37m\"IfNotPresent\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 114, - "Content": " command:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mcommand\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 115, - "Content": " - /bin/sh", - "IsCause": true, - "Annotation": "", - 
"Truncated": false, - "Highlighted": " - /bin/sh", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 116, - "Content": " - -cx", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - -cx", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 117, - "Content": " - |", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - |", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 118, - "Content": "", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "FirstCause": false, - "LastCause": false - }, - { - "Number": 119, - "Content": " mkdir -p /bitnami/postgresql/data", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " mkdir -p /bitnami/postgresql/data", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 120, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV014", - "AVDID": "AVD-KSV-0014", - "Title": "Root file system is not read-only", - "Description": "An immutable root file system prevents applications from writing to their local disk. 
This can limit intrusions, as attackers will not be able to tamper with the file system or write foreign executables to disk.", - "Message": "Container 'metrics' of StatefulSet 'postgresql-postgresql' should set 'securityContext.readOnlyRootFilesystem' to true", - "Namespace": "builtin.kubernetes.KSV014", - "Query": "data.builtin.kubernetes.KSV014.deny", - "Resolution": "Change 'containers[].securityContext.readOnlyRootFilesystem' to 'true'.", - "Severity": "HIGH", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv014", - "References": [ - "https://kubesec.io/basics/containers-securitycontext-readonlyrootfilesystem-true/", - "https://avd.aquasec.com/misconfig/ksv014" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 201, - "EndLine": 235, - "Code": { - "Lines": [ - { - "Number": 201, - "Content": " - name: metrics", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: metrics", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 202, - "Content": " image: quay.io/devtron/postgres_exporter:v0.4.7", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/postgres_exporter:v0.4.7", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 203, - "Content": " imagePullPolicy: \"IfNotPresent\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: \u001b[38;5;37m\"IfNotPresent\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 204, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 205, - "Content": " - name: DATA_SOURCE_URI", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " 
- \u001b[38;5;33mname\u001b[0m: DATA_SOURCE_URI", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 206, - "Content": " value: \"127.0.0.1:5432/orchestrator?sslmode=disable\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: \u001b[38;5;37m\"127.0.0.1:5432/orchestrator?sslmode=disable\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 207, - "Content": " - name: DATA_SOURCE_PASS", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: DATA_SOURCE_PASS", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 208, - "Content": " valueFrom:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalueFrom\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 209, - "Content": " secretKeyRef:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33msecretKeyRef\u001b[0m:", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 210, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV014", - "AVDID": "AVD-KSV-0014", - "Title": "Root file system is not read-only", - "Description": "An immutable root file system prevents applications from writing to their local disk. 
This can limit intrusions, as attackers will not be able to tamper with the file system or write foreign executables to disk.", - "Message": "Container 'postgresql-postgresql' of StatefulSet 'postgresql-postgresql' should set 'securityContext.readOnlyRootFilesystem' to true", - "Namespace": "builtin.kubernetes.KSV014", - "Query": "data.builtin.kubernetes.KSV014.deny", - "Resolution": "Change 'containers[].securityContext.readOnlyRootFilesystem' to 'true'.", - "Severity": "HIGH", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv014", - "References": [ - "https://kubesec.io/basics/containers-securitycontext-readonlyrootfilesystem-true/", - "https://avd.aquasec.com/misconfig/ksv014" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 138, - "EndLine": 199, - "Code": { - "Lines": [ - { - "Number": 138, - "Content": " - name: postgresql-postgresql", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-postgresql", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 139, - "Content": " image: quay.io/devtron/postgres:11.9.0-debian-10-r26", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/postgres:11.9.0-debian-10-r26", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 140, - "Content": " imagePullPolicy: \"IfNotPresent\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: \u001b[38;5;37m\"IfNotPresent\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 141, - "Content": " securityContext:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33msecurityContext\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 142, - "Content": " runAsUser: 1001", - "IsCause": 
true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1001", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 143, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 144, - "Content": " - name: BITNAMI_DEBUG", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: BITNAMI_DEBUG", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 145, - "Content": " value: \"false\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: \u001b[38;5;37m\"false\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 146, - "Content": " - name: POSTGRESQL_PORT_NUMBER", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: POSTGRESQL_PORT_NUMBER", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 147, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV015", - "AVDID": "AVD-KSV-0015", - "Title": "CPU requests not specified", - "Description": "When containers have resource requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", - "Message": "Container 'init-chmod-data' of StatefulSet 'postgresql-postgresql' should set 'resources.requests.cpu'", - "Namespace": "builtin.kubernetes.KSV015", - "Query": "data.builtin.kubernetes.KSV015.deny", - "Resolution": "Set 'containers[].resources.requests.cpu'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv015", - "References": [ - 
"https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", - "https://avd.aquasec.com/misconfig/ksv015" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 111, - "EndLine": 132, - "Code": { - "Lines": [ - { - "Number": 111, - "Content": " - name: init-chmod-data", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: init-chmod-data", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 112, - "Content": " image: \"quay.io/devtron/minideb:latest\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/minideb:latest\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 113, - "Content": " imagePullPolicy: \"IfNotPresent\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: \u001b[38;5;37m\"IfNotPresent\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 114, - "Content": " command:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mcommand\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 115, - "Content": " - /bin/sh", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - /bin/sh", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 116, - "Content": " - -cx", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - -cx", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 117, - "Content": " - |", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - |", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 118, - "Content": "", - "IsCause": true, - "Annotation": 
"", - "Truncated": false, - "FirstCause": false, - "LastCause": false - }, - { - "Number": 119, - "Content": " mkdir -p /bitnami/postgresql/data", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " mkdir -p /bitnami/postgresql/data", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 120, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV015", - "AVDID": "AVD-KSV-0015", - "Title": "CPU requests not specified", - "Description": "When containers have resource requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", - "Message": "Container 'metrics' of StatefulSet 'postgresql-postgresql' should set 'resources.requests.cpu'", - "Namespace": "builtin.kubernetes.KSV015", - "Query": "data.builtin.kubernetes.KSV015.deny", - "Resolution": "Set 'containers[].resources.requests.cpu'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv015", - "References": [ - "https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", - "https://avd.aquasec.com/misconfig/ksv015" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 201, - "EndLine": 235, - "Code": { - "Lines": [ - { - "Number": 201, - "Content": " - name: metrics", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: metrics", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 202, - "Content": " image: quay.io/devtron/postgres_exporter:v0.4.7", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/postgres_exporter:v0.4.7", - "FirstCause": false, - 
"LastCause": false - }, - { - "Number": 203, - "Content": " imagePullPolicy: \"IfNotPresent\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: \u001b[38;5;37m\"IfNotPresent\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 204, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 205, - "Content": " - name: DATA_SOURCE_URI", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: DATA_SOURCE_URI", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 206, - "Content": " value: \"127.0.0.1:5432/orchestrator?sslmode=disable\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: \u001b[38;5;37m\"127.0.0.1:5432/orchestrator?sslmode=disable\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 207, - "Content": " - name: DATA_SOURCE_PASS", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: DATA_SOURCE_PASS", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 208, - "Content": " valueFrom:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalueFrom\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 209, - "Content": " secretKeyRef:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33msecretKeyRef\u001b[0m:", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 210, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV015", - "AVDID": 
"AVD-KSV-0015", - "Title": "CPU requests not specified", - "Description": "When containers have resource requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", - "Message": "Container 'postgresql-postgresql' of StatefulSet 'postgresql-postgresql' should set 'resources.requests.cpu'", - "Namespace": "builtin.kubernetes.KSV015", - "Query": "data.builtin.kubernetes.KSV015.deny", - "Resolution": "Set 'containers[].resources.requests.cpu'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv015", - "References": [ - "https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits", - "https://avd.aquasec.com/misconfig/ksv015" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 138, - "EndLine": 199, - "Code": { - "Lines": [ - { - "Number": 138, - "Content": " - name: postgresql-postgresql", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-postgresql", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 139, - "Content": " image: quay.io/devtron/postgres:11.9.0-debian-10-r26", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/postgres:11.9.0-debian-10-r26", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 140, - "Content": " imagePullPolicy: \"IfNotPresent\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: \u001b[38;5;37m\"IfNotPresent\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 141, - "Content": " securityContext:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33msecurityContext\u001b[0m:", - "FirstCause": 
false, - "LastCause": false - }, - { - "Number": 142, - "Content": " runAsUser: 1001", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1001", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 143, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 144, - "Content": " - name: BITNAMI_DEBUG", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: BITNAMI_DEBUG", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 145, - "Content": " value: \"false\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: \u001b[38;5;37m\"false\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 146, - "Content": " - name: POSTGRESQL_PORT_NUMBER", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: POSTGRESQL_PORT_NUMBER", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 147, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV016", - "AVDID": "AVD-KSV-0016", - "Title": "Memory requests not specified", - "Description": "When containers have memory requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", - "Message": "Container 'init-chmod-data' of StatefulSet 'postgresql-postgresql' should set 'resources.requests.memory'", - "Namespace": "builtin.kubernetes.KSV016", - "Query": "data.builtin.kubernetes.KSV016.deny", - "Resolution": "Set 'containers[].resources.requests.memory'.", - 
"Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv016", - "References": [ - "https://kubesec.io/basics/containers-resources-limits-memory/", - "https://avd.aquasec.com/misconfig/ksv016" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 111, - "EndLine": 132, - "Code": { - "Lines": [ - { - "Number": 111, - "Content": " - name: init-chmod-data", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: init-chmod-data", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 112, - "Content": " image: \"quay.io/devtron/minideb:latest\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/minideb:latest\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 113, - "Content": " imagePullPolicy: \"IfNotPresent\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: \u001b[38;5;37m\"IfNotPresent\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 114, - "Content": " command:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mcommand\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 115, - "Content": " - /bin/sh", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - /bin/sh", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 116, - "Content": " - -cx", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - -cx", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 117, - "Content": " - |", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - |", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 118, - 
"Content": "", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "FirstCause": false, - "LastCause": false - }, - { - "Number": 119, - "Content": " mkdir -p /bitnami/postgresql/data", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " mkdir -p /bitnami/postgresql/data", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 120, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV016", - "AVDID": "AVD-KSV-0016", - "Title": "Memory requests not specified", - "Description": "When containers have memory requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", - "Message": "Container 'metrics' of StatefulSet 'postgresql-postgresql' should set 'resources.requests.memory'", - "Namespace": "builtin.kubernetes.KSV016", - "Query": "data.builtin.kubernetes.KSV016.deny", - "Resolution": "Set 'containers[].resources.requests.memory'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv016", - "References": [ - "https://kubesec.io/basics/containers-resources-limits-memory/", - "https://avd.aquasec.com/misconfig/ksv016" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 201, - "EndLine": 235, - "Code": { - "Lines": [ - { - "Number": 201, - "Content": " - name: metrics", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: metrics", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 202, - "Content": " image: quay.io/devtron/postgres_exporter:v0.4.7", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/postgres_exporter:v0.4.7", - "FirstCause": false, - 
