Hi 👋
Firstly, thanks so much for making these charts available, and for making them so configurable and easy to use!
I've deployed this chart onto a home server and run Trivy configuration audits, and found a few problems:
```
Replica set:
  Name:  replicaset-minecraft-minecraft-f9b4c8777
  Report:
    Checks:
      Category:     Kubernetes Security Check
      Check ID:     KSV001
      Description:  A program inside the container can elevate its own privileges and run as root, which might give the program control over the container and node.
      Messages:
        Container 'minecraft-minecraft' of ReplicaSet 'minecraft-minecraft-f9b4c8777' should set 'securityContext.allowPrivilegeEscalation' to false
      Remediation:  Set 'containers[].securityContext.allowPrivilegeEscalation' to 'false'.
      Severity:     MEDIUM
      Success:      false
      Title:        Can elevate its own privileges

      Category:     Kubernetes Security Check
      Check ID:     KSV003
      Description:  The container should drop all default capabilities and add only those that are needed for its execution.
      Messages:
        Container 'minecraft-minecraft' of ReplicaSet 'minecraft-minecraft-f9b4c8777' should add 'ALL' to 'securityContext.capabilities.drop'
      Remediation:  Add 'ALL' to containers[].securityContext.capabilities.drop.
      Severity:     LOW
      Success:      false
      Title:        Default capabilities: some containers do not drop all

      Category:     Kubernetes Security Check
      Check ID:     KSV004
      Description:  Security best practices require containers to run with minimal required capabilities.
      Messages:
        Container 'minecraft-minecraft' of 'replicaset' 'minecraft-minecraft-f9b4c8777' in 'minecraft' namespace should set securityContext.capabilities.drop
      Remediation:  Specify at least one unneeded capability in 'containers[].securityContext.capabilities.drop'
      Severity:     LOW
      Success:      false
      Title:        Default capabilities: some containers do not drop any

      Category:     Kubernetes Security Check
      Check ID:     KSV012
      Description:  Force the running image to run as a non-root user to ensure least privileges.
      Messages:
        Container 'minecraft-minecraft' of ReplicaSet 'minecraft-minecraft-f9b4c8777' should set 'securityContext.runAsNonRoot' to true
      Remediation:  Set 'containers[].securityContext.runAsNonRoot' to true.
      Severity:     MEDIUM
      Success:      false
      Title:        Runs as root user

      Category:     Kubernetes Security Check
      Check ID:     KSV013
      Description:  It is best to avoid using the ':latest' image tag when deploying containers in production. Doing so makes it hard to track which version of the image is running, and hard to roll back the version.
      Messages:
        Container 'minecraft-minecraft' of ReplicaSet 'minecraft-minecraft-f9b4c8777' should specify an image tag
      Remediation:  Use a specific container image tag that is not 'latest'.
      Severity:     MEDIUM
      Success:      false
      Title:        Image tag ":latest" used

      Category:     Kubernetes Security Check
      Check ID:     KSV014
      Description:  An immutable root file system prevents applications from writing to their local disk. This can limit intrusions, as attackers will not be able to tamper with the file system or write foreign executables to disk.
      Messages:
        Container 'minecraft-minecraft' of ReplicaSet 'minecraft-minecraft-f9b4c8777' should set 'securityContext.readOnlyRootFilesystem' to true
      Remediation:  Change 'containers[].securityContext.readOnlyRootFilesystem' to 'true'.
      Severity:     HIGH
      Success:      false
      Title:        Root file system is not read-only

      Category:     Kubernetes Security Check
      Check ID:     KSV020
      Description:  Force the container to run with user ID > 10000 to avoid conflicts with the host's user table.
      Messages:
        Container 'minecraft-minecraft' of ReplicaSet 'minecraft-minecraft-f9b4c8777' should set 'securityContext.runAsUser' > 10000
      Remediation:  Set 'containers[].securityContext.runAsUser' to an integer > 10000.
      Severity:     LOW
      Success:      false
      Title:        Runs with UID <= 10000

      Category:     Kubernetes Security Check
      Check ID:     KSV021
      Description:  Force the container to run with group ID > 10000 to avoid conflicts with the host's user table.
      Messages:
        Container 'minecraft-minecraft' of ReplicaSet 'minecraft-minecraft-f9b4c8777' should set 'securityContext.runAsGroup' > 10000
      Remediation:  Set 'containers[].securityContext.runAsGroup' to an integer > 10000.
      Severity:     LOW
      Success:      false
      Title:        Runs with GID <= 10000

      Category:     Kubernetes Security Check
      Check ID:     KSV030
      Description:  According to pod security standard 'Seccomp', the RuntimeDefault seccomp profile must be required, or allow specific additional profiles.
      Messages:
        Either Pod or Container should set 'securityContext.seccompProfile.type' to 'RuntimeDefault'
      Remediation:  Set 'spec.securityContext.seccompProfile.type', 'spec.containers[*].securityContext.seccompProfile' and 'spec.initContainers[*].securityContext.seccompProfile' to 'RuntimeDefault' or undefined.
      Severity:     LOW
      Success:      false
      Title:        Runtime/Default Seccomp profile not set

      Category:     Kubernetes Security Check
      Check ID:     KSV032
      Description:  Containers should only use images from trusted registries.
      Messages:
        container minecraft-minecraft of replicaset minecraft-minecraft-f9b4c8777 in minecraft namespace should restrict container image to your specific registry domain. For Azure any domain ending in 'azurecr.io'
      Remediation:  Use images from trusted Azure registries.
      Severity:     MEDIUM
      Success:      false
      Title:        All container images must start with the *.azurecr.io domain

      Category:     Kubernetes Security Check
      Check ID:     KSV033
      Description:  Containers should only use images from trusted GCR registries.
      Messages:
        container minecraft-minecraft of replicaset minecraft-minecraft-f9b4c8777 in minecraft namespace should restrict container image to your specific registry domain. See the full GCR list here: https://cloud.google.com/container-registry/docs/overview#registries
      Remediation:  Use images from trusted GCR registries.
      Severity:     MEDIUM
      Success:      false
      Title:        All container images must start with a GCR domain

      Category:     Kubernetes Security Check
      Check ID:     KSV034
      Description:  Container images must not start with an empty prefix or a defined public registry domain.
      Messages:
        Container 'minecraft-minecraft' of ReplicaSet 'minecraft-minecraft-f9b4c8777' should restrict container image to use private registries
      Remediation:  Use images from private registries.
      Severity:     MEDIUM
      Success:      false
      Title:        Container images from public registries used

      Category:     Kubernetes Security Check
      Check ID:     KSV035
      Description:  Container images from non-ECR registries should be forbidden.
      Messages:
        Container 'minecraft-minecraft' of ReplicaSet 'minecraft-minecraft-f9b4c8777' should restrict images to own ECR repository. See the full ECR list here: https://docs.aws.amazon.com/general/latest/gr/ecr.html
      Remediation:  Container image should be used from Amazon Container Registry
      Severity:     MEDIUM
      Success:      false
      Title:        All container images must start with an ECR domain

      Category:     Kubernetes Security Check
      Check ID:     KSV039
      Description:  Ensure a limit range policy has been configured in order to limit resource usage for namespaces or nodes
      Messages:
        A limit range policy with a default request and limit, min and max request, for each container should be configured
      Remediation:  Create a limit range policy with a default request and limit, min and max request, for each container.
      Severity:     LOW
      Success:      false
      Title:        limit range usage

      Category:     Kubernetes Security Check
      Check ID:     KSV040
      Description:  Ensure a resource quota policy has been configured in order to limit aggregate resource usage within a namespace
      Messages:
        A resource quota policy with hard memory and cpu quota per namespace should be configured
      Remediation:  Create a resource quota policy with memory and cpu quota for each namespace
      Severity:     LOW
      Success:      false
      Title:        resource quota usage

      Category:     Kubernetes Security Check
      Check ID:     KSV104
      Description:  A program inside the container can bypass Seccomp protection policies.
      Messages:
        container "minecraft-minecraft" of replicaset "minecraft-minecraft-f9b4c8777" in "minecraft" namespace should specify a seccomp profile
      Remediation:  Specify seccomp either by annotation or by seccomp profile type having allowed values as per pod security standards
      Severity:     MEDIUM
      Success:      false
      Title:        Seccomp policies disabled

      Category:     Kubernetes Security Check
      Check ID:     KSV106
      Description:  Containers must drop ALL capabilities, and are only permitted to add back the NET_BIND_SERVICE capability.
      Messages:
        container should drop all
      Remediation:  Set 'spec.containers[*].securityContext.capabilities.drop' to 'ALL' and only add 'NET_BIND_SERVICE' to 'spec.containers[*].securityContext.capabilities.add'.
      Severity:     LOW
      Success:      false
      Title:        Container capabilities must only include NET_BIND_SERVICE
    Scanner:
      Name:     Trivy
      Vendor:   Aqua Security
      Version:  0.22.0
    Summary:
      Critical Count:  0
      High Count:      1
      Low Count:       8
      Medium Count:    8

Service:
  Name:  service-minecraft-minecraft
  Report:
    Checks:
      Category:     Kubernetes Security Check
      Check ID:     KSV039
      Description:  Ensure a limit range policy has been configured in order to limit resource usage for namespaces or nodes
      Messages:
        A limit range policy with a default request and limit, min and max request, for each container should be configured
      Remediation:  Create a limit range policy with a default request and limit, min and max request, for each container.
      Severity:     LOW
      Success:      false
      Title:        limit range usage

      Category:     Kubernetes Security Check
      Check ID:     KSV040
      Description:  Ensure a resource quota policy has been configured in order to limit aggregate resource usage within a namespace
      Messages:
        A resource quota policy with hard memory and cpu quota per namespace should be configured
      Remediation:  Create a resource quota policy with memory and cpu quota for each namespace
      Severity:     LOW
      Success:      false
      Title:        resource quota usage
    Scanner:
      Name:     Trivy
      Vendor:   Aqua Security
      Version:  0.22.0
    Summary:
      Critical Count:  0
      High Count:      0
      Low Count:       2
      Medium Count:    0
```
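Editor's note on the report above. The workload findings all come from the same root cause: the rendered pod template carries no `securityContext` and an unpinned image, so a single hardened container spec clears KSV001, KSV003/004/106, KSV012, KSV013, KSV014, KSV020/021 and KSV030/104 at once. KSV032, KSV033 and KSV035 are registry checks for Azure, GCR and ECR respectively and are mutually exclusive, so at most one of them can ever apply to a given cluster; KSV039 and KSV040 are namespace-level and are fixed with a LimitRange and a ResourceQuota, not in the chart's pod spec. The script below is an added example, not code from this chart or from Trivy: it re-implements the listed checks in plain Python and runs them over a constructed pod spec shaped like the audited one and over a hardened version. The image names, the UID/GID of 10001, the `/data` and `/tmp` mounts and the quota numbers are assumptions for illustration; in particular a read-only root filesystem only works if every path the server writes to is backed by a volume, and a UID above 10000 only works if the image's files are readable by that user.

```python
"""Re-implementation of the KSV checks from the Trivy report above, run over
a constructed pod spec like the audited one and over a hardened version.
Added example; not the chart's or Trivy's code. Names/values are placeholders."""
from __future__ import annotations

# Constructed approximation of the audited ReplicaSet's pod template:
# no securityContext anywhere and an untagged image.
AUDITED_POD = {
    "metadata": {"namespace": "minecraft"},
    "spec": {"containers": [{"name": "minecraft-minecraft",
                             "image": "example/minecraft-server"}]},
}

# Hardened version satisfying every workload-level check in the report.
# /data and /tmp as the only writable paths is an assumption about the image.
HARDENED_POD = {
    "metadata": {"namespace": "minecraft"},
    "spec": {
        "securityContext": {"seccompProfile": {"type": "RuntimeDefault"}},  # KSV030/104
        "containers": [{
            "name": "minecraft-minecraft",
            "image": "registry.example.internal/minecraft-server:1.0.0",  # KSV013/034
            "securityContext": {
                "allowPrivilegeEscalation": False,  # KSV001
                "runAsNonRoot": True,               # KSV012
                "runAsUser": 10001,                 # KSV020 (> 10000)
                "runAsGroup": 10001,                # KSV021 (> 10000)
                "readOnlyRootFilesystem": True,     # KSV014
                "capabilities": {"drop": ["ALL"]},  # KSV003/004/106
            },
            "volumeMounts": [{"name": "data", "mountPath": "/data"},
                             {"name": "tmp", "mountPath": "/tmp"}],
        }],
        "volumes": [{"name": "data", "persistentVolumeClaim":
                     {"claimName": "minecraft-data"}},
                    {"name": "tmp", "emptyDir": {}}],
    },
}

# Namespace-level objects for KSV039/KSV040 (quota values are illustrative).
NAMESPACE_OBJECTS = [
    {"kind": "LimitRange", "spec": {"limits": [{
        "type": "Container",
        "default": {"cpu": "2", "memory": "4Gi"},
        "defaultRequest": {"cpu": "500m", "memory": "2Gi"},
        "min": {"cpu": "100m", "memory": "512Mi"},
        "max": {"cpu": "4", "memory": "8Gi"}}]}},
    {"kind": "ResourceQuota", "spec": {"hard": {
        "requests.cpu": "4", "requests.memory": "8Gi",
        "limits.cpu": "8", "limits.memory": "16Gi"}}},
]


def image_is_pinned(image: str) -> bool:
    """KSV013: a digest, or a tag other than 'latest', is required."""
    last = image.rsplit("/", 1)[-1]
    if "@" in last:                      # name@sha256:... is pinned by digest
        return True
    tag = last.split(":", 1)[1] if ":" in last else ""
    return tag not in ("", "latest")


def image_is_private(image: str) -> bool:
    """Simplified KSV034: the first path component must be a registry host
    other than Docker Hub (Trivy keeps a longer list of public registries)."""
    head = image.split("/", 1)[0]
    return ("." in head or ":" in head) and head != "docker.io"


def failing_checks(pod: dict) -> list[str]:
    """IDs of the workload-level checks from the report that the pod fails.
    Container-level securityContext fields override pod-level ones, as in k8s."""
    spec = pod["spec"]
    pod_sc = spec.get("securityContext", {})
    fails: set[str] = set()
    for c in spec.get("containers", []):
        sc = c.get("securityContext", {})
        caps = sc.get("capabilities", {})
        drop, add = caps.get("drop", []), caps.get("add", [])
        image = c.get("image", "")
        uid = sc.get("runAsUser", pod_sc.get("runAsUser", 0))
        gid = sc.get("runAsGroup", pod_sc.get("runAsGroup", 0))
        seccomp = (sc.get("seccompProfile", pod_sc.get("seccompProfile")) or {}).get("type")
        passes = {
            "KSV001": sc.get("allowPrivilegeEscalation") is False,
            "KSV003": "ALL" in drop,
            "KSV004": bool(drop),
            "KSV012": sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is True,
            "KSV013": image_is_pinned(image),
            "KSV014": sc.get("readOnlyRootFilesystem") is True,
            "KSV020": uid > 10000,
            "KSV021": gid > 10000,
            "KSV030": seccomp in ("RuntimeDefault", "Localhost"),  # PSS 'restricted' values
            "KSV034": image_is_private(image),
            "KSV104": seccomp is not None,
            "KSV106": "ALL" in drop and set(add) <= {"NET_BIND_SERVICE"},
        }
        fails.update(k for k, ok in passes.items() if not ok)
    return sorted(fails)


def failing_namespace_checks(objects: list[dict]) -> list[str]:
    """KSV039: a Container LimitRange with default/defaultRequest/min/max.
    KSV040: a ResourceQuota whose hard limits cover both cpu and memory."""
    fails = []
    limits = [l for o in objects if o.get("kind") == "LimitRange"
              for l in o["spec"].get("limits", []) if l.get("type") == "Container"]
    if not any(all(k in l for k in ("default", "defaultRequest", "min", "max")) for l in limits):
        fails.append("KSV039")
    hards = [o["spec"].get("hard", {}) for o in objects if o.get("kind") == "ResourceQuota"]
    if not any(any("cpu" in k for k in h) and any("memory" in k for k in h) for h in hards):
        fails.append("KSV040")
    return fails


if __name__ == "__main__":
    print("audited pod  :", failing_checks(AUDITED_POD))
    print("hardened pod :", failing_checks(HARDENED_POD))
    print("no policies  :", failing_namespace_checks([]))
    print("with policies:", failing_namespace_checks(NAMESPACE_OBJECTS))
```

Running it prints the twelve workload IDs for the audited shape and an empty list for the hardened one, and KSV039/KSV040 only for the namespace without a LimitRange and ResourceQuota. The hardened `securityContext` block is what needs to end up in the chart's rendered pod template; the exact values keys that expose it are chart-specific and are not shown on this page.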