testing #1

Open: wants to merge 49 commits into base: master

Conversation

jon-nfc (Member) commented Jun 1, 2025

tester

@github-advanced-security

This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation.

- mountPath: /tmp
name: tmp
subPath: tmp


📝 [kubescape] reported by reviewdog 🐶

C-0017 Immutable container filesystem:

Mutable container filesystem can be abused to inject malicious code or data into containers. Use immutable (read-only) filesystem to limit potential attacks.

Remediation: Set the filesystem of the container to read-only when possible (pod securityContext, readOnlyRootFilesystem: true). If the container's application needs to write into the filesystem, it is recommended to mount secondary filesystems for the specific directories where the application requires write access.

Suggested change
securityContext:
readOnlyRootFilesystem: true

- mountPath: /tmp
name: tmp
subPath: tmp


📝 [kubescape] reported by reviewdog 🐶

C-0018 Configured readiness probe:

Readiness probe is intended to ensure that the workload is ready to process network traffic. It is highly recommended to define a readiness probe for every worker container. This control finds all the pods where the readiness probe is not configured.

Remediation: Ensure Readiness probes are configured wherever possible.

Suggested change
readinessProbe: YOUR_VALUE

- mountPath: /tmp
name: tmp
subPath: tmp


⚠️ [kubescape] reported by reviewdog 🐶

C-0013 Non-root containers:

Potential attackers may gain access to a container and leverage its existing privileges to conduct an attack. Therefore, it is not recommended to deploy containers with root privileges unless it is absolutely necessary. This control identifies all the pods running as root or that can escalate to root.

Remediation: If your application does not need root privileges, make sure to define runAsNonRoot as true or explicitly set the runAsUser using ID 1000 or higher under the PodSecurityContext or container securityContext. In addition, set an explicit value for runAsGroup using ID 1000 or higher.

Suggested change
securityContext:
runAsNonRoot: true
Suggested change
securityContext:
runAsGroup: 1000

- mountPath: /tmp
name: tmp
subPath: tmp


⚠️ [kubescape] reported by reviewdog 🐶

C-0016 Allow privilege escalation:

Attackers may gain access to a container and uplift its privilege to enable excessive capabilities.

Remediation: If your application does not need it, make sure the allowPrivilegeEscalation field of the securityContext is set to false.

Suggested change
securityContext:
allowPrivilegeEscalation: false
Suggested change
securityContext:
privileged: false

- mountPath: /tmp
name: tmp
subPath: tmp


⚠️ [kubescape] reported by reviewdog 🐶

C-0056 Configured liveness probe:

Liveness probe is intended to ensure that the workload remains healthy during its entire execution lifecycle, or otherwise restart the container. It is highly recommended to define a liveness probe for every worker container. This control finds all the pods where the liveness probe is not configured.

Remediation: Ensure Liveness probes are configured wherever possible.

Suggested change
livenessProbe: YOUR_VALUE

app.kubernetes.io/component: Worker
app.kubernetes.io/name: centurion
name: worker
spec:

📝 [kubescape] reported by reviewdog 🐶

C-0061 Pods in default namespace:

It is recommended to avoid running pods in the cluster without explicit namespace assignment. This control identifies all the pods running in the default namespace.

Remediation: Create necessary namespaces and move all the pods from default namespace there.

Suggested change
spec:
namespace: YOUR_NAMESPACE
spec:

@@ -0,0 +1,97 @@
---

📝 [kubescape] reported by reviewdog 🐶

C-0076 Label usage for resources:

It is recommended to set labels that identify semantic attributes of your application or deployment. For example, { app: myapp, tier: frontend, phase: test, deployment: v3 }. These labels can be used to assign policies to logical groups of the deployments as well as for presentation and tracking purposes. This control helps you find deployments without any of the expected labels.

Remediation: Define labels that are most suitable to your needs, or use the exceptions to prevent further notifications.

@@ -0,0 +1,97 @@
---

⚠️ [kubescape] reported by reviewdog 🐶

C-0260 Missing network policy:

This control detects workloads that have no NetworkPolicy configured in labels. If a network policy is not configured, it means that your applications might not have the necessary control over the traffic to and from the pods, possibly leading to a security vulnerability.

Remediation: Review the workloads identified by this control and assess whether it's necessary to configure a network policy for them.

- mountPath: /tmp
name: tmp
subPath: tmp


⚠️ [kubescape] reported by reviewdog 🐶

C-0055 Linux hardening:

Containers may be given more privileges than they actually need. This can increase the potential impact of a container compromise.

Remediation: You can use AppArmor, Seccomp, SELinux and Linux Capabilities mechanisms to restrict containers' abilities to utilize unwanted privileges.

Suggested change
securityContext:
seccompProfile: YOUR_VALUE
Suggested change
securityContext:
seLinuxOptions: YOUR_VALUE
Suggested change
securityContext:
capabilities:
drop:
- YOUR_VALUE

@@ -0,0 +1,97 @@
---

⚠️ [kubescape] reported by reviewdog 🐶

C-0030 Ingress and Egress blocked:

Disable Ingress and Egress traffic on all pods wherever possible. It is recommended to define restrictive network policy on all new pods, and then enable sources/destinations that this pod must communicate with.

Remediation: Define a network policy that restricts ingress and egress connections.

mountPropagation: HostToContainer
- name: nginx-config
mountPath: /etc/nginx/conf.d
tolerations: []


📝 [kubescape] reported by reviewdog 🐶

C-0017 Immutable container filesystem:

Mutable container filesystem can be abused to inject malicious code or data into containers. Use immutable (read-only) filesystem to limit potential attacks.