"LastCause": false - }, - { - "Number": 203, - "Content": " imagePullPolicy: \"IfNotPresent\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: \u001b[38;5;37m\"IfNotPresent\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 204, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 205, - "Content": " - name: DATA_SOURCE_URI", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: DATA_SOURCE_URI", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 206, - "Content": " value: \"127.0.0.1:5432/orchestrator?sslmode=disable\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: \u001b[38;5;37m\"127.0.0.1:5432/orchestrator?sslmode=disable\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 207, - "Content": " - name: DATA_SOURCE_PASS", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: DATA_SOURCE_PASS", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 208, - "Content": " valueFrom:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalueFrom\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 209, - "Content": " secretKeyRef:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33msecretKeyRef\u001b[0m:", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 210, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV016", - "AVDID": 
"AVD-KSV-0016", - "Title": "Memory requests not specified", - "Description": "When containers have memory requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.", - "Message": "Container 'postgresql-postgresql' of StatefulSet 'postgresql-postgresql' should set 'resources.requests.memory'", - "Namespace": "builtin.kubernetes.KSV016", - "Query": "data.builtin.kubernetes.KSV016.deny", - "Resolution": "Set 'containers[].resources.requests.memory'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv016", - "References": [ - "https://kubesec.io/basics/containers-resources-limits-memory/", - "https://avd.aquasec.com/misconfig/ksv016" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 138, - "EndLine": 199, - "Code": { - "Lines": [ - { - "Number": 138, - "Content": " - name: postgresql-postgresql", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-postgresql", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 139, - "Content": " image: quay.io/devtron/postgres:11.9.0-debian-10-r26", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/postgres:11.9.0-debian-10-r26", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 140, - "Content": " imagePullPolicy: \"IfNotPresent\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: \u001b[38;5;37m\"IfNotPresent\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 141, - "Content": " securityContext:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33msecurityContext\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 
142, - "Content": " runAsUser: 1001", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1001", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 143, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 144, - "Content": " - name: BITNAMI_DEBUG", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: BITNAMI_DEBUG", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 145, - "Content": " value: \"false\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: \u001b[38;5;37m\"false\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 146, - "Content": " - name: POSTGRESQL_PORT_NUMBER", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: POSTGRESQL_PORT_NUMBER", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 147, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV018", - "AVDID": "AVD-KSV-0018", - "Title": "Memory not limited", - "Description": "Enforcing memory limits prevents DoS via resource exhaustion.", - "Message": "Container 'init-chmod-data' of StatefulSet 'postgresql-postgresql' should set 'resources.limits.memory'", - "Namespace": "builtin.kubernetes.KSV018", - "Query": "data.builtin.kubernetes.KSV018.deny", - "Resolution": "Set a limit value under 'containers[].resources.limits.memory'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv018", - "References": [ - 
"https://kubesec.io/basics/containers-resources-limits-memory/", - "https://avd.aquasec.com/misconfig/ksv018" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 111, - "EndLine": 132, - "Code": { - "Lines": [ - { - "Number": 111, - "Content": " - name: init-chmod-data", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: init-chmod-data", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 112, - "Content": " image: \"quay.io/devtron/minideb:latest\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/minideb:latest\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 113, - "Content": " imagePullPolicy: \"IfNotPresent\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: \u001b[38;5;37m\"IfNotPresent\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 114, - "Content": " command:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mcommand\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 115, - "Content": " - /bin/sh", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - /bin/sh", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 116, - "Content": " - -cx", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - -cx", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 117, - "Content": " - |", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - |", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 118, - "Content": "", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "FirstCause": false, - 
"LastCause": false - }, - { - "Number": 119, - "Content": " mkdir -p /bitnami/postgresql/data", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " mkdir -p /bitnami/postgresql/data", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 120, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV018", - "AVDID": "AVD-KSV-0018", - "Title": "Memory not limited", - "Description": "Enforcing memory limits prevents DoS via resource exhaustion.", - "Message": "Container 'metrics' of StatefulSet 'postgresql-postgresql' should set 'resources.limits.memory'", - "Namespace": "builtin.kubernetes.KSV018", - "Query": "data.builtin.kubernetes.KSV018.deny", - "Resolution": "Set a limit value under 'containers[].resources.limits.memory'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv018", - "References": [ - "https://kubesec.io/basics/containers-resources-limits-memory/", - "https://avd.aquasec.com/misconfig/ksv018" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 201, - "EndLine": 235, - "Code": { - "Lines": [ - { - "Number": 201, - "Content": " - name: metrics", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: metrics", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 202, - "Content": " image: quay.io/devtron/postgres_exporter:v0.4.7", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/postgres_exporter:v0.4.7", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 203, - "Content": " imagePullPolicy: \"IfNotPresent\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " 
\u001b[38;5;33mimagePullPolicy\u001b[0m: \u001b[38;5;37m\"IfNotPresent\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 204, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 205, - "Content": " - name: DATA_SOURCE_URI", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: DATA_SOURCE_URI", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 206, - "Content": " value: \"127.0.0.1:5432/orchestrator?sslmode=disable\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: \u001b[38;5;37m\"127.0.0.1:5432/orchestrator?sslmode=disable\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 207, - "Content": " - name: DATA_SOURCE_PASS", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: DATA_SOURCE_PASS", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 208, - "Content": " valueFrom:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalueFrom\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 209, - "Content": " secretKeyRef:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33msecretKeyRef\u001b[0m:", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 210, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV018", - "AVDID": "AVD-KSV-0018", - "Title": "Memory not limited", - "Description": "Enforcing memory limits prevents DoS via resource exhaustion.", - "Message": "Container 'postgresql-postgresql' of 
StatefulSet 'postgresql-postgresql' should set 'resources.limits.memory'", - "Namespace": "builtin.kubernetes.KSV018", - "Query": "data.builtin.kubernetes.KSV018.deny", - "Resolution": "Set a limit value under 'containers[].resources.limits.memory'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv018", - "References": [ - "https://kubesec.io/basics/containers-resources-limits-memory/", - "https://avd.aquasec.com/misconfig/ksv018" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 138, - "EndLine": 199, - "Code": { - "Lines": [ - { - "Number": 138, - "Content": " - name: postgresql-postgresql", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-postgresql", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 139, - "Content": " image: quay.io/devtron/postgres:11.9.0-debian-10-r26", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/postgres:11.9.0-debian-10-r26", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 140, - "Content": " imagePullPolicy: \"IfNotPresent\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: \u001b[38;5;37m\"IfNotPresent\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 141, - "Content": " securityContext:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33msecurityContext\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 142, - "Content": " runAsUser: 1001", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1001", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 143, - "Content": " env:", - "IsCause": 
true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 144, - "Content": " - name: BITNAMI_DEBUG", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: BITNAMI_DEBUG", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 145, - "Content": " value: \"false\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: \u001b[38;5;37m\"false\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 146, - "Content": " - name: POSTGRESQL_PORT_NUMBER", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: POSTGRESQL_PORT_NUMBER", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 147, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV020", - "AVDID": "AVD-KSV-0020", - "Title": "Runs with UID \u003c= 10000", - "Description": "Force the container to run with user ID \u003e 10000 to avoid conflicts with the host’s user table.", - "Message": "Container 'init-chmod-data' of StatefulSet 'postgresql-postgresql' should set 'securityContext.runAsUser' \u003e 10000", - "Namespace": "builtin.kubernetes.KSV020", - "Query": "data.builtin.kubernetes.KSV020.deny", - "Resolution": "Set 'containers[].securityContext.runAsUser' to an integer \u003e 10000.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv020", - "References": [ - "https://kubesec.io/basics/containers-securitycontext-runasuser/", - "https://avd.aquasec.com/misconfig/ksv020" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 111, - "EndLine": 132, - 
"Code": { - "Lines": [ - { - "Number": 111, - "Content": " - name: init-chmod-data", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: init-chmod-data", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 112, - "Content": " image: \"quay.io/devtron/minideb:latest\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/minideb:latest\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 113, - "Content": " imagePullPolicy: \"IfNotPresent\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: \u001b[38;5;37m\"IfNotPresent\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 114, - "Content": " command:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mcommand\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 115, - "Content": " - /bin/sh", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - /bin/sh", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 116, - "Content": " - -cx", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - -cx", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 117, - "Content": " - |", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - |", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 118, - "Content": "", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "FirstCause": false, - "LastCause": false - }, - { - "Number": 119, - "Content": " mkdir -p /bitnami/postgresql/data", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " mkdir -p /bitnami/postgresql/data", - "FirstCause": false, - "LastCause": true - }, - { - 
"Number": 120, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV020", - "AVDID": "AVD-KSV-0020", - "Title": "Runs with UID \u003c= 10000", - "Description": "Force the container to run with user ID \u003e 10000 to avoid conflicts with the host’s user table.", - "Message": "Container 'metrics' of StatefulSet 'postgresql-postgresql' should set 'securityContext.runAsUser' \u003e 10000", - "Namespace": "builtin.kubernetes.KSV020", - "Query": "data.builtin.kubernetes.KSV020.deny", - "Resolution": "Set 'containers[].securityContext.runAsUser' to an integer \u003e 10000.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv020", - "References": [ - "https://kubesec.io/basics/containers-securitycontext-runasuser/", - "https://avd.aquasec.com/misconfig/ksv020" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 201, - "EndLine": 235, - "Code": { - "Lines": [ - { - "Number": 201, - "Content": " - name: metrics", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: metrics", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 202, - "Content": " image: quay.io/devtron/postgres_exporter:v0.4.7", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/postgres_exporter:v0.4.7", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 203, - "Content": " imagePullPolicy: \"IfNotPresent\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: \u001b[38;5;37m\"IfNotPresent\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 204, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": 
false, - "Highlighted": "\u001b[0m \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 205, - "Content": " - name: DATA_SOURCE_URI", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: DATA_SOURCE_URI", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 206, - "Content": " value: \"127.0.0.1:5432/orchestrator?sslmode=disable\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: \u001b[38;5;37m\"127.0.0.1:5432/orchestrator?sslmode=disable\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 207, - "Content": " - name: DATA_SOURCE_PASS", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: DATA_SOURCE_PASS", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 208, - "Content": " valueFrom:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalueFrom\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 209, - "Content": " secretKeyRef:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33msecretKeyRef\u001b[0m:", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 210, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV020", - "AVDID": "AVD-KSV-0020", - "Title": "Runs with UID \u003c= 10000", - "Description": "Force the container to run with user ID \u003e 10000 to avoid conflicts with the host’s user table.", - "Message": "Container 'postgresql-postgresql' of StatefulSet 'postgresql-postgresql' should set 'securityContext.runAsUser' \u003e 10000", - "Namespace": "builtin.kubernetes.KSV020", - "Query": 
"data.builtin.kubernetes.KSV020.deny", - "Resolution": "Set 'containers[].securityContext.runAsUser' to an integer \u003e 10000.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv020", - "References": [ - "https://kubesec.io/basics/containers-securitycontext-runasuser/", - "https://avd.aquasec.com/misconfig/ksv020" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 138, - "EndLine": 199, - "Code": { - "Lines": [ - { - "Number": 138, - "Content": " - name: postgresql-postgresql", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-postgresql", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 139, - "Content": " image: quay.io/devtron/postgres:11.9.0-debian-10-r26", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/postgres:11.9.0-debian-10-r26", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 140, - "Content": " imagePullPolicy: \"IfNotPresent\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: \u001b[38;5;37m\"IfNotPresent\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 141, - "Content": " securityContext:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33msecurityContext\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 142, - "Content": " runAsUser: 1001", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1001", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 143, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33menv\u001b[0m:", - 
"FirstCause": false, - "LastCause": false - }, - { - "Number": 144, - "Content": " - name: BITNAMI_DEBUG", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: BITNAMI_DEBUG", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 145, - "Content": " value: \"false\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: \u001b[38;5;37m\"false\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 146, - "Content": " - name: POSTGRESQL_PORT_NUMBER", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: POSTGRESQL_PORT_NUMBER", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 147, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV021", - "AVDID": "AVD-KSV-0021", - "Title": "Runs with GID \u003c= 10000", - "Description": "Force the container to run with group ID \u003e 10000 to avoid conflicts with the host’s user table.", - "Message": "Container 'init-chmod-data' of StatefulSet 'postgresql-postgresql' should set 'securityContext.runAsGroup' \u003e 10000", - "Namespace": "builtin.kubernetes.KSV021", - "Query": "data.builtin.kubernetes.KSV021.deny", - "Resolution": "Set 'containers[].securityContext.runAsGroup' to an integer \u003e 10000.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv021", - "References": [ - "https://kubesec.io/basics/containers-securitycontext-runasuser/", - "https://avd.aquasec.com/misconfig/ksv021" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 111, - "EndLine": 132, - "Code": { - "Lines": [ - { - "Number": 111, - "Content": " - name: init-chmod-data", - "IsCause": true, - 
"Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: init-chmod-data", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 112, - "Content": " image: \"quay.io/devtron/minideb:latest\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/minideb:latest\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 113, - "Content": " imagePullPolicy: \"IfNotPresent\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: \u001b[38;5;37m\"IfNotPresent\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 114, - "Content": " command:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mcommand\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 115, - "Content": " - /bin/sh", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - /bin/sh", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 116, - "Content": " - -cx", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - -cx", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 117, - "Content": " - |", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - |", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 118, - "Content": "", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "FirstCause": false, - "LastCause": false - }, - { - "Number": 119, - "Content": " mkdir -p /bitnami/postgresql/data", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " mkdir -p /bitnami/postgresql/data", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 120, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": 
false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV021", - "AVDID": "AVD-KSV-0021", - "Title": "Runs with GID \u003c= 10000", - "Description": "Force the container to run with group ID \u003e 10000 to avoid conflicts with the host’s user table.", - "Message": "Container 'metrics' of StatefulSet 'postgresql-postgresql' should set 'securityContext.runAsGroup' \u003e 10000", - "Namespace": "builtin.kubernetes.KSV021", - "Query": "data.builtin.kubernetes.KSV021.deny", - "Resolution": "Set 'containers[].securityContext.runAsGroup' to an integer \u003e 10000.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv021", - "References": [ - "https://kubesec.io/basics/containers-securitycontext-runasuser/", - "https://avd.aquasec.com/misconfig/ksv021" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 201, - "EndLine": 235, - "Code": { - "Lines": [ - { - "Number": 201, - "Content": " - name: metrics", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: metrics", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 202, - "Content": " image: quay.io/devtron/postgres_exporter:v0.4.7", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/postgres_exporter:v0.4.7", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 203, - "Content": " imagePullPolicy: \"IfNotPresent\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: \u001b[38;5;37m\"IfNotPresent\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 204, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false 
- }, - { - "Number": 205, - "Content": " - name: DATA_SOURCE_URI", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: DATA_SOURCE_URI", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 206, - "Content": " value: \"127.0.0.1:5432/orchestrator?sslmode=disable\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: \u001b[38;5;37m\"127.0.0.1:5432/orchestrator?sslmode=disable\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 207, - "Content": " - name: DATA_SOURCE_PASS", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: DATA_SOURCE_PASS", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 208, - "Content": " valueFrom:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalueFrom\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 209, - "Content": " secretKeyRef:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33msecretKeyRef\u001b[0m:", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 210, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV021", - "AVDID": "AVD-KSV-0021", - "Title": "Runs with GID \u003c= 10000", - "Description": "Force the container to run with group ID \u003e 10000 to avoid conflicts with the host’s user table.", - "Message": "Container 'postgresql-postgresql' of StatefulSet 'postgresql-postgresql' should set 'securityContext.runAsGroup' \u003e 10000", - "Namespace": "builtin.kubernetes.KSV021", - "Query": "data.builtin.kubernetes.KSV021.deny", - "Resolution": "Set 'containers[].securityContext.runAsGroup' to an integer \u003e 10000.", - 
"Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv021", - "References": [ - "https://kubesec.io/basics/containers-securitycontext-runasuser/", - "https://avd.aquasec.com/misconfig/ksv021" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 138, - "EndLine": 199, - "Code": { - "Lines": [ - { - "Number": 138, - "Content": " - name: postgresql-postgresql", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-postgresql", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 139, - "Content": " image: quay.io/devtron/postgres:11.9.0-debian-10-r26", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/postgres:11.9.0-debian-10-r26", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 140, - "Content": " imagePullPolicy: \"IfNotPresent\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: \u001b[38;5;37m\"IfNotPresent\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 141, - "Content": " securityContext:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33msecurityContext\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 142, - "Content": " runAsUser: 1001", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1001", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 143, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 144, - "Content": " - name: BITNAMI_DEBUG", - "IsCause": true, - "Annotation": 
"", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: BITNAMI_DEBUG", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 145, - "Content": " value: \"false\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: \u001b[38;5;37m\"false\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 146, - "Content": " - name: POSTGRESQL_PORT_NUMBER", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: POSTGRESQL_PORT_NUMBER", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 147, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV030", - "AVDID": "AVD-KSV-0030", - "Title": "Runtime/Default Seccomp profile not set", - "Description": "According to pod security standard 'Seccomp', the RuntimeDefault seccomp profile must be required, or allow specific additional profiles.", - "Message": "Either Pod or Container should set 'securityContext.seccompProfile.type' to 'RuntimeDefault'", - "Namespace": "builtin.kubernetes.KSV030", - "Query": "data.builtin.kubernetes.KSV030.deny", - "Resolution": "Set 'spec.securityContext.seccompProfile.type', 'spec.containers[*].securityContext.seccompProfile' and 'spec.initContainers[*].securityContext.seccompProfile' to 'RuntimeDefault' or undefined.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv030", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", - "https://avd.aquasec.com/misconfig/ksv030" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 201, - "EndLine": 235, - "Code": { - "Lines": [ - { - "Number": 201, - "Content": " - name: metrics", - "IsCause": 
true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: metrics", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 202, - "Content": " image: quay.io/devtron/postgres_exporter:v0.4.7", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/postgres_exporter:v0.4.7", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 203, - "Content": " imagePullPolicy: \"IfNotPresent\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: \u001b[38;5;37m\"IfNotPresent\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 204, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 205, - "Content": " - name: DATA_SOURCE_URI", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: DATA_SOURCE_URI", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 206, - "Content": " value: \"127.0.0.1:5432/orchestrator?sslmode=disable\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: \u001b[38;5;37m\"127.0.0.1:5432/orchestrator?sslmode=disable\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 207, - "Content": " - name: DATA_SOURCE_PASS", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: DATA_SOURCE_PASS", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 208, - "Content": " valueFrom:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalueFrom\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 209, - "Content": " 
secretKeyRef:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33msecretKeyRef\u001b[0m:", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 210, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV030", - "AVDID": "AVD-KSV-0030", - "Title": "Runtime/Default Seccomp profile not set", - "Description": "According to pod security standard 'Seccomp', the RuntimeDefault seccomp profile must be required, or allow specific additional profiles.", - "Message": "Either Pod or Container should set 'securityContext.seccompProfile.type' to 'RuntimeDefault'", - "Namespace": "builtin.kubernetes.KSV030", - "Query": "data.builtin.kubernetes.KSV030.deny", - "Resolution": "Set 'spec.securityContext.seccompProfile.type', 'spec.containers[*].securityContext.seccompProfile' and 'spec.initContainers[*].securityContext.seccompProfile' to 'RuntimeDefault' or undefined.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv030", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", - "https://avd.aquasec.com/misconfig/ksv030" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 138, - "EndLine": 199, - "Code": { - "Lines": [ - { - "Number": 138, - "Content": " - name: postgresql-postgresql", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-postgresql", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 139, - "Content": " image: quay.io/devtron/postgres:11.9.0-debian-10-r26", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/postgres:11.9.0-debian-10-r26", - "FirstCause": false, - 
"LastCause": false - }, - { - "Number": 140, - "Content": " imagePullPolicy: \"IfNotPresent\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: \u001b[38;5;37m\"IfNotPresent\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 141, - "Content": " securityContext:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33msecurityContext\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 142, - "Content": " runAsUser: 1001", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1001", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 143, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 144, - "Content": " - name: BITNAMI_DEBUG", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: BITNAMI_DEBUG", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 145, - "Content": " value: \"false\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: \u001b[38;5;37m\"false\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 146, - "Content": " - name: POSTGRESQL_PORT_NUMBER", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: POSTGRESQL_PORT_NUMBER", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 147, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV030", - "AVDID": "AVD-KSV-0030", - "Title": 
"Runtime/Default Seccomp profile not set", - "Description": "According to pod security standard 'Seccomp', the RuntimeDefault seccomp profile must be required, or allow specific additional profiles.", - "Message": "Either Pod or Container should set 'securityContext.seccompProfile.type' to 'RuntimeDefault'", - "Namespace": "builtin.kubernetes.KSV030", - "Query": "data.builtin.kubernetes.KSV030.deny", - "Resolution": "Set 'spec.securityContext.seccompProfile.type', 'spec.containers[*].securityContext.seccompProfile' and 'spec.initContainers[*].securityContext.seccompProfile' to 'RuntimeDefault' or undefined.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv030", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", - "https://avd.aquasec.com/misconfig/ksv030" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 111, - "EndLine": 132, - "Code": { - "Lines": [ - { - "Number": 111, - "Content": " - name: init-chmod-data", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: init-chmod-data", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 112, - "Content": " image: \"quay.io/devtron/minideb:latest\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/minideb:latest\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 113, - "Content": " imagePullPolicy: \"IfNotPresent\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: \u001b[38;5;37m\"IfNotPresent\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 114, - "Content": " command:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m 
\u001b[38;5;33mcommand\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 115, - "Content": " - /bin/sh", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - /bin/sh", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 116, - "Content": " - -cx", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - -cx", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 117, - "Content": " - |", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - |", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 118, - "Content": "", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "FirstCause": false, - "LastCause": false - }, - { - "Number": 119, - "Content": " mkdir -p /bitnami/postgresql/data", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " mkdir -p /bitnami/postgresql/data", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 120, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV104", - "AVDID": "AVD-KSV-0104", - "Title": "Seccomp policies disabled", - "Description": "A program inside the container can bypass Seccomp protection policies.", - "Message": "container \"init-chmod-data\" of statefulset \"postgresql-postgresql\" in \"default\" namespace should specify a seccomp profile", - "Namespace": "builtin.kubernetes.KSV104", - "Query": "data.builtin.kubernetes.KSV104.deny", - "Resolution": "Specify seccomp either by annotation or by seccomp profile type having allowed values as per pod security standards", - "Severity": "MEDIUM", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv104", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline", - 