Remediation: Set the filesystem of the container to read-only when possible (pod securityContext, readOnlyRootFilesystem: true). If the container's application needs to write into the filesystem, it is recommended to mount secondary filesystems for the specific directories where the application requires write access.

Suggested change
tolerations: []
securityContext:
readOnlyRootFilesystem: true
tolerations: []

mountPropagation: HostToContainer
- name: nginx-config
mountPath: /etc/nginx/conf.d
tolerations: []


⚠️ [kubescape] reported by reviewdog 🐶

C-0056 Configured liveness probe:

Liveness probe is intended to ensure that the workload remains healthy during its entire execution lifecycle, or otherwise restart the container. It is highly recommended to define a liveness probe for every worker container. This control finds all the pods where the liveness probe is not configured.

Remediation: Ensure Liveness probes are configured wherever possible.

Suggested change
tolerations: []
livenessProbe: YOUR_VALUE
tolerations: []

mountPropagation: HostToContainer
- name: nginx-config
mountPath: /etc/nginx/conf.d
tolerations: []


⚠️ [kubescape] reported by reviewdog 🐶

C-0055 Linux hardening:

Containers may be given more privileges than they actually need. This can increase the potential impact of a container compromise.

Remediation: You can use AppArmor, Seccomp, SELinux and Linux Capabilities mechanisms to restrict containers' abilities to utilize unwanted privileges.

Suggested change
tolerations: []
securityContext:
seccompProfile: YOUR_VALUE
tolerations: []
Suggested change
tolerations: []
securityContext:
seLinuxOptions: YOUR_VALUE
tolerations: []
Suggested change
tolerations: []
securityContext:
capabilities:
drop:
- YOUR_VALUE
tolerations: []

mountPropagation: HostToContainer
- name: nginx-config
mountPath: /etc/nginx/conf.d
tolerations: []


⚠️ [kubescape] reported by reviewdog 🐶

C-0013 Non-root containers:

Potential attackers may gain access to a container and leverage its existing privileges to conduct an attack. Therefore, it is not recommended to deploy containers with root privileges unless it is absolutely necessary. This control identifies all the pods running as root or that can escalate to root.

Remediation: If your application does not need root privileges, make sure to define runAsNonRoot as true or explicitly set the runAsUser using ID 1000 or higher under the PodSecurityContext or container securityContext. In addition, set an explicit value for runAsGroup using ID 1000 or higher.

Suggested change
tolerations: []
securityContext:
runAsNonRoot: true
tolerations: []
Suggested change
tolerations: []
securityContext:
runAsGroup: 1000
tolerations: []

@@ -0,0 +1,39 @@
---


⚠️ [kubescape] reported by reviewdog 🐶

C-0030 Ingress and Egress blocked:

Disable Ingress and Egress traffic on all pods wherever possible. It is recommended to define restrictive network policy on all new pods, and then enable sources/destinations that this pod must communicate with.

Remediation: Define a network policy that restricts ingress and egress connections.

kind: Deployment
metadata:
name: nginx
spec:


📝 [kubescape] reported by reviewdog 🐶

C-0061 Pods in default namespace:

It is recommended to avoid running pods in the cluster without explicit namespace assignment. This control identifies all the pods running in the default namespace.

Remediation: Create necessary namespaces and move all the pods from default namespace there.

Suggested change
spec:
namespace: YOUR_NAMESPACE
spec:

@@ -0,0 +1,39 @@
---


📝 [kubescape] reported by reviewdog 🐶

C-0076 Label usage for resources:

It is recommended to set labels that identify semantic attributes of your application or deployment. For example, { app: myapp, tier: frontend, phase: test, deployment: v3 }. These labels can be used to assign policies to logical groups of the deployments as well as for presentation and tracking purposes. This control helps you find deployments without any of the expected labels.

Remediation: Define labels that are most suitable to your needs, or use the exceptions to prevent further notifications.

@@ -0,0 +1,39 @@
---


📝 [kubescape] reported by reviewdog 🐶

C-0077 K8s common labels usage:

Kubernetes common labels help manage and monitor Kubernetes cluster using different tools such as kubectl, dashboard and others in an interoperable way. Refer to https://kubernetes.io/docs/concepts/overview/working-with-objects/common-labels/ for more information. This control helps you find objects that don't have any of these labels defined.

Remediation: Define applicable labels or use the exception mechanism to prevent further notifications.

- name: http-root
mountPath: /usr/share/nginx/html
mountPropagation: HostToContainer
- name: nginx-config


⚠️ [kubescape] reported by reviewdog 🐶

C-0045 Writable hostPath mount:

Mounting host directory to the container can be used by attackers to get access to the underlying host and gain persistence.

Remediation: Refrain from using the hostPath mount or use the exception mechanism to remove unnecessary notifications.

Suggested change
- name: nginx-config
readOnly: true
- name: nginx-config

mountPropagation: HostToContainer
- name: nginx-config
mountPath: /etc/nginx/conf.d
tolerations: []


⚠️ [kubescape] reported by reviewdog 🐶

C-0016 Allow privilege escalation:

Attackers may gain access to a container and uplift its privilege to enable excessive capabilities.

Remediation: If your application does not need it, make sure the allowPrivilegeEscalation field of the securityContext is set to false.

Suggested change
tolerations: []
securityContext:
allowPrivilegeEscalation: false
tolerations: []
Suggested change
tolerations: []
securityContext:
privileged: false
tolerations: []