"https://avd.aquasec.com/misconfig/ksv104" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 79, - "EndLine": 79, - "Code": { - "Lines": [ - { - "Number": 79, - "Content": "---", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "---", - "FirstCause": true, - "LastCause": true - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV104", - "AVDID": "AVD-KSV-0104", - "Title": "Seccomp policies disabled", - "Description": "A program inside the container can bypass Seccomp protection policies.", - "Message": "container \"metrics\" of statefulset \"postgresql-postgresql\" in \"default\" namespace should specify a seccomp profile", - "Namespace": "builtin.kubernetes.KSV104", - "Query": "data.builtin.kubernetes.KSV104.deny", - "Resolution": "Specify seccomp either by annotation or by seccomp profile type having allowed values as per pod security standards", - "Severity": "MEDIUM", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv104", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline", - "https://avd.aquasec.com/misconfig/ksv104" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 79, - "EndLine": 79, - "Code": { - "Lines": [ - { - "Number": 79, - "Content": "---", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "---", - "FirstCause": true, - "LastCause": true - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV104", - "AVDID": "AVD-KSV-0104", - "Title": "Seccomp policies disabled", - "Description": "A program inside the container can bypass Seccomp protection policies.", - "Message": "container \"postgresql-postgresql\" of statefulset \"postgresql-postgresql\" in \"default\" namespace should specify a seccomp profile", - "Namespace": "builtin.kubernetes.KSV104", - 
"Query": "data.builtin.kubernetes.KSV104.deny", - "Resolution": "Specify seccomp either by annotation or by seccomp profile type having allowed values as per pod security standards", - "Severity": "MEDIUM", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv104", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline", - "https://avd.aquasec.com/misconfig/ksv104" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 79, - "EndLine": 79, - "Code": { - "Lines": [ - { - "Number": 79, - "Content": "---", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "---", - "FirstCause": true, - "LastCause": true - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV105", - "AVDID": "AVD-KSV-0105", - "Title": "Containers must not set runAsUser to 0", - "Description": "Containers should be forbidden from running with a root UID.", - "Message": "securityContext.runAsUser should be set to a value greater than 0", - "Namespace": "builtin.kubernetes.KSV105", - "Query": "data.builtin.kubernetes.KSV105.deny", - "Resolution": "Set 'securityContext.runAsUser' to a non-zero integer or leave undefined.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv105", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", - "https://avd.aquasec.com/misconfig/ksv105" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 125, - "EndLine": 125, - "Code": { - "Lines": [ - { - "Number": 125, - "Content": " runAsUser: 0", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m0", - "FirstCause": true, - "LastCause": true - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV106", - "AVDID": 
"AVD-KSV-0106", - "Title": "Container capabilities must only include NET_BIND_SERVICE", - "Description": "Containers must drop ALL capabilities, and are only permitted to add back the NET_BIND_SERVICE capability.", - "Message": "container should drop all", - "Namespace": "builtin.kubernetes.KSV106", - "Query": "data.builtin.kubernetes.KSV106.deny", - "Resolution": "Set 'spec.containers[*].securityContext.capabilities.drop' to 'ALL' and only add 'NET_BIND_SERVICE' to 'spec.containers[*].securityContext.capabilities.add'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv106", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", - "https://avd.aquasec.com/misconfig/ksv106" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 111, - "EndLine": 132, - "Code": { - "Lines": [ - { - "Number": 111, - "Content": " - name: init-chmod-data", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: init-chmod-data", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 112, - "Content": " image: \"quay.io/devtron/minideb:latest\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: \u001b[38;5;37m\"quay.io/devtron/minideb:latest\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 113, - "Content": " imagePullPolicy: \"IfNotPresent\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mimagePullPolicy\u001b[0m: \u001b[38;5;37m\"IfNotPresent\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 114, - "Content": " command:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33mcommand\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 115, - 
"Content": " - /bin/sh", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - /bin/sh", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 116, - "Content": " - -cx", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - -cx", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 117, - "Content": " - |", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - |", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 118, - "Content": "", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "FirstCause": false, - "LastCause": false - }, - { - "Number": 119, - "Content": " mkdir -p /bitnami/postgresql/data", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " mkdir -p /bitnami/postgresql/data", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 120, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV106", - "AVDID": "AVD-KSV-0106", - "Title": "Container capabilities must only include NET_BIND_SERVICE", - "Description": "Containers must drop ALL capabilities, and are only permitted to add back the NET_BIND_SERVICE capability.", - "Message": "container should drop all", - "Namespace": "builtin.kubernetes.KSV106", - "Query": "data.builtin.kubernetes.KSV106.deny", - "Resolution": "Set 'spec.containers[*].securityContext.capabilities.drop' to 'ALL' and only add 'NET_BIND_SERVICE' to 'spec.containers[*].securityContext.capabilities.add'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv106", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", - "https://avd.aquasec.com/misconfig/ksv106" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - 
"Service": "general", - "StartLine": 138, - "EndLine": 199, - "Code": { - "Lines": [ - { - "Number": 138, - "Content": " - name: postgresql-postgresql", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: postgresql-postgresql", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 139, - "Content": " image: quay.io/devtron/postgres:11.9.0-debian-10-r26", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: quay.io/devtron/postgres:11.9.0-debian-10-r26", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 140, - "Content": " imagePullPolicy: \"IfNotPresent\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: \u001b[38;5;37m\"IfNotPresent\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 141, - "Content": " securityContext:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33msecurityContext\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 142, - "Content": " runAsUser: 1001", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m1001", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 143, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 144, - "Content": " - name: BITNAMI_DEBUG", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: BITNAMI_DEBUG", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 145, - "Content": " value: \"false\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " 
\u001b[38;5;33mvalue\u001b[0m: \u001b[38;5;37m\"false\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 146, - "Content": " - name: POSTGRESQL_PORT_NUMBER", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: POSTGRESQL_PORT_NUMBER", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 147, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - }, - { - "Type": "Kubernetes Security Check", - "ID": "KSV106", - "AVDID": "AVD-KSV-0106", - "Title": "Container capabilities must only include NET_BIND_SERVICE", - "Description": "Containers must drop ALL capabilities, and are only permitted to add back the NET_BIND_SERVICE capability.", - "Message": "container should drop all", - "Namespace": "builtin.kubernetes.KSV106", - "Query": "data.builtin.kubernetes.KSV106.deny", - "Resolution": "Set 'spec.containers[*].securityContext.capabilities.drop' to 'ALL' and only add 'NET_BIND_SERVICE' to 'spec.containers[*].securityContext.capabilities.add'.", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ksv106", - "References": [ - "https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted", - "https://avd.aquasec.com/misconfig/ksv106" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Kubernetes", - "Service": "general", - "StartLine": 201, - "EndLine": 235, - "Code": { - "Lines": [ - { - "Number": 201, - "Content": " - name: metrics", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: metrics", - "FirstCause": true, - "LastCause": false - }, - { - "Number": 202, - "Content": " image: quay.io/devtron/postgres_exporter:v0.4.7", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimage\u001b[0m: 
quay.io/devtron/postgres_exporter:v0.4.7", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 203, - "Content": " imagePullPolicy: \"IfNotPresent\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mimagePullPolicy\u001b[0m: \u001b[38;5;37m\"IfNotPresent\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 204, - "Content": " env:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m \u001b[38;5;33menv\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 205, - "Content": " - name: DATA_SOURCE_URI", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " - \u001b[38;5;33mname\u001b[0m: DATA_SOURCE_URI", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 206, - "Content": " value: \"127.0.0.1:5432/orchestrator?sslmode=disable\"", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalue\u001b[0m: \u001b[38;5;37m\"127.0.0.1:5432/orchestrator?sslmode=disable\"", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 207, - "Content": " - name: DATA_SOURCE_PASS", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[0m - \u001b[38;5;33mname\u001b[0m: DATA_SOURCE_PASS", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 208, - "Content": " valueFrom:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33mvalueFrom\u001b[0m:", - "FirstCause": false, - "LastCause": false - }, - { - "Number": 209, - "Content": " secretKeyRef:", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": " \u001b[38;5;33msecretKeyRef\u001b[0m:", - "FirstCause": false, - "LastCause": true - }, - { - "Number": 210, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": true, - "FirstCause": false, - "LastCause": false - } - ] - } - } - } - ] - }, - 
{ - "Target": "vendor/github.com/argoproj/argo-workflows/v3/Dockerfile", - "Class": "config", - "Type": "dockerfile", - "MisconfSummary": { - "Successes": 25, - "Failures": 4, - "Exceptions": 0 - }, - "Misconfigurations": [ - { - "Type": "Dockerfile Security Check", - "ID": "DS001", - "AVDID": "AVD-DS-0001", - "Title": "':latest' tag used", - "Description": "When using a 'FROM' statement you should use a specific tag to avoid uncontrolled behavior when the image is updated.", - "Message": "Specify a tag in the 'FROM' statement for image 'gcr.io/distroless/static'", - "Namespace": "builtin.dockerfile.DS001", - "Query": "data.builtin.dockerfile.DS001.deny", - "Resolution": "Add a tag to the image in the 'FROM' statement", - "Severity": "MEDIUM", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ds001", - "References": [ - "https://avd.aquasec.com/misconfig/ds001" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Dockerfile", - "Service": "general", - "StartLine": 95, - "EndLine": 95, - "Code": { - "Lines": [ - { - "Number": 95, - "Content": "FROM gcr.io/distroless/static as argoexec", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[38;5;64mFROM\u001b[0m\u001b[38;5;37m gcr.io/distroless/static as argoexec", - "FirstCause": true, - "LastCause": true - } - ] - } - } - }, - { - "Type": "Dockerfile Security Check", - "ID": "DS001", - "AVDID": "AVD-DS-0001", - "Title": "':latest' tag used", - "Description": "When using a 'FROM' statement you should use a specific tag to avoid uncontrolled behavior when the image is updated.", - "Message": "Specify a tag in the 'FROM' statement for image 'gcr.io/distroless/static'", - "Namespace": "builtin.dockerfile.DS001", - "Query": "data.builtin.dockerfile.DS001.deny", - "Resolution": "Add a tag to the image in the 'FROM' statement", - "Severity": "MEDIUM", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ds001", - "References": [ - 
"https://avd.aquasec.com/misconfig/ds001" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Dockerfile", - "Service": "general", - "StartLine": 108, - "EndLine": 108, - "Code": { - "Lines": [ - { - "Number": 108, - "Content": "FROM gcr.io/distroless/static as workflow-controller", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[38;5;64mFROM\u001b[0m\u001b[38;5;37m gcr.io/distroless/static as workflow-controller", - "FirstCause": true, - "LastCause": true - } - ] - } - } - }, - { - "Type": "Dockerfile Security Check", - "ID": "DS001", - "AVDID": "AVD-DS-0001", - "Title": "':latest' tag used", - "Description": "When using a 'FROM' statement you should use a specific tag to avoid uncontrolled behavior when the image is updated.", - "Message": "Specify a tag in the 'FROM' statement for image 'gcr.io/distroless/static'", - "Namespace": "builtin.dockerfile.DS001", - "Query": "data.builtin.dockerfile.DS001.deny", - "Resolution": "Add a tag to the image in the 'FROM' statement", - "Severity": "MEDIUM", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ds001", - "References": [ - "https://avd.aquasec.com/misconfig/ds001" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Dockerfile", - "Service": "general", - "StartLine": 120, - "EndLine": 120, - "Code": { - "Lines": [ - { - "Number": 120, - "Content": "FROM gcr.io/distroless/static as argocli", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "\u001b[38;5;64mFROM\u001b[0m\u001b[38;5;37m gcr.io/distroless/static as argocli", - "FirstCause": true, - "LastCause": true - } - ] - } - } - }, - { - "Type": "Dockerfile Security Check", - "ID": "DS026", - "AVDID": "AVD-DS-0026", - "Title": "No HEALTHCHECK defined", - "Description": "You should add HEALTHCHECK instruction in your docker container images to perform the health check on running containers.", - "Message": "Add HEALTHCHECK instruction in your 
Dockerfile", - "Namespace": "builtin.dockerfile.DS026", - "Query": "data.builtin.dockerfile.DS026.deny", - "Resolution": "Add HEALTHCHECK instruction in Dockerfile", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ds026", - "References": [ - "https://blog.aquasec.com/docker-security-best-practices", - "https://avd.aquasec.com/misconfig/ds026" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Dockerfile", - "Service": "general", - "Code": { - "Lines": null - } - } - } - ] - }, - { - "Target": "vendor/github.com/argoproj/argo-workflows/v3/Dockerfile.windows", - "Class": "config", - "Type": "dockerfile", - "MisconfSummary": { - "Successes": 25, - "Failures": 2, - "Exceptions": 0 - }, - "Misconfigurations": [ - { - "Type": "Dockerfile Security Check", - "ID": "DS009", - "AVDID": "AVD-DS-0009", - "Title": "WORKDIR path not absolute", - "Description": "For clarity and reliability, you should always use absolute paths for your WORKDIR.", - "Message": "WORKDIR path 'C:/Users/ContainerAdministrator/go/src/github.com/argoproj/argo-workflows' should be absolute", - "Namespace": "builtin.dockerfile.DS009", - "Query": "data.builtin.dockerfile.DS009.deny", - "Resolution": "Use absolute paths for your WORKDIR", - "Severity": "HIGH", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ds009", - "References": [ - "https://docs.docker.com/develop/develop-images/dockerfile_best-practices/#workdir", - "https://avd.aquasec.com/misconfig/ds009" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Dockerfile", - "Service": "general", - "StartLine": 51, - "EndLine": 51, - "Code": { - "Lines": [ - { - "Number": 51, - "Content": "WORKDIR C:/Users/ContainerAdministrator/go/src/github.com/argoproj/argo-workflows", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "WORKDIR C:/Users/ContainerAdministrator/go/src/github.com/argoproj/argo-workflows", - "FirstCause": true, - "LastCause": true - } - 
] - } - } - }, - { - "Type": "Dockerfile Security Check", - "ID": "DS026", - "AVDID": "AVD-DS-0026", - "Title": "No HEALTHCHECK defined", - "Description": "You should add HEALTHCHECK instruction in your docker container images to perform the health check on running containers.", - "Message": "Add HEALTHCHECK instruction in your Dockerfile", - "Namespace": "builtin.dockerfile.DS026", - "Query": "data.builtin.dockerfile.DS026.deny", - "Resolution": "Add HEALTHCHECK instruction in Dockerfile", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ds026", - "References": [ - "https://blog.aquasec.com/docker-security-best-practices", - "https://avd.aquasec.com/misconfig/ds026" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Dockerfile", - "Service": "general", - "Code": { - "Lines": null - } - } - } - ] - }, - { - "Target": "vendor/github.com/pjbgf/sha1cd/Dockerfile.arm", - "Class": "config", - "Type": "dockerfile", - "MisconfSummary": { - "Successes": 25, - "Failures": 2, - "Exceptions": 0 - }, - "Misconfigurations": [ - { - "Type": "Dockerfile Security Check", - "ID": "DS002", - "AVDID": "AVD-DS-0002", - "Title": "Image user should not be 'root'", - "Description": "Running containers with 'root' user can lead to a container escape situation. 
It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.", - "Message": "Specify at least 1 USER command in Dockerfile with non-root user as argument", - "Namespace": "builtin.dockerfile.DS002", - "Query": "data.builtin.dockerfile.DS002.deny", - "Resolution": "Add 'USER \u003cnon root user name\u003e' line to the Dockerfile", - "Severity": "HIGH", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ds002", - "References": [ - "https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", - "https://avd.aquasec.com/misconfig/ds002" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Dockerfile", - "Service": "general", - "Code": { - "Lines": null - } - } - }, - { - "Type": "Dockerfile Security Check", - "ID": "DS026", - "AVDID": "AVD-DS-0026", - "Title": "No HEALTHCHECK defined", - "Description": "You should add HEALTHCHECK instruction in your docker container images to perform the health check on running containers.", - "Message": "Add HEALTHCHECK instruction in your Dockerfile", - "Namespace": "builtin.dockerfile.DS026", - "Query": "data.builtin.dockerfile.DS026.deny", - "Resolution": "Add HEALTHCHECK instruction in Dockerfile", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ds026", - "References": [ - "https://blog.aquasec.com/docker-security-best-practices", - "https://avd.aquasec.com/misconfig/ds026" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Dockerfile", - "Service": "general", - "Code": { - "Lines": null - } - } - } - ] - }, - { - "Target": "vendor/github.com/pjbgf/sha1cd/Dockerfile.arm64", - "Class": "config", - "Type": "dockerfile", - "MisconfSummary": { - "Successes": 25, - "Failures": 2, - "Exceptions": 0 - }, - "Misconfigurations": [ - { - "Type": "Dockerfile Security Check", - "ID": "DS002", - "AVDID": "AVD-DS-0002", - "Title": "Image user should not be 'root'", - "Description": "Running 
containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.", - "Message": "Specify at least 1 USER command in Dockerfile with non-root user as argument", - "Namespace": "builtin.dockerfile.DS002", - "Query": "data.builtin.dockerfile.DS002.deny", - "Resolution": "Add 'USER \u003cnon root user name\u003e' line to the Dockerfile", - "Severity": "HIGH", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ds002", - "References": [ - "https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", - "https://avd.aquasec.com/misconfig/ds002" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Dockerfile", - "Service": "general", - "Code": { - "Lines": null - } - } - }, - { - "Type": "Dockerfile Security Check", - "ID": "DS026", - "AVDID": "AVD-DS-0026", - "Title": "No HEALTHCHECK defined", - "Description": "You should add HEALTHCHECK instruction in your docker container images to perform the health check on running containers.", - "Message": "Add HEALTHCHECK instruction in your Dockerfile", - "Namespace": "builtin.dockerfile.DS026", - "Query": "data.builtin.dockerfile.DS026.deny", - "Resolution": "Add HEALTHCHECK instruction in Dockerfile", - "Severity": "LOW", - "PrimaryURL": "https://avd.aquasec.com/misconfig/ds026", - "References": [ - "https://blog.aquasec.com/docker-security-best-practices", - "https://avd.aquasec.com/misconfig/ds026" - ], - "Status": "FAIL", - "Layer": {}, - "CauseMetadata": { - "Provider": "Dockerfile", - "Service": "general", - "Code": { - "Lines": null - } - } - } - ] - }, - { - "Target": "vendor/google.golang.org/api/iamcredentials/v1/iamcredentials-api.json", - "Class": "config", - "Type": "cloudformation", - "MisconfSummary": { - "Successes": 5, - "Failures": 0, - "Exceptions": 0 - } - }, - { - "Target": "localhost.key", - "Class": "secret", - "Secrets": [ - { - "RuleID": 
"private-key", - "Category": "AsymmetricPrivateKey", - "Severity": "HIGH", - "Title": "Asymmetric Private Key", - "StartLine": 1, - "EndLine": 1, - "Code": { - "Lines": [ - { - "Number": 1, - "Content": "-----BEGIN PRIVATE KEY-----*******************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************-----END PRIVATE KEY-----", - "IsCause": true, - "Annotation": "", - "Truncated": false, - "Highlighted": "-----BEGIN 
PRIVATE KEY-----*******************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************-----END PRIVATE KEY-----", - "FirstCause": true, - "LastCause": true - }, - { - "Number": 2, - "Content": "", - "IsCause": false, - "Annotation": "", - "Truncated": false, - "FirstCause": false, - "LastCause": false - } - ] - }, - "Match": "-----BEGIN PRIVATE 
KEY-----*******************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************-----END PRIVATE KEY", - "Layer": {} - } - ] - }, - { - "Target": "OS Packages", - "Class": "license" - }, - { - "Target": "vendor/go.opentelemetry.io/otel/requirements.txt", - "Class": "license" - }, - { - "Target": "go.mod", - "Class": "license" - }, - { - "Target": "Loose File License(s)", - "Class": "license-file", - "Licenses": [ - { 
- "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "scripts/casbin/1_insert.up.sql", - "Name": "Apache-2.0", - "Confidence": 0.9285714285714286, - "Link": "https://spdx.org/licenses/Apache-2.0.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/google.golang.org/genproto/LICENSE", - "Name": "Apache-2.0", - "Confidence": 1, - "Link": "https://spdx.org/licenses/Apache-2.0.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/google.golang.org/genproto/googleapis/api/LICENSE", - "Name": "Apache-2.0", - "Confidence": 1, - "Link": "https://spdx.org/licenses/Apache-2.0.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/google.golang.org/genproto/googleapis/rpc/LICENSE", - "Name": "Apache-2.0", - "Confidence": 1, - "Link": "https://spdx.org/licenses/Apache-2.0.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/google.golang.org/protobuf/LICENSE", - "Name": "BSD-3-Clause", - "Confidence": 0.9812206572769953, - "Link": "https://spdx.org/licenses/BSD-3-Clause.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/google.golang.org/api/LICENSE", - "Name": "BSD-3-Clause", - "Confidence": 0.9812206572769953, - "Link": "https://spdx.org/licenses/BSD-3-Clause.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/google.golang.org/api/internal/third_party/uritemplates/LICENSE", - "Name": "BSD-3-Clause", - "Confidence": 0.9812206572769953, - "Link": "https://spdx.org/licenses/BSD-3-Clause.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/google.golang.org/grpc/NOTICE.txt", - "Name": "Apache-2.0", - "Confidence": 0.9285714285714286, - "Link": "https://spdx.org/licenses/Apache-2.0.html" - }, - { - "Severity": "LOW", - "Category": "notice", 
- "PkgName": "", - "FilePath": "vendor/google.golang.org/grpc/regenerate.sh", - "Name": "Apache-2.0", - "Confidence": 0.9285714285714286, - "Link": "https://spdx.org/licenses/Apache-2.0.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/google.golang.org/grpc/LICENSE", - "Name": "Apache-2.0", - "Confidence": 1, - "Link": "https://spdx.org/licenses/Apache-2.0.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/google.golang.org/appengine/LICENSE", - "Name": "Apache-2.0", - "Confidence": 1, - "Link": "https://spdx.org/licenses/Apache-2.0.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/cloud.google.com/go/storage/LICENSE", - "Name": "Apache-2.0", - "Confidence": 1, - "Link": "https://spdx.org/licenses/Apache-2.0.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/cloud.google.com/go/storage/emulator_test.sh", - "Name": "Apache-2.0", - "Confidence": 0.9285714285714286, - "Link": "https://spdx.org/licenses/Apache-2.0.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/cloud.google.com/go/LICENSE", - "Name": "Apache-2.0", - "Confidence": 1, - "Link": "https://spdx.org/licenses/Apache-2.0.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/cloud.google.com/go/compute/LICENSE", - "Name": "Apache-2.0", - "Confidence": 1, - "Link": "https://spdx.org/licenses/Apache-2.0.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/cloud.google.com/go/compute/metadata/LICENSE", - "Name": "Apache-2.0", - "Confidence": 1, - "Link": "https://spdx.org/licenses/Apache-2.0.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/cloud.google.com/go/iam/LICENSE", - "Name": "Apache-2.0", - "Confidence": 1, - "Link": 
"https://spdx.org/licenses/Apache-2.0.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/cloud.google.com/go/internal/version/update_version.sh", - "Name": "Apache-2.0", - "Confidence": 0.9285714285714286, - "Link": "https://spdx.org/licenses/Apache-2.0.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/gopkg.in/yaml.v3/LICENSE", - "Name": "Apache-2.0", - "Confidence": 0.9285714285714286, - "Link": "https://spdx.org/licenses/Apache-2.0.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/gopkg.in/yaml.v3/LICENSE", - "Name": "MIT", - "Confidence": 1, - "Link": "https://spdx.org/licenses/MIT.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/gopkg.in/go-playground/validator.v9/LICENSE", - "Name": "MIT", - "Confidence": 1, - "Link": "https://spdx.org/licenses/MIT.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/gopkg.in/igm/sockjs-go.v3/LICENSE", - "Name": "BSD-3-Clause", - "Confidence": 0.9906976744186047, - "Link": "https://spdx.org/licenses/BSD-3-Clause.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/gopkg.in/inf.v0/LICENSE", - "Name": "BSD-3-Clause", - "Confidence": 0.9906976744186047, - "Link": "https://spdx.org/licenses/BSD-3-Clause.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/gopkg.in/jcmturner/aescts.v1/LICENSE", - "Name": "Apache-2.0", - "Confidence": 1, - "Link": "https://spdx.org/licenses/Apache-2.0.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/gopkg.in/jcmturner/dnsutils.v1/LICENSE", - "Name": "Apache-2.0", - "Confidence": 1, - "Link": "https://spdx.org/licenses/Apache-2.0.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": 
"vendor/gopkg.in/jcmturner/gokrb5.v5/LICENSE", - "Name": "Apache-2.0", - "Confidence": 1, - "Link": "https://spdx.org/licenses/Apache-2.0.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/gopkg.in/jcmturner/rpc.v0/LICENSE", - "Name": "Apache-2.0", - "Confidence": 1, - "Link": "https://spdx.org/licenses/Apache-2.0.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/gopkg.in/square/go-jose.v2/LICENSE", - "Name": "Apache-2.0", - "Confidence": 1, - "Link": "https://spdx.org/licenses/Apache-2.0.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/gopkg.in/square/go-jose.v2/json/LICENSE", - "Name": "BSD-3-Clause", - "Confidence": 0.9812206572769953, - "Link": "https://spdx.org/licenses/BSD-3-Clause.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/gopkg.in/warnings.v0/LICENSE", - "Name": "BSD-2-Clause", - "Confidence": 0.994535519125683, - "Link": "https://spdx.org/licenses/BSD-2-Clause.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/gopkg.in/yaml.v2/LICENSE", - "Name": "Apache-2.0", - "Confidence": 1, - "Link": "https://spdx.org/licenses/Apache-2.0.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/go.opencensus.io/LICENSE", - "Name": "Apache-2.0", - "Confidence": 1, - "Link": "https://spdx.org/licenses/Apache-2.0.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/go.starlark.net/LICENSE", - "Name": "BSD-3-Clause", - "Confidence": 1, - "Link": "https://spdx.org/licenses/BSD-3-Clause.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/xorm.io/builder/LICENSE", - "Name": "BSD-3-Clause", - "Confidence": 0.9953488372093023, - "Link": "https://spdx.org/licenses/BSD-3-Clause.html" - }, - { - 
"Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/xorm.io/core/LICENSE", - "Name": "BSD-3-Clause", - "Confidence": 0.9953488372093023, - "Link": "https://spdx.org/licenses/BSD-3-Clause.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/go.opentelemetry.io/otel/LICENSE", - "Name": "Apache-2.0", - "Confidence": 1, - "Link": "https://spdx.org/licenses/Apache-2.0.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/go.opentelemetry.io/otel/exporters/otlp/otlptrace/LICENSE", - "Name": "Apache-2.0", - "Confidence": 1, - "Link": "https://spdx.org/licenses/Apache-2.0.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc/LICENSE", - "Name": "Apache-2.0", - "Confidence": 1, - "Link": "https://spdx.org/licenses/Apache-2.0.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/go.opentelemetry.io/otel/metric/LICENSE", - "Name": "Apache-2.0", - "Confidence": 1, - "Link": "https://spdx.org/licenses/Apache-2.0.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/go.opentelemetry.io/otel/sdk/LICENSE", - "Name": "Apache-2.0", - "Confidence": 1, - "Link": "https://spdx.org/licenses/Apache-2.0.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/go.opentelemetry.io/otel/trace/LICENSE", - "Name": "Apache-2.0", - "Confidence": 1, - "Link": "https://spdx.org/licenses/Apache-2.0.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/go.opentelemetry.io/otel/get_main_pkgs.sh", - "Name": "Apache-2.0", - "Confidence": 0.9285714285714286, - "Link": "https://spdx.org/licenses/Apache-2.0.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": 
"vendor/go.opentelemetry.io/otel/verify_examples.sh", - "Name": "Apache-2.0", - "Confidence": 0.9285714285714286, - "Link": "https://spdx.org/licenses/Apache-2.0.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc/LICENSE", - "Name": "Apache-2.0", - "Confidence": 1, - "Link": "https://spdx.org/licenses/Apache-2.0.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp/LICENSE", - "Name": "Apache-2.0", - "Confidence": 1, - "Link": "https://spdx.org/licenses/Apache-2.0.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/go.opentelemetry.io/contrib/instrumentation/github.com/gorilla/mux/otelmux/LICENSE", - "Name": "Apache-2.0", - "Confidence": 1, - "Link": "https://spdx.org/licenses/Apache-2.0.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/go.opentelemetry.io/proto/otlp/LICENSE", - "Name": "Apache-2.0", - "Confidence": 1, - "Link": "https://spdx.org/licenses/Apache-2.0.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/k8s.io/cli-runtime/LICENSE", - "Name": "Apache-2.0", - "Confidence": 1, - "Link": "https://spdx.org/licenses/Apache-2.0.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/k8s.io/kube-openapi/LICENSE", - "Name": "Apache-2.0", - "Confidence": 1, - "Link": "https://spdx.org/licenses/Apache-2.0.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/k8s.io/kube-openapi/pkg/validation/spec/LICENSE", - "Name": "Apache-2.0", - "Confidence": 1, - "Link": "https://spdx.org/licenses/Apache-2.0.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": 
"vendor/k8s.io/kube-openapi/pkg/internal/third_party/go-json-experiment/json/LICENSE", - "Name": "BSD-3-Clause", - "Confidence": 0.9812206572769953, - "Link": "https://spdx.org/licenses/BSD-3-Clause.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/k8s.io/utils/internal/third_party/forked/golang/LICENSE", - "Name": "BSD-3-Clause", - "Confidence": 0.9812206572769953, - "Link": "https://spdx.org/licenses/BSD-3-Clause.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/k8s.io/utils/LICENSE", - "Name": "Apache-2.0", - "Confidence": 1, - "Link": "https://spdx.org/licenses/Apache-2.0.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/k8s.io/kubectl/pkg/util/i18n/translations/extract.py", - "Name": "Apache-2.0", - "Confidence": 0.9285714285714286, - "Link": "https://spdx.org/licenses/Apache-2.0.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/k8s.io/kubectl/LICENSE", - "Name": "Apache-2.0", - "Confidence": 1, - "Link": "https://spdx.org/licenses/Apache-2.0.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/k8s.io/api/LICENSE", - "Name": "Apache-2.0", - "Confidence": 1, - "Link": "https://spdx.org/licenses/Apache-2.0.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/k8s.io/apimachinery/LICENSE", - "Name": "Apache-2.0", - "Confidence": 1, - "Link": "https://spdx.org/licenses/Apache-2.0.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/k8s.io/apimachinery/third_party/forked/golang/LICENSE", - "Name": "BSD-3-Clause", - "Confidence": 0.9812206572769953, - "Link": "https://spdx.org/licenses/BSD-3-Clause.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/k8s.io/component-base/LICENSE", - "Name": 
"Apache-2.0", - "Confidence": 1, - "Link": "https://spdx.org/licenses/Apache-2.0.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/k8s.io/helm/LICENSE", - "Name": "Apache-2.0", - "Confidence": 0.9968152866242038, - "Link": "https://spdx.org/licenses/Apache-2.0.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/k8s.io/kube-aggregator/LICENSE", - "Name": "Apache-2.0", - "Confidence": 1, - "Link": "https://spdx.org/licenses/Apache-2.0.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/k8s.io/kubernetes/LICENSE", - "Name": "Apache-2.0", - "Confidence": 1, - "Link": "https://spdx.org/licenses/Apache-2.0.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/k8s.io/apiserver/LICENSE", - "Name": "Apache-2.0", - "Confidence": 1, - "Link": "https://spdx.org/licenses/Apache-2.0.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/k8s.io/component-helpers/LICENSE", - "Name": "Apache-2.0", - "Confidence": 1, - "Link": "https://spdx.org/licenses/Apache-2.0.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/k8s.io/klog/v2/LICENSE", - "Name": "Apache-2.0", - "Confidence": 0.9974522292993631, - "Link": "https://spdx.org/licenses/Apache-2.0.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/k8s.io/metrics/LICENSE", - "Name": "Apache-2.0", - "Confidence": 1, - "Link": "https://spdx.org/licenses/Apache-2.0.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/k8s.io/apiextensions-apiserver/LICENSE", - "Name": "Apache-2.0", - "Confidence": 1, - "Link": "https://spdx.org/licenses/Apache-2.0.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/k8s.io/client-go/LICENSE", - 
"Name": "Apache-2.0", - "Confidence": 1, - "Link": "https://spdx.org/licenses/Apache-2.0.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/k8s.io/client-go/third_party/forked/golang/LICENSE", - "Name": "BSD-3-Clause", - "Confidence": 0.9812206572769953, - "Link": "https://spdx.org/licenses/BSD-3-Clause.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/golang.org/x/term/LICENSE", - "Name": "BSD-3-Clause", - "Confidence": 0.9812206572769953, - "Link": "https://spdx.org/licenses/BSD-3-Clause.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/golang.org/x/text/LICENSE", - "Name": "BSD-3-Clause", - "Confidence": 0.9812206572769953, - "Link": "https://spdx.org/licenses/BSD-3-Clause.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/golang.org/x/time/LICENSE", - "Name": "BSD-3-Clause", - "Confidence": 0.9812206572769953, - "Link": "https://spdx.org/licenses/BSD-3-Clause.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/golang.org/x/crypto/LICENSE", - "Name": "BSD-3-Clause", - "Confidence": 0.9812206572769953, - "Link": "https://spdx.org/licenses/BSD-3-Clause.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/golang.org/x/mod/LICENSE", - "Name": "BSD-3-Clause", - "Confidence": 0.9812206572769953, - "Link": "https://spdx.org/licenses/BSD-3-Clause.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/golang.org/x/net/LICENSE", - "Name": "BSD-3-Clause", - "Confidence": 0.9812206572769953, - "Link": "https://spdx.org/licenses/BSD-3-Clause.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/golang.org/x/oauth2/LICENSE", - "Name": "BSD-3-Clause", - "Confidence": 0.9812206572769953, - "Link": 
"https://spdx.org/licenses/BSD-3-Clause.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/golang.org/x/xerrors/LICENSE", - "Name": "BSD-3-Clause", - "Confidence": 0.9812206572769953, - "Link": "https://spdx.org/licenses/BSD-3-Clause.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/golang.org/x/exp/LICENSE", - "Name": "BSD-3-Clause", - "Confidence": 0.9812206572769953, - "Link": "https://spdx.org/licenses/BSD-3-Clause.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/golang.org/x/sync/LICENSE", - "Name": "BSD-3-Clause", - "Confidence": 0.9812206572769953, - "Link": "https://spdx.org/licenses/BSD-3-Clause.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/golang.org/x/sys/LICENSE", - "Name": "BSD-3-Clause", - "Confidence": 0.9812206572769953, - "Link": "https://spdx.org/licenses/BSD-3-Clause.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/golang.org/x/tools/LICENSE", - "Name": "BSD-3-Clause", - "Confidence": 0.9812206572769953, - "Link": "https://spdx.org/licenses/BSD-3-Clause.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/mellium.im/sasl/LICENSE", - "Name": "BSD-2-Clause", - "Confidence": 1, - "Link": "https://spdx.org/licenses/BSD-2-Clause.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/oras.land/oras-go/v2/LICENSE", - "Name": "Apache-2.0", - "Confidence": 0.9961783439490446, - "Link": "https://spdx.org/licenses/Apache-2.0.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/sigs.k8s.io/kustomize/kyaml/internal/forked/github.com/go-yaml/yaml/LICENSE", - "Name": "Apache-2.0", - "Confidence": 0.9285714285714286, - "Link": "https://spdx.org/licenses/Apache-2.0.html" - }, - { - 
"Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/sigs.k8s.io/kustomize/kyaml/internal/forked/github.com/go-yaml/yaml/LICENSE", - "Name": "MIT", - "Confidence": 1, - "Link": "https://spdx.org/licenses/MIT.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/sigs.k8s.io/kustomize/kyaml/internal/forked/github.com/qri-io/starlib/util/LICENSE", - "Name": "MIT", - "Confidence": 1, - "Link": "https://spdx.org/licenses/MIT.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/sigs.k8s.io/kustomize/kyaml/LICENSE", - "Name": "Apache-2.0", - "Confidence": 1, - "Link": "https://spdx.org/licenses/Apache-2.0.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/sigs.k8s.io/kustomize/api/LICENSE", - "Name": "Apache-2.0", - "Confidence": 1, - "Link": "https://spdx.org/licenses/Apache-2.0.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/sigs.k8s.io/json/LICENSE", - "Name": "Apache-2.0", - "Confidence": 1, - "Link": "https://spdx.org/licenses/Apache-2.0.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/sigs.k8s.io/json/LICENSE", - "Name": "BSD-3-Clause", - "Confidence": 0.9812206572769953, - "Link": "https://spdx.org/licenses/BSD-3-Clause.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/sigs.k8s.io/structured-merge-diff/v4/LICENSE", - "Name": "Apache-2.0", - "Confidence": 1, - "Link": "https://spdx.org/licenses/Apache-2.0.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/sigs.k8s.io/yaml/LICENSE", - "Name": "BSD-3-Clause", - "Confidence": 0.9812206572769953, - "Link": "https://spdx.org/licenses/BSD-3-Clause.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": 
"vendor/sigs.k8s.io/yaml/LICENSE", - "Name": "MIT", - "Confidence": 1, - "Link": "https://spdx.org/licenses/MIT.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/dario.cat/mergo/LICENSE", - "Name": "BSD-3-Clause", - "Confidence": 0.9812206572769953, - "Link": "https://spdx.org/licenses/BSD-3-Clause.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/go.uber.org/atomic/LICENSE.txt", - "Name": "MIT", - "Confidence": 1, - "Link": "https://spdx.org/licenses/MIT.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/go.uber.org/multierr/LICENSE.txt", - "Name": "MIT", - "Confidence": 1, - "Link": "https://spdx.org/licenses/MIT.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/go.uber.org/zap/LICENSE.txt", - "Name": "MIT", - "Confidence": 1, - "Link": "https://spdx.org/licenses/MIT.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/upper.io/db.v3/internal/cache/hashstructure/LICENSE", - "Name": "MIT", - "Confidence": 1, - "Link": "https://spdx.org/licenses/MIT.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/upper.io/db.v3/lib/reflectx/LICENSE", - "Name": "MIT", - "Confidence": 1, - "Link": "https://spdx.org/licenses/MIT.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/upper.io/db.v3/LICENSE", - "Name": "MIT", - "Confidence": 1, - "Link": "https://spdx.org/licenses/MIT.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/github.com/posthog/posthog-go/LICENSE.md", - "Name": "MIT", - "Confidence": 1, - "Link": "https://spdx.org/licenses/MIT.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/github.com/satori/go.uuid/LICENSE", - "Name": "MIT", - 
"Confidence": 1, - "Link": "https://spdx.org/licenses/MIT.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/github.com/cenkalti/backoff/v4/LICENSE", - "Name": "MIT", - "Confidence": 1, - "Link": "https://spdx.org/licenses/MIT.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/github.com/fatih/camelcase/LICENSE.md", - "Name": "MIT", - "Confidence": 1, - "Link": "https://spdx.org/licenses/MIT.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/github.com/xanzy/go-gitlab/LICENSE", - "Name": "Apache-2.0", - "Confidence": 1, - "Link": "https://spdx.org/licenses/Apache-2.0.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/github.com/xanzy/ssh-agent/LICENSE", - "Name": "Apache-2.0", - "Confidence": 1, - "Link": "https://spdx.org/licenses/Apache-2.0.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/github.com/caarlos0/env/LICENSE.md", - "Name": "MIT", - "Confidence": 1, - "Link": "https://spdx.org/licenses/MIT.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/github.com/caarlos0/env/v6/LICENSE.md", - "Name": "MIT", - "Confidence": 1, - "Link": "https://spdx.org/licenses/MIT.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/github.com/gregjones/httpcache/LICENSE.txt", - "Name": "MIT", - "Confidence": 1, - "Link": "https://spdx.org/licenses/MIT.html" - }, - { - "Severity": "HIGH", - "Category": "restricted", - "PkgName": "", - "FilePath": "vendor/github.com/juju/errors/LICENSE", - "Name": "LGPL-3.0", - "Confidence": 1, - "Link": "https://spdx.org/licenses/LGPL-3.0.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/github.com/monochromegane/go-gitignore/LICENSE", - "Name": "MIT", - "Confidence": 
1, - "Link": "https://spdx.org/licenses/MIT.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/github.com/vmihailenco/go-tinylfu/LICENSE", - "Name": "MIT", - "Confidence": 1, - "Link": "https://spdx.org/licenses/MIT.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/github.com/vmihailenco/msgpack/v5/LICENSE", - "Name": "BSD-2-Clause", - "Confidence": 0.994535519125683, - "Link": "https://spdx.org/licenses/BSD-2-Clause.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/github.com/vmihailenco/tagparser/v2/LICENSE", - "Name": "BSD-2-Clause", - "Confidence": 0.994535519125683, - "Link": "https://spdx.org/licenses/BSD-2-Clause.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/github.com/bombsimon/logrusr/v2/LICENCE", - "Name": "MIT", - "Confidence": 1, - "Link": "https://spdx.org/licenses/MIT.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/github.com/exponent-io/jsonpath/LICENSE", - "Name": "MIT", - "Confidence": 1, - "Link": "https://spdx.org/licenses/MIT.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/github.com/matttproud/golang_protobuf_extensions/LICENSE", - "Name": "Apache-2.0", - "Confidence": 1, - "Link": "https://spdx.org/licenses/Apache-2.0.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/github.com/apparentlymart/go-textseg/LICENSE", - "Name": "Apache-2.0", - "Confidence": 0.9285714285714286, - "Link": "https://spdx.org/licenses/Apache-2.0.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/github.com/apparentlymart/go-textseg/LICENSE", - "Name": "MIT", - "Confidence": 1, - "Link": "https://spdx.org/licenses/MIT.html" - }, - { - "Severity": "LOW", - "Category": "notice", - 
"PkgName": "", - "FilePath": "vendor/github.com/apparentlymart/go-textseg/LICENSE", - "Name": "Unicode-DFS-2016", - "Confidence": 0.9498680738786279, - "Link": "https://spdx.org/licenses/Unicode-DFS-2016.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/github.com/apparentlymart/go-textseg/v13/LICENSE", - "Name": "Apache-2.0", - "Confidence": 0.9285714285714286, - "Link": "https://spdx.org/licenses/Apache-2.0.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/github.com/apparentlymart/go-textseg/v13/LICENSE", - "Name": "MIT", - "Confidence": 1, - "Link": "https://spdx.org/licenses/MIT.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/github.com/apparentlymart/go-textseg/v13/LICENSE", - "Name": "Unicode-DFS-2016", - "Confidence": 0.9498680738786279, - "Link": "https://spdx.org/licenses/Unicode-DFS-2016.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/github.com/jcmturner/gofork/LICENSE", - "Name": "BSD-3-Clause", - "Confidence": 0.9812206572769953, - "Link": "https://spdx.org/licenses/BSD-3-Clause.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/github.com/cespare/xxhash/v2/LICENSE.txt", - "Name": "MIT", - "Confidence": 1, - "Link": "https://spdx.org/licenses/MIT.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/github.com/lib/pq/LICENSE.md", - "Name": "MIT", - "Confidence": 1, - "Link": "https://spdx.org/licenses/MIT.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/github.com/munnerz/goautoneg/LICENSE", - "Name": "BSD-3-Clause", - "Confidence": 0.9767441860465116, - "Link": "https://spdx.org/licenses/BSD-3-Clause.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": 
"vendor/github.com/munnerz/goautoneg/README.txt", - "Name": "BSD-3-Clause", - "Confidence": 0.9767441860465116, - "Link": "https://spdx.org/licenses/BSD-3-Clause.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/github.com/jmespath/go-jmespath/LICENSE", - "Name": "Apache-2.0", - "Confidence": 0.9285714285714286, - "Link": "https://spdx.org/licenses/Apache-2.0.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/github.com/Masterminds/goutils/LICENSE.txt", - "Name": "Apache-2.0", - "Confidence": 1, - "Link": "https://spdx.org/licenses/Apache-2.0.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/github.com/Masterminds/semver/LICENSE.txt", - "Name": "MIT", - "Confidence": 1, - "Link": "https://spdx.org/licenses/MIT.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/github.com/Masterminds/semver/v3/LICENSE.txt", - "Name": "MIT", - "Confidence": 1, - "Link": "https://spdx.org/licenses/MIT.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/github.com/Masterminds/sprig/v3/LICENSE.txt", - "Name": "MIT", - "Confidence": 1, - "Link": "https://spdx.org/licenses/MIT.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/github.com/pquerna/cachecontrol/LICENSE", - "Name": "Apache-2.0", - "Confidence": 1, - "Link": "https://spdx.org/licenses/Apache-2.0.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/github.com/sergi/go-diff/LICENSE", - "Name": "MIT", - "Confidence": 1, - "Link": "https://spdx.org/licenses/MIT.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/github.com/spf13/cast/LICENSE", - "Name": "MIT", - "Confidence": 1, - "Link": "https://spdx.org/licenses/MIT.html" - }, - { - "Severity": "LOW", - 
"Category": "notice", - "PkgName": "", - "FilePath": "vendor/github.com/spf13/cobra/LICENSE.txt", - "Name": "Apache-2.0", - "Confidence": 0.9964362081254454, - "Link": "https://spdx.org/licenses/Apache-2.0.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/github.com/spf13/pflag/LICENSE", - "Name": "BSD-3-Clause", - "Confidence": 0.9812206572769953, - "Link": "https://spdx.org/licenses/BSD-3-Clause.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/github.com/chai2010/gettext-go/LICENSE", - "Name": "BSD-3-Clause", - "Confidence": 0.9812206572769953, - "Link": "https://spdx.org/licenses/BSD-3-Clause.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/github.com/leodido/go-urn/LICENSE", - "Name": "MIT", - "Confidence": 1, - "Link": "https://spdx.org/licenses/MIT.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/github.com/go-playground/locales/LICENSE", - "Name": "MIT", - "Confidence": 1, - "Link": "https://spdx.org/licenses/MIT.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/github.com/go-playground/universal-translator/LICENSE", - "Name": "MIT", - "Confidence": 1, - "Link": "https://spdx.org/licenses/MIT.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/github.com/cyphar/filepath-securejoin/LICENSE", - "Name": "BSD-3-Clause", - "Confidence": 0.9812206572769953, - "Link": "https://spdx.org/licenses/BSD-3-Clause.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/github.com/go-openapi/swag/LICENSE", - "Name": "Apache-2.0", - "Confidence": 1, - "Link": "https://spdx.org/licenses/Apache-2.0.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/github.com/go-openapi/jsonpointer/LICENSE", - 
"Name": "Apache-2.0", - "Confidence": 1, - "Link": "https://spdx.org/licenses/Apache-2.0.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/github.com/go-openapi/jsonreference/LICENSE", - "Name": "Apache-2.0", - "Confidence": 1, - "Link": "https://spdx.org/licenses/Apache-2.0.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/github.com/emirpasic/gods/LICENSE", - "Name": "BSD-2-Clause", - "Confidence": 1, - "Link": "https://spdx.org/licenses/BSD-2-Clause.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/github.com/emirpasic/gods/LICENSE", - "Name": "ISC", - "Confidence": 0.9568965517241379, - "Link": "https://spdx.org/licenses/ISC.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/github.com/klauspost/compress/LICENSE", - "Name": "Apache-2.0", - "Confidence": 0.9961783439490446, - "Link": "https://spdx.org/licenses/Apache-2.0.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/github.com/klauspost/compress/LICENSE", - "Name": "BSD-3-Clause", - "Confidence": 0.9812206572769953, - "Link": "https://spdx.org/licenses/BSD-3-Clause.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/github.com/klauspost/compress/LICENSE", - "Name": "MIT", - "Confidence": 1, - "Link": "https://spdx.org/licenses/MIT.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/github.com/klauspost/compress/s2/LICENSE", - "Name": "BSD-3-Clause", - "Confidence": 0.9812206572769953, - "Link": "https://spdx.org/licenses/BSD-3-Clause.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/github.com/klauspost/pgzip/LICENSE", - "Name": "MIT", - "Confidence": 1, - "Link": "https://spdx.org/licenses/MIT.html" - }, - { - "Severity": 
"LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/github.com/redis/go-redis/v9/LICENSE", - "Name": "BSD-2-Clause", - "Confidence": 0.994535519125683, - "Link": "https://spdx.org/licenses/BSD-2-Clause.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/github.com/xtgo/uuid/LICENSE", - "Name": "BSD-3-Clause", - "Confidence": 0.9812206572769953, - "Link": "https://spdx.org/licenses/BSD-3-Clause.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/github.com/bradleyfalzon/ghinstallation/v2/LICENSE", - "Name": "Apache-2.0", - "Confidence": 1, - "Link": "https://spdx.org/licenses/Apache-2.0.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/github.com/emicklei/go-restful/v3/LICENSE", - "Name": "MIT", - "Confidence": 1, - "Link": "https://spdx.org/licenses/MIT.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/github.com/huandu/xstrings/LICENSE", - "Name": "MIT", - "Confidence": 1, - "Link": "https://spdx.org/licenses/MIT.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/github.com/russross/blackfriday/v2/LICENSE.txt", - "Name": "BSD-2-Clause", - "Confidence": 1, - "Link": "https://spdx.org/licenses/BSD-2-Clause.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/github.com/go-resty/resty/v2/LICENSE", - "Name": "MIT", - "Confidence": 1, - "Link": "https://spdx.org/licenses/MIT.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/github.com/patrickmn/go-cache/LICENSE", - "Name": "MIT", - "Confidence": 1, - "Link": "https://spdx.org/licenses/MIT.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/github.com/prometheus/client_golang/LICENSE", - "Name": "Apache-2.0", - "Confidence": 1, 
- "Link": "https://spdx.org/licenses/Apache-2.0.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/github.com/prometheus/client_model/LICENSE", - "Name": "Apache-2.0", - "Confidence": 1, - "Link": "https://spdx.org/licenses/Apache-2.0.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/github.com/prometheus/common/internal/bitbucket.org/ww/goautoneg/README.txt", - "Name": "BSD-3-Clause", - "Confidence": 0.9767441860465116, - "Link": "https://spdx.org/licenses/BSD-3-Clause.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/github.com/prometheus/common/LICENSE", - "Name": "Apache-2.0", - "Confidence": 1, - "Link": "https://spdx.org/licenses/Apache-2.0.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/github.com/prometheus/procfs/LICENSE", - "Name": "Apache-2.0", - "Confidence": 1, - "Link": "https://spdx.org/licenses/Apache-2.0.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/github.com/Pallinder/go-randomdata/LICENSE", - "Name": "MIT", - "Confidence": 1, - "Link": "https://spdx.org/licenses/MIT.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/github.com/ghodss/yaml/LICENSE", - "Name": "BSD-3-Clause", - "Confidence": 0.9812206572769953, - "Link": "https://spdx.org/licenses/BSD-3-Clause.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/github.com/ghodss/yaml/LICENSE", - "Name": "MIT", - "Confidence": 1, - "Link": "https://spdx.org/licenses/MIT.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/github.com/gogo/protobuf/LICENSE", - "Name": "BSD-3-Clause", - "Confidence": 0.9812206572769953, - "Link": "https://spdx.org/licenses/BSD-3-Clause.html" - }, - { - "Severity": "MEDIUM", - 
"Category": "reciprocal", - "PkgName": "", - "FilePath": "vendor/github.com/hashicorp/go-uuid/LICENSE", - "Name": "MPL-2.0", - "Confidence": 0.9947826086956522, - "Link": "https://spdx.org/licenses/MPL-2.0.html" - }, - { - "Severity": "MEDIUM", - "Category": "reciprocal", - "PkgName": "", - "FilePath": "vendor/github.com/hashicorp/hcl2/LICENSE", - "Name": "MPL-2.0", - "Confidence": 0.9947826086956522, - "Link": "https://spdx.org/licenses/MPL-2.0.html" - }, - { - "Severity": "MEDIUM", - "Category": "reciprocal", - "PkgName": "", - "FilePath": "vendor/github.com/hashicorp/errwrap/LICENSE", - "Name": "MPL-2.0", - "Confidence": 0.9947826086956522, - "Link": "https://spdx.org/licenses/MPL-2.0.html" - }, - { - "Severity": "MEDIUM", - "Category": "reciprocal", - "PkgName": "", - "FilePath": "vendor/github.com/hashicorp/go-cleanhttp/LICENSE", - "Name": "MPL-2.0", - "Confidence": 0.9947826086956522, - "Link": "https://spdx.org/licenses/MPL-2.0.html" - }, - { - "Severity": "MEDIUM", - "Category": "reciprocal", - "PkgName": "", - "FilePath": "vendor/github.com/hashicorp/go-multierror/LICENSE", - "Name": "MPL-2.0", - "Confidence": 0.9947826086956522, - "Link": "https://spdx.org/licenses/MPL-2.0.html" - }, - { - "Severity": "MEDIUM", - "Category": "reciprocal", - "PkgName": "", - "FilePath": "vendor/github.com/hashicorp/go-retryablehttp/LICENSE", - "Name": "MPL-2.0", - "Confidence": 0.9947826086956522, - "Link": "https://spdx.org/licenses/MPL-2.0.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/github.com/imdario/mergo/LICENSE", - "Name": "BSD-3-Clause", - "Confidence": 0.9812206572769953, - "Link": "https://spdx.org/licenses/BSD-3-Clause.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/github.com/jonboulle/clockwork/LICENSE", - "Name": "Apache-2.0", - "Confidence": 1, - "Link": "https://spdx.org/licenses/Apache-2.0.html" - }, - { - "Severity": "LOW", - "Category": "notice", - 
"PkgName": "", - "FilePath": "vendor/github.com/json-iterator/go/LICENSE", - "Name": "MIT", - "Confidence": 1, - "Link": "https://spdx.org/licenses/MIT.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/github.com/stretchr/objx/LICENSE", - "Name": "MIT", - "Confidence": 1, - "Link": "https://spdx.org/licenses/MIT.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/github.com/stretchr/testify/LICENSE", - "Name": "MIT", - "Confidence": 1, - "Link": "https://spdx.org/licenses/MIT.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/github.com/dgryski/go-rendezvous/LICENSE", - "Name": "MIT", - "Confidence": 1, - "Link": "https://spdx.org/licenses/MIT.html" - }, - { - "Severity": "MEDIUM", - "Category": "reciprocal", - "PkgName": "", - "FilePath": "vendor/github.com/go-sql-driver/mysql/LICENSE", - "Name": "MPL-2.0", - "Confidence": 1, - "Link": "https://spdx.org/licenses/MPL-2.0.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/github.com/valyala/bytebufferpool/LICENSE", - "Name": "MIT", - "Confidence": 1, - "Link": "https://spdx.org/licenses/MIT.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/github.com/valyala/fasttemplate/LICENSE", - "Name": "MIT", - "Confidence": 1, - "Link": "https://spdx.org/licenses/MIT.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/github.com/moby/term/LICENSE", - "Name": "Apache-2.0", - "Confidence": 1, - "Link": "https://spdx.org/licenses/Apache-2.0.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/github.com/moby/spdystream/LICENSE", - "Name": "Apache-2.0", - "Confidence": 1, - "Link": "https://spdx.org/licenses/Apache-2.0.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - 
"FilePath": "vendor/github.com/xeipuuv/gojsonschema/LICENSE-APACHE-2.0.txt", - "Name": "Apache-2.0", - "Confidence": 0.9961783439490446, - "Link": "https://spdx.org/licenses/Apache-2.0.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/github.com/xeipuuv/gojsonpointer/LICENSE-APACHE-2.0.txt", - "Name": "Apache-2.0", - "Confidence": 0.9961783439490446, - "Link": "https://spdx.org/licenses/Apache-2.0.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/github.com/xeipuuv/gojsonreference/LICENSE-APACHE-2.0.txt", - "Name": "Apache-2.0", - "Confidence": 0.9961783439490446, - "Link": "https://spdx.org/licenses/Apache-2.0.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/github.com/golang/groupcache/LICENSE", - "Name": "Apache-2.0", - "Confidence": 0.9974522292993631, - "Link": "https://spdx.org/licenses/Apache-2.0.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/github.com/golang/mock/LICENSE", - "Name": "Apache-2.0", - "Confidence": 1, - "Link": "https://spdx.org/licenses/Apache-2.0.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/github.com/golang/protobuf/LICENSE", - "Name": "BSD-3-Clause", - "Confidence": 0.9812206572769953, - "Link": "https://spdx.org/licenses/BSD-3-Clause.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/github.com/mitchellh/copystructure/LICENSE", - "Name": "MIT", - "Confidence": 1, - "Link": "https://spdx.org/licenses/MIT.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/github.com/mitchellh/go-wordwrap/LICENSE.md", - "Name": "MIT", - "Confidence": 1, - "Link": "https://spdx.org/licenses/MIT.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": 
"vendor/github.com/mitchellh/mapstructure/LICENSE", - "Name": "MIT", - "Confidence": 1, - "Link": "https://spdx.org/licenses/MIT.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/github.com/mitchellh/reflectwalk/LICENSE", - "Name": "MIT", - "Confidence": 1, - "Link": "https://spdx.org/licenses/MIT.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/github.com/golang-jwt/jwt/v4/LICENSE", - "Name": "MIT", - "Confidence": 1, - "Link": "https://spdx.org/licenses/MIT.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/github.com/pkg/errors/LICENSE", - "Name": "BSD-2-Clause", - "Confidence": 1, - "Link": "https://spdx.org/licenses/BSD-2-Clause.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/github.com/zclconf/go-cty/LICENSE", - "Name": "MIT", - "Confidence": 1, - "Link": "https://spdx.org/licenses/MIT.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/github.com/argoproj/argo-workflows/v3/LICENSE", - "Name": "Apache-2.0", - "Confidence": 0.9961783439490446, - "Link": "https://spdx.org/licenses/Apache-2.0.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/github.com/argoproj/argo-cd/v2/LICENSE", - "Name": "Apache-2.0", - "Confidence": 0.9961783439490446, - "Link": "https://spdx.org/licenses/Apache-2.0.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/github.com/argoproj/gitops-engine/LICENSE", - "Name": "Apache-2.0", - "Confidence": 0.9961783439490446, - "Link": "https://spdx.org/licenses/Apache-2.0.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/github.com/argoproj/pkg/LICENSE", - "Name": "Apache-2.0", - "Confidence": 0.9961783439490446, - "Link": 
"https://spdx.org/licenses/Apache-2.0.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/github.com/casbin/xorm-adapter/LICENSE", - "Name": "Apache-2.0", - "Confidence": 1, - "Link": "https://spdx.org/licenses/Apache-2.0.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/github.com/casbin/casbin/LICENSE", - "Name": "Apache-2.0", - "Confidence": 1, - "Link": "https://spdx.org/licenses/Apache-2.0.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/github.com/jbenet/go-context/LICENSE", - "Name": "MIT", - "Confidence": 1, - "Link": "https://spdx.org/licenses/MIT.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/github.com/kballard/go-shellquote/LICENSE", - "Name": "MIT", - "Confidence": 1, - "Link": "https://spdx.org/licenses/MIT.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/github.com/gobwas/glob/LICENSE", - "Name": "MIT", - "Confidence": 1, - "Link": "https://spdx.org/licenses/MIT.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/github.com/nats-io/nats.go/LICENSE", - "Name": "Apache-2.0", - "Confidence": 1, - "Link": "https://spdx.org/licenses/Apache-2.0.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/github.com/nats-io/nkeys/LICENSE", - "Name": "Apache-2.0", - "Confidence": 1, - "Link": "https://spdx.org/licenses/Apache-2.0.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/github.com/nats-io/nuid/LICENSE", - "Name": "Apache-2.0", - "Confidence": 1, - "Link": "https://spdx.org/licenses/Apache-2.0.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/github.com/cloudflare/circl/LICENSE", - "Name": "BSD-3-Clause", - "Confidence": 
0.9812206572769953, - "Link": "https://spdx.org/licenses/BSD-3-Clause.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/github.com/go-redis/cache/v9/LICENSE", - "Name": "BSD-2-Clause", - "Confidence": 0.994535519125683, - "Link": "https://spdx.org/licenses/BSD-2-Clause.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/github.com/otiai10/copy/LICENSE", - "Name": "MIT", - "Confidence": 1, - "Link": "https://spdx.org/licenses/MIT.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/github.com/go-git/go-git/v5/oss-fuzz.sh", - "Name": "Apache-2.0", - "Confidence": 0.9285714285714286, - "Link": "https://spdx.org/licenses/Apache-2.0.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/github.com/go-git/go-git/v5/LICENSE", - "Name": "Apache-2.0", - "Confidence": 0.9961783439490446, - "Link": "https://spdx.org/licenses/Apache-2.0.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/github.com/go-git/gcfg/LICENSE", - "Name": "BSD-3-Clause", - "Confidence": 0.9906976744186047, - "Link": "https://spdx.org/licenses/BSD-3-Clause.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/github.com/go-git/go-billy/v5/LICENSE", - "Name": "Apache-2.0", - "Confidence": 0.9961783439490446, - "Link": "https://spdx.org/licenses/Apache-2.0.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/github.com/ProtonMail/go-crypto/LICENSE", - "Name": "BSD-3-Clause", - "Confidence": 0.9812206572769953, - "Link": "https://spdx.org/licenses/BSD-3-Clause.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/github.com/go-pg/pg/LICENSE", - "Name": "BSD-2-Clause", - "Confidence": 0.994535519125683, - "Link": 
"https://spdx.org/licenses/BSD-2-Clause.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/github.com/colinmarc/hdfs/LICENSE.txt", - "Name": "MIT", - "Confidence": 1, - "Link": "https://spdx.org/licenses/MIT.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/github.com/fvbommel/sortorder/LICENSE", - "Name": "MIT", - "Confidence": 1, - "Link": "https://spdx.org/licenses/MIT.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/github.com/opencontainers/go-digest/LICENSE", - "Name": "Apache-2.0", - "Confidence": 1, - "Link": "https://spdx.org/licenses/Apache-2.0.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/github.com/opencontainers/image-spec/LICENSE", - "Name": "Apache-2.0", - "Confidence": 1, - "Link": "https://spdx.org/licenses/Apache-2.0.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/github.com/blang/semver/v4/LICENSE", - "Name": "MIT", - "Confidence": 1, - "Link": "https://spdx.org/licenses/MIT.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/github.com/mailru/easyjson/LICENSE", - "Name": "MIT", - "Confidence": 1, - "Link": "https://spdx.org/licenses/MIT.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/github.com/go-logr/stdr/LICENSE", - "Name": "Apache-2.0", - "Confidence": 1, - "Link": "https://spdx.org/licenses/Apache-2.0.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/github.com/go-logr/logr/LICENSE", - "Name": "Apache-2.0", - "Confidence": 1, - "Link": "https://spdx.org/licenses/Apache-2.0.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/github.com/josharian/intern/license.md", - "Name": "MIT", - "Confidence": 1, - 
"Link": "https://spdx.org/licenses/MIT.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/github.com/mattn/go-ieproxy/LICENSE", - "Name": "MIT", - "Confidence": 1, - "Link": "https://spdx.org/licenses/MIT.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/github.com/pmezard/go-difflib/LICENSE", - "Name": "BSD-3-Clause", - "Confidence": 0.958139534883721, - "Link": "https://spdx.org/licenses/BSD-3-Clause.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/github.com/MakeNowJust/heredoc/LICENSE", - "Name": "MIT", - "Confidence": 1, - "Link": "https://spdx.org/licenses/MIT.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/github.com/deckarep/golang-set/LICENSE", - "Name": "MIT", - "Confidence": 1, - "Link": "https://spdx.org/licenses/MIT.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/github.com/peterbourgon/diskv/LICENSE", - "Name": "MIT", - "Confidence": 1, - "Link": "https://spdx.org/licenses/MIT.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/github.com/xlab/treeprint/LICENSE", - "Name": "MIT", - "Confidence": 1, - "Link": "https://spdx.org/licenses/MIT.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/github.com/yannh/kubeconform/LICENSE", - "Name": "Apache-2.0", - "Confidence": 0.9285714285714286, - "Link": "https://spdx.org/licenses/Apache-2.0.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/github.com/agext/levenshtein/LICENSE", - "Name": "Apache-2.0", - "Confidence": 1, - "Link": "https://spdx.org/licenses/Apache-2.0.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/github.com/liggitt/tabwriter/LICENSE", - "Name": 
"BSD-3-Clause", - "Confidence": 0.9812206572769953, - "Link": "https://spdx.org/licenses/BSD-3-Clause.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/github.com/oliveagle/jsonpath/LICENSE", - "Name": "MIT", - "Confidence": 1, - "Link": "https://spdx.org/licenses/MIT.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/github.com/shopspring/decimal/LICENSE", - "Name": "MIT", - "Confidence": 1, - "Link": "https://spdx.org/licenses/MIT.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/github.com/tidwall/gjson/LICENSE", - "Name": "MIT", - "Confidence": 1, - "Link": "https://spdx.org/licenses/MIT.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/github.com/tidwall/match/LICENSE", - "Name": "MIT", - "Confidence": 1, - "Link": "https://spdx.org/licenses/MIT.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/github.com/tidwall/pretty/LICENSE", - "Name": "MIT", - "Confidence": 1, - "Link": "https://spdx.org/licenses/MIT.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/github.com/tidwall/sjson/LICENSE", - "Name": "MIT", - "Confidence": 1, - "Link": "https://spdx.org/licenses/MIT.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/github.com/aws/aws-sdk-go-v2/service/ecr/LICENSE.txt", - "Name": "Apache-2.0", - "Confidence": 1, - "Link": "https://spdx.org/licenses/Apache-2.0.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/github.com/aws/aws-sdk-go/internal/sync/singleflight/LICENSE", - "Name": "BSD-3-Clause", - "Confidence": 0.9812206572769953, - "Link": "https://spdx.org/licenses/BSD-3-Clause.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": 
"vendor/github.com/aws/aws-sdk-go/LICENSE.txt", - "Name": "Apache-2.0", - "Confidence": 1, - "Link": "https://spdx.org/licenses/Apache-2.0.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/github.com/aws/smithy-go/LICENSE", - "Name": "Apache-2.0", - "Confidence": 0.9964362081254454, - "Link": "https://spdx.org/licenses/Apache-2.0.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/github.com/gorilla/schema/LICENSE", - "Name": "BSD-3-Clause", - "Confidence": 0.9812206572769953, - "Link": "https://spdx.org/licenses/BSD-3-Clause.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/github.com/gorilla/securecookie/LICENSE", - "Name": "BSD-3-Clause", - "Confidence": 0.9812206572769953, - "Link": "https://spdx.org/licenses/BSD-3-Clause.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/github.com/gorilla/sessions/LICENSE", - "Name": "BSD-3-Clause", - "Confidence": 0.9812206572769953, - "Link": "https://spdx.org/licenses/BSD-3-Clause.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/github.com/gorilla/websocket/LICENSE", - "Name": "BSD-2-Clause", - "Confidence": 1, - "Link": "https://spdx.org/licenses/BSD-2-Clause.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/github.com/gorilla/mux/LICENSE", - "Name": "BSD-3-Clause", - "Confidence": 0.9812206572769953, - "Link": "https://spdx.org/licenses/BSD-3-Clause.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/github.com/google/btree/LICENSE", - "Name": "Apache-2.0", - "Confidence": 1, - "Link": "https://spdx.org/licenses/Apache-2.0.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/github.com/google/go-cmp/LICENSE", - "Name": "BSD-3-Clause", - 
"Confidence": 0.9812206572769953, - "Link": "https://spdx.org/licenses/BSD-3-Clause.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/github.com/google/gofuzz/LICENSE", - "Name": "Apache-2.0", - "Confidence": 1, - "Link": "https://spdx.org/licenses/Apache-2.0.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/github.com/google/gnostic/LICENSE", - "Name": "Apache-2.0", - "Confidence": 1, - "Link": "https://spdx.org/licenses/Apache-2.0.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/github.com/google/go-github/v53/LICENSE", - "Name": "BSD-3-Clause", - "Confidence": 0.9812206572769953, - "Link": "https://spdx.org/licenses/BSD-3-Clause.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/github.com/google/go-github/LICENSE", - "Name": "BSD-3-Clause", - "Confidence": 0.9812206572769953, - "Link": "https://spdx.org/licenses/BSD-3-Clause.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/github.com/google/go-querystring/LICENSE", - "Name": "BSD-3-Clause", - "Confidence": 0.9812206572769953, - "Link": "https://spdx.org/licenses/BSD-3-Clause.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/github.com/google/s2a-go/LICENSE.md", - "Name": "Apache-2.0", - "Confidence": 1, - "Link": "https://spdx.org/licenses/Apache-2.0.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/github.com/google/uuid/LICENSE", - "Name": "BSD-3-Clause", - "Confidence": 0.9812206572769953, - "Link": "https://spdx.org/licenses/BSD-3-Clause.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/github.com/google/wire/LICENSE", - "Name": "Apache-2.0", - "Confidence": 1, - "Link": "https://spdx.org/licenses/Apache-2.0.html" - }, - 
{ - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/github.com/jinzhu/inflection/LICENSE", - "Name": "MIT", - "Confidence": 1, - "Link": "https://spdx.org/licenses/MIT.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/github.com/bmatcuk/doublestar/v4/LICENSE", - "Name": "MIT", - "Confidence": 1, - "Link": "https://spdx.org/licenses/MIT.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/github.com/go-xorm/xorm/LICENSE", - "Name": "BSD-3-Clause", - "Confidence": 0.9953488372093023, - "Link": "https://spdx.org/licenses/BSD-3-Clause.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/github.com/inconshreveable/mousetrap/LICENSE", - "Name": "Apache-2.0", - "Confidence": 0.9961783439490446, - "Link": "https://spdx.org/licenses/Apache-2.0.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/github.com/sirupsen/logrus/LICENSE", - "Name": "MIT", - "Confidence": 1, - "Link": "https://spdx.org/licenses/MIT.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/github.com/felixge/httpsnoop/LICENSE.txt", - "Name": "MIT", - "Confidence": 1, - "Link": "https://spdx.org/licenses/MIT.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/github.com/grpc-ecosystem/go-grpc-middleware/LICENSE", - "Name": "Apache-2.0", - "Confidence": 1, - "Link": "https://spdx.org/licenses/Apache-2.0.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/github.com/grpc-ecosystem/go-grpc-prometheus/LICENSE", - "Name": "Apache-2.0", - "Confidence": 1, - "Link": "https://spdx.org/licenses/Apache-2.0.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/github.com/grpc-ecosystem/grpc-gateway/LICENSE.txt", - 
"Name": "BSD-3-Clause", - "Confidence": 0.9906976744186047, - "Link": "https://spdx.org/licenses/BSD-3-Clause.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/github.com/grpc-ecosystem/grpc-gateway/v2/LICENSE.txt", - "Name": "BSD-3-Clause", - "Confidence": 0.9906976744186047, - "Link": "https://spdx.org/licenses/BSD-3-Clause.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/github.com/ktrysmt/go-bitbucket/LICENSE", - "Name": "Apache-2.0", - "Confidence": 0.9961783439490446, - "Link": "https://spdx.org/licenses/Apache-2.0.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/github.com/modern-go/concurrent/LICENSE", - "Name": "Apache-2.0", - "Confidence": 1, - "Link": "https://spdx.org/licenses/Apache-2.0.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/github.com/modern-go/reflect2/LICENSE", - "Name": "Apache-2.0", - "Confidence": 1, - "Link": "https://spdx.org/licenses/Apache-2.0.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/github.com/pjbgf/sha1cd/LICENSE", - "Name": "Apache-2.0", - "Confidence": 1, - "Link": "https://spdx.org/licenses/Apache-2.0.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/github.com/doublerebel/bellows/LICENSE", - "Name": "MIT", - "Confidence": 1, - "Link": "https://spdx.org/licenses/MIT.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/github.com/beorn7/perks/LICENSE", - "Name": "MIT", - "Confidence": 1, - "Link": "https://spdx.org/licenses/MIT.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/github.com/devtron-labs/authenticator/LICENSE", - "Name": "Apache-2.0", - "Confidence": 1, - "Link": "https://spdx.org/licenses/Apache-2.0.html" - }, - { - 
"Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/github.com/devtron-labs/common-lib/LICENSE", - "Name": "Apache-2.0", - "Confidence": 1, - "Link": "https://spdx.org/licenses/Apache-2.0.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/github.com/devtron-labs/protos/LICENSE", - "Name": "Apache-2.0", - "Confidence": 1, - "Link": "https://spdx.org/licenses/Apache-2.0.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/github.com/Azure/azure-pipeline-go/LICENSE", - "Name": "MIT", - "Confidence": 1, - "Link": "https://spdx.org/licenses/MIT.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/github.com/Azure/azure-storage-blob-go/LICENSE", - "Name": "MIT", - "Confidence": 1, - "Link": "https://spdx.org/licenses/MIT.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/github.com/Azure/go-ansiterm/LICENSE", - "Name": "MIT", - "Confidence": 1, - "Link": "https://spdx.org/licenses/MIT.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/github.com/Azure/go-autorest/LICENSE", - "Name": "Apache-2.0", - "Confidence": 1, - "Link": "https://spdx.org/licenses/Apache-2.0.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/github.com/Azure/go-autorest/autorest/LICENSE", - "Name": "Apache-2.0", - "Confidence": 1, - "Link": "https://spdx.org/licenses/Apache-2.0.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/github.com/Azure/go-autorest/autorest/adal/LICENSE", - "Name": "Apache-2.0", - "Confidence": 1, - "Link": "https://spdx.org/licenses/Apache-2.0.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/github.com/Azure/go-autorest/autorest/date/LICENSE", - "Name": "Apache-2.0", - 
"Confidence": 1, - "Link": "https://spdx.org/licenses/Apache-2.0.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/github.com/Azure/go-autorest/logger/LICENSE", - "Name": "Apache-2.0", - "Confidence": 1, - "Link": "https://spdx.org/licenses/Apache-2.0.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/github.com/Azure/go-autorest/tracing/LICENSE", - "Name": "Apache-2.0", - "Confidence": 1, - "Link": "https://spdx.org/licenses/Apache-2.0.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/github.com/Knetic/govaluate/LICENSE", - "Name": "MIT", - "Confidence": 1, - "Link": "https://spdx.org/licenses/MIT.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/github.com/iancoleman/orderedmap/LICENSE", - "Name": "MIT", - "Confidence": 1, - "Link": "https://spdx.org/licenses/MIT.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/github.com/robfig/cron/v3/LICENSE", - "Name": "MIT", - "Confidence": 1, - "Link": "https://spdx.org/licenses/MIT.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/github.com/davecgh/go-spew/LICENSE", - "Name": "ISC", - "Confidence": 0.963302752293578, - "Link": "https://spdx.org/licenses/ISC.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/github.com/evanphx/json-patch/LICENSE", - "Name": "BSD-3-Clause", - "Confidence": 0.9906976744186047, - "Link": "https://spdx.org/licenses/BSD-3-Clause.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/github.com/googleapis/gax-go/v2/LICENSE", - "Name": "BSD-3-Clause", - "Confidence": 0.9906976744186047, - "Link": "https://spdx.org/licenses/BSD-3-Clause.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - 
"FilePath": "vendor/github.com/googleapis/enterprise-certificate-proxy/LICENSE", - "Name": "Apache-2.0", - "Confidence": 1, - "Link": "https://spdx.org/licenses/Apache-2.0.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/github.com/kevinburke/ssh_config/LICENSE", - "Name": "MIT", - "Confidence": 1, - "Link": "https://spdx.org/licenses/MIT.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/github.com/coreos/go-oidc/LICENSE", - "Name": "Apache-2.0", - "Confidence": 1, - "Link": "https://spdx.org/licenses/Apache-2.0.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/github.com/docker/distribution/LICENSE", - "Name": "Apache-2.0", - "Confidence": 1, - "Link": "https://spdx.org/licenses/Apache-2.0.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/github.com/antonmedv/expr/LICENSE", - "Name": "MIT", - "Confidence": 1, - "Link": "https://spdx.org/licenses/MIT.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/github.com/skeema/knownhosts/README.md", - "Name": "Apache-2.0", - "Confidence": 0.9285714285714286, - "Link": "https://spdx.org/licenses/Apache-2.0.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/github.com/skeema/knownhosts/LICENSE", - "Name": "Apache-2.0", - "Confidence": 1, - "Link": "https://spdx.org/licenses/Apache-2.0.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/github.com/Microsoft/azure-devops-go-api/azuredevops/LICENSE", - "Name": "MIT", - "Confidence": 1, - "Link": "https://spdx.org/licenses/MIT.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "vendor/github.com/Microsoft/go-winio/LICENSE", - "Name": "MIT", - "Confidence": 1, - "Link": "https://spdx.org/licenses/MIT.html" - 
}, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "manifests/LICENSE", - "Name": "Apache-2.0", - "Confidence": 1, - "Link": "https://spdx.org/licenses/Apache-2.0.html" - }, - { - "Severity": "LOW", - "Category": "notice", - "PkgName": "", - "FilePath": "LICENSE", - "Name": "Apache-2.0", - "Confidence": 1, - "Link": "https://spdx.org/licenses/Apache-2.0.html" - } - ] - } - ] -}